Created 05-06-2019 09:47 PM
Hi All,
I am unable to log in to NiFi via the Chrome browser after enabling HTTPS.
NiFi is running successfully with the HTTPS URL according to the nifi log, but my browser is not accepting the HTTPS link, and I get the error below when I try to log in using HTTPS.
Below is from nifi.log:
2019-05-06 11:55:36,551 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-05-06 11:55:36,551 INFO [main] org.apache.nifi.web.server.JettyServer https://192.168.1.145:8087/nifi
2019-05-06 11:55:36,551 INFO [main] org.apache.nifi.web.server.JettyServer https://127.0.0.1:8087/nifi
2019-05-06 11:55:36,553 INFO [main] org.apache.nifi.BootstrapListener Successfully initiated communication with Bootstrap
2019-05-06 11:55:36,553 INFO [main] org.apache.nifi.NiFi Controller initialization took 24246616620 nanoseconds (24 seconds).
When I tried to log in using the URL https://192.168.1.145:8087/nifi
I get the error below in the Chrome browser:
**********************************
192.168.1.145 didn’t accept your login certificate, or one may not have been provided.
ERR_BAD_SSL_CLIENT_AUTH_CERT
************************************
Can anyone help me on this?
Created 05-07-2019 01:16 PM
By default, when NiFi is secured it requires that users authenticate themselves via a client/user certificate. If an alternate authentication method has been enabled and the user has not presented a client certificate in the TLS/SSL handshake, then NiFi will redirect to that alternate authentication method.
NiFi can be configured to support these additional authentication methods (keep in mind that TLS/SSL authentication is always enabled and checked first):
The ERROR you are seeing displayed in your browser indicates that your browser did not present a user/client certificate to your secured NiFi instance. There are a couple of reasons this can happen:
If you have a login-provider like "ldap-provider" configured in your NiFi authorizers.xml file, make sure you have configured NiFi to use that login provider in the nifi.properties file.
NiFi does not provide a method to create locally managed users for login based authentication. Locally defined users/groups only exist to handle the authorizations of already authenticated user identities.
I hope this gets you going in the direction needed to get secure access to your secured NiFi working for you.
Thank you,
Matt
If you found this answer addressed your question, please take a moment to log in and click the "ACCEPT" link.
Created 05-07-2019 02:23 PM
*** Community Forum Tip: Try to avoid starting a new answer in response to an existing answer. Instead, use comments to respond to existing answers. There is no guaranteed order to different answers, which can make it hard to follow a discussion.
Without the verbose output for your client/user certificate and the NiFi truststore.jks file, it is a little difficult to help troubleshoot this issue.
Running the following command will help me understand what the secured NiFi is presenting in the Server Hello portion of the TLS/SSL handshake:
openssl s_client -connect 192.168.1.145:8087
Within the output of the above you will find a section "Acceptable client certificate CA names" which will be a list of trusted authorities.
You need to make sure that the complete trust chain for your client/user certificate is included in the list of authorities.
Did you try loading your certificate in another browser like Firefox?
Did you try clearing your cache in Chrome?
Thank you,
Matt
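The check Matt describes above is normally done by eye: read the "Acceptable client certificate CA names" block out of the `openssl s_client` output and compare it with the issuer chain of the client certificate. The Python script below, an added example that is not part of this thread or of NiFi itself, does that comparison mechanically using only the standard library. The s_client excerpt, the organisation names and the issuer DNs in it are constructed for the example; the only assumptions about real input are the two DN print styles OpenSSL uses (the legacy "/C=US/O=.../CN=..." form and the OpenSSL 1.1 "C = US, O = ..., CN = ..." form) and the section labels s_client prints after the CA list.

```python
"""Added example (not from the thread or the NiFi project): does the CA list a
secured NiFi advertises in its TLS CertificateRequest cover a client
certificate's chain?

Input 1 is the text `openssl s_client -connect host:port` prints, specifically
its "Acceptable client certificate CA names" block. Input 2 is the issuer DN of
the client certificate and of each intermediate, as printed by
`openssl x509 -in <cert> -noout -issuer`.
"""
import re
from typing import List, Tuple

DN = Tuple[Tuple[str, str], ...]

# Constructed excerpt of s_client output for this example. The CA list
# deliberately mixes the legacy slash DN form (OpenSSL 1.0) and the comma form
# (OpenSSL 1.1) so both parsers are exercised; a real server prints one style.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=192.168.1.145
   i:/C=US/O=Example Corp/CN=Example Root CA
---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Root CA
C = US, O = Example Corp, CN = Example Users CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 1834 bytes and written 445 bytes
"""


def parse_dn(text: str) -> DN:
    """Normalize an OpenSSL-printed DN to a tuple of (ATTR, value) pairs.

    Handles "/C=US/O=Example Corp/CN=Root CA" (legacy) and
    "C = US, O = Example Corp, CN = Root CA" (OpenSSL 1.1), with or without a
    leading "issuer=" / "subject=" label. Splitting uses a lookahead for the
    next "attr=" so a comma inside a value ("O = Example, Inc.") is kept.
    """
    text = re.sub(r"^(issuer|subject)=\s*", "", text.strip())
    if text.startswith("/"):
        parts = re.split(r"/(?=[A-Za-z0-9.]+=)", text[1:])
    else:
        parts = re.split(r",\s*(?=[A-Za-z0-9.]+\s*=)", text)
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)


def acceptable_client_cas(s_client_output: str) -> List[DN]:
    """Return the CA names the server sent in its CertificateRequest.

    The block starts at the "Acceptable client certificate CA names" header and
    ends at the next labelled section ("Client Certificate Types:", ...) or at
    a "---" separator. A server that requests a certificate without naming any
    CAs prints "No client certificate CA names sent" instead: empty list.
    """
    cas: List[DN] = []
    in_block = False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("---") or re.match(r"^[A-Z][A-Za-z ]+:", line):
            break
        if line.strip():
            cas.append(parse_dn(line))
    return cas


def issuers_not_advertised(s_client_output: str, client_chain_issuers: List[str]) -> List[str]:
    """Return the client-chain issuer DNs the server did not advertise.

    client_chain_issuers lists the issuer of the leaf, then of each
    intermediate, up to the root. Every DN returned is a CA the server did not
    announce as trusted; if the whole chain comes back, the browser has no
    certificate it can offer, which is one way to arrive at the
    ERR_BAD_SSL_CLIENT_AUTH_CERT error quoted in the question.
    """
    advertised = set(acceptable_client_cas(s_client_output))
    return [dn for dn in client_chain_issuers if parse_dn(dn) not in advertised]


def chain_reaches_advertised_ca(s_client_output: str, client_chain_issuers: List[str]) -> bool:
    """True if at least one issuer in the client chain is an advertised CA."""
    gaps = issuers_not_advertised(s_client_output, client_chain_issuers)
    return len(gaps) < len(client_chain_issuers)


if __name__ == "__main__":
    # Issuer DNs as `openssl x509 -noout -issuer` prints them on OpenSSL 1.1.
    good_chain = ["issuer=C = US, O = Example Corp, CN = Example Users CA",
                  "issuer=C = US, O = Example Corp, CN = Example Root CA"]
    bad_chain = ["issuer=C = US, O = Other Org, CN = Other Root CA"]
    print("advertised CAs:", acceptable_client_cas(SAMPLE_S_CLIENT_OUTPUT))
    print("good chain gaps:", issuers_not_advertised(SAMPLE_S_CLIENT_OUTPUT, good_chain))
    print("bad chain accepted:", chain_reaches_advertised_ca(SAMPLE_S_CLIENT_OUTPUT, bad_chain))
```

To use it against a real instance, capture `openssl s_client -connect 192.168.1.145:8087 </dev/null` to a file, collect the issuer line of the client certificate and of each intermediate with `openssl x509 -in <cert> -noout -issuer`, and pass both to `issuers_not_advertised`. The DN comparison is attribute-order sensitive, which matches how OpenSSL prints them; it does not parse the certificates themselves, so a CA that is present under a different DN spelling will show up as a gap and needs a second look rather than being assumed fine.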
Created 05-07-2019 01:36 PM
Thanks a lot for your time on this.
Firstly,
In the nifi.properties file I used the truststore below:
nifi.security.truststore=/opt/certs/truststore.jks
I created the CA and all required certificates using OpenSSL and imported them into the truststore, and I am using a single node here.
I imported the CA certificate into the browser, but I still see the same issue.
Am I missing anything here?
Also, I have not used any ldap-provider yet; this is my first step to verify the HTTPS connection for NiFi.
Could you advise me on this?