Created on 11-15-2019 01:48 PM - last edited on 11-15-2019 03:09 PM by ask_bill_brooks
Hi folks,
We have been struggling for the past 3 weeks trying to secure a cluster.
We have 3 nodes. They were working ok in a cluster (but not secured).
When trying to secure those (and following the guide suggested here), we came across the following message when trying to access the UI:
javax.net.ssl.SSLPeerUnverifiedException: Hostname <my_fqdn_is_here> not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: []
We've been going over and over the configs and nothing seems to point to the right direction.
Would anyone point us to at least the right direction?
Created 11-18-2019 05:49 AM
The error message you have encountered indicates an issue with the certificates you are using to secure your NiFi nodes.
javax.net.ssl.SSLPeerUnverifiedException: Hostname <my_fqdn_is_here> not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: []
Jetty no longer uses the DN to verify hostnames and now requires that the certificates include at least 1 Subject Alternative Name (SAN) entry that matches the hostname of the server on which it is being used.
As you can see from the ERROR output, it indicates you have no SAN entries in your cert.
subjectAltNames: []
You will need to generate new certificates and keystores for your NiFi nodes.
When doing so keep in mind the following:
1. Keystore may contain ONLY 1 PrivateKeyEntry
2. The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth"
3. The PrivateKeyEntry MUST contain at least 1 SAN entry matching the hostname of the server where keystore will be used.
4. The Keystore and Key passwords must be the same. Or no key password set.
Thank you,
Matt
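The check that produced the error above, as an added example (not code from this thread, from NiFi or from Jetty): a small Python model of RFC 6125-style hostname verification, where only subjectAltName entries are consulted and the subject CN is ignored, plus a checker for the four keystore rules in the answer above. The certificate and keystore objects are constructed in the script rather than parsed from real files, and the hostnames (`nifi-node1.example.net`, `10.0.0.5`) are placeholders.

```python
"""Hostname verification the way Jetty / RFC 6125 do it: subjectAltName only,
never the CN of the subject DN. Added example; not NiFi or Jetty source code."""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CertInfo:
    """Minimal, constructed view of an X.509 certificate (not parsed from a real cert)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress SAN entries
    extended_key_usage: Set[str] = field(default_factory=set)  # e.g. {"serverAuth", "clientAuth"}


@dataclass
class KeystoreInfo:
    """Constructed view of a JKS/PKCS12 keystore: its PrivateKeyEntry certs and passwords."""
    private_key_entries: List[CertInfo]
    keystore_password: str
    key_password: Optional[str] = None  # None = no separate key password set


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN value against a hostname (case-insensitive, trailing dot ignored)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard is only accepted as the entire left-most label, must not sit at
    # the top level ("*.net"), and matches exactly one label (no "a.b" for "*.x").
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertInfo, hostname: str) -> bool:
    """True if hostname is covered by a SAN entry. The CN is deliberately never consulted,
    which is why a cert with 'subjectAltNames: []' fails even when the CN is the FQDN."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals only match iPAddress SAN entries, never dNSName entries.
        return any(ipaddress.ip_address(e) == ip for e in cert.san_ip)
    return any(_dns_match(p, hostname) for p in cert.san_dns)


def nifi_keystore_problems(ks: KeystoreInfo, node_hostname: str) -> List[str]:
    """Return the rules from the answer above that the keystore violates (empty list = OK)."""
    problems = []
    n = len(ks.private_key_entries)
    if n != 1:
        problems.append(f"rule 1: keystore has {n} PrivateKeyEntry entries, exactly 1 is required")
    for cert in ks.private_key_entries:
        missing = {"serverAuth", "clientAuth"} - cert.extended_key_usage
        if missing:
            problems.append(f"rule 2: certificate lacks extended key usage {sorted(missing)}")
        if not cert.san_dns and not cert.san_ip:
            problems.append("rule 3: certificate has no subjectAltName entries (subjectAltNames: []);"
                            f" CN={cert.subject_cn} is not used for hostname verification")
        elif not hostname_matches(cert, node_hostname):
            problems.append(f"rule 3: no SAN entry matches node hostname {node_hostname}")
    if ks.key_password is not None and ks.key_password != ks.keystore_password:
        problems.append("rule 4: key password differs from keystore password")
    return problems


if __name__ == "__main__":
    node = "nifi-node1.example.net"  # placeholder FQDN
    # Constructed cert shaped like the one in the error message: CN only, no SAN.
    broken = KeystoreInfo([CertInfo(subject_cn=node, extended_key_usage={"serverAuth", "clientAuth"})],
                          keystore_password="changeit")
    # Constructed cert that satisfies all four rules.
    fixed = KeystoreInfo([CertInfo(subject_cn=node, san_dns=[node], san_ip=["10.0.0.5"],
                                   extended_key_usage={"serverAuth", "clientAuth"})],
                         keystore_password="changeit")
    for name, ks in (("broken", broken), ("fixed", fixed)):
        print(name, nifi_keystore_problems(ks, node) or "OK")
```

On a real keystore the same facts come from `keytool -list -v -keystore <file>`: the SAN values appear under the entry's Extensions as `SubjectAlternativeName`, and rule 2 is visible as an `ExtendedKeyUsages [ serverAuth clientAuth ]` extension; if no such block is printed, the certificate carries no EKU.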
Created on 11-15-2019 03:11 PM - edited 11-15-2019 03:12 PM
@frassis You wrote that you were " following the guide suggested here", but there was no indication as to what guide you were actually following. Did you perhaps forget the hyperlink?
Created 11-19-2019 11:34 AM
Hey @MattWho, thank you very much for this.
Quick question, how do you determine if the PrivateKeyEntry supports both?
"The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth""?
I don't see this when I use keytool -v
Created 12-02-2019 11:19 AM
Thanks Matt,
With new certs, like you mentioned, we were able to make it work.