Unable to login to NiFi after https is enabled

Hi All,

I am unable to log in to NiFi via the Chrome browser after enabling HTTPS.

NiFi is running successfully with the HTTPS URL as per the nifi log, but my browser is not accepting the HTTPS link and I get the error below when I try to log in using HTTPS.

Below is from nifi.log:

2019-05-06 11:55:36,551 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:

2019-05-06 11:55:36,551 INFO [main] org.apache.nifi.web.server.JettyServer https://192.168.1.145:8087/nifi

2019-05-06 11:55:36,551 INFO [main] org.apache.nifi.web.server.JettyServer https://127.0.0.1:8087/nifi

2019-05-06 11:55:36,553 INFO [main] org.apache.nifi.BootstrapListener Successfully initiated communication with Bootstrap

2019-05-06 11:55:36,553 INFO [main] org.apache.nifi.NiFi Controller initialization took 24246616620 nanoseconds (24 seconds).


When I tried to log in using the URL https://192.168.1.145:8087/nifi, I got the error below in the Chrome browser:

**********************************

192.168.1.145 didn’t accept your login certificate, or one may not have been provided.


  • Try contacting the system admin.

ERR_BAD_SSL_CLIENT_AUTH_CERT

************************************

Can anyone help me on this?



@Voruganti Vishwanath


By default, when NiFi is secured it requires that users authenticate themselves via a client/user certificate. If an alternate authentication method has been enabled and the user has not presented a client certificate in the TLS/SSL handshake, then NiFi will redirect to that alternate authentication method.


NiFi can be configured to support these additional authentication methods (keep in mind that TLS/SSL authentication is always enabled and checked first):

  • Spnego
  • LDAP (Login based provider)
  • Kerberos (Login based provider)
  • OpenID connect (Login based provider)
  • Knox SSO (Login based provider)


The ERROR you are seeing displayed in your browser indicates that your browser did not present a user/client certificate to your secured NiFi instance. There are a couple of reasons this can happen:

  1. You do not have a client/user certificate loaded in to your browser.
  2. The client/user certificate you have loaded in your browser was not presented to NiFi because it is not trusted by your NiFi.
    1. The truststore.jks you set up for NiFi when you secured it contains all the certificate authorities that your NiFi is capable of trusting. That means there must be a trustedCertEntry in your NiFi truststore.jks that matches the issuer of your client/user certificate.


If you have a login-provider like "ldap-provider" configured in your NiFi authorizers.xml file, make sure you have configured NiFi to use that login provider in the nifi.properties file.


NiFi does not provide a method to create locally managed users for login based authentication. Locally defined users/groups only exist to handle the authorizations of already authenticated user identities.


I hope this gets you going in the direction needed to get secured access to your secured NiFi working for you.


Thank you,

Matt


If you found this answer addressed your question, please take a moment to log in and click the "ACCEPT" link.



@Voruganti Vishwanath

*** Community Forum Tip: Try to avoid starting a new answer in response to an existing answer. Instead, use comments to respond to existing answers. There is no guaranteed order to different answers, which can make a discussion hard to follow.


Without the verbose output for your client/user certificate and the NiFi truststore.jks file, it is a little difficult to help troubleshoot this issue.

Running the following command will help me understand what the secured NiFi is presenting in the Server Hello portion of the TLS/SSL handshake:

openssl s_client -connect 192.168.1.145:8087


Within the output of the above you will find a section "Acceptable client certificate CA names" which will be a list of trusted authorities.


You need to make sure that the complete trust chain for your client/user certificate is included in the list of authorities.


Did you try loading your certificate in another browser like Firefox?
Did you try clearing your cache in Chrome?


Thank you,

Matt
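A script for the check described in the answer above (an added example, not code from the thread or from NiFi): it parses saved `openssl s_client` output for the "Acceptable client certificate CA names" section and reports whether the issuer of the client/user certificate (as printed by `openssl x509 -noout -issuer`) is among them. The sample outputs, hostnames and DNs are constructed.

```python
"""Does the server advertise the CA that issued my client certificate?
If not, the browser has no usable certificate to present and shows
ERR_BAD_SSL_CLIENT_AUTH_CERT. All sample data below is constructed."""

# Constructed excerpt of `openssl s_client -connect 192.168.1.145:8087`.
# The CA list is what the trustedCertEntry set in truststore.jks becomes
# on the wire. OpenSSL prints DNs in two styles depending on version.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = nifi.example.test, OU = NiFi, O = Example
   i:CN = Example Root CA, O = Example
---
Acceptable client certificate CA names
CN = Example Root CA, O = Example
/C=US/O=Other Org/CN=Other Org Intermediate CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
"""

# Constructed output of `openssl x509 -in user.pem -noout -issuer`.
CLIENT_ISSUER_OK = "issuer=CN = Example Root CA, O = Example"
CLIENT_ISSUER_BAD = "issuer=/CN=Homegrown CA/O=Lab"


def parse_dn(dn):
    """Normalise "/C=US/CN=x" and "C = US, CN = x" to one comparable set."""
    dn = dn.strip()
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(",")
    pairs = set()
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            pairs.add((key.strip().upper(), value.strip()))
    return frozenset(pairs)


def acceptable_ca_names(s_client_output):
    """Return the DN lines under 'Acceptable client certificate CA names'.
    An empty list means the server sent no CA names at all."""
    names, collecting = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
        elif collecting and (line.startswith("---") or ":" in line):
            break  # reached the next section (e.g. Client Certificate Types)
        elif collecting and "=" in line:
            names.append(line.strip())
    return names


def issuer_is_acceptable(issuer_line, s_client_output):
    """True when the client cert's issuer DN matches an advertised CA name."""
    issuer = issuer_line.split("=", 1)[1] if issuer_line.startswith("issuer=") else issuer_line
    wanted = parse_dn(issuer)
    return any(parse_dn(ca) == wanted for ca in acceptable_ca_names(s_client_output))
```

A False result for your own certificate means the issuing CA (or its intermediate) is missing from the truststore NiFi serves, which is the case Matt describes above.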


@Matt Clarke

Thanks a lot for your time on this.

Firstly,

In nifi.properties file I did use below truststore:

nifi.security.truststore=/opt/certs/truststore.jks

I created the CA and all required certificates using OpenSSL, imported them into the truststore, and I am using a single node here.

I imported the CA certificate into the browser, but I still see the same issue.

Am I missing anything here?

Also, I did not use any ldap-provider yet and this is my first step to verify https connection for NiFi.

Could you advise me on this?