Support Questions

Find answers, ask questions, and share your expertise

Unable to start NiFI after i go HTTPS.?

avatar
Super Collaborator

Hi,

I am using the latest version of NiFi and was working with HTTP recently. i tried to go HTTPS by doing the steps below and my NiFi wont start..

keytool -genkey -alias localhost -keyalg RSA -keysize 1024 -dname "CN=nifis2s,OU=nestle,O=nestle,L=selfsigned,ST=stl,C=us" -keypass testpass-keystore localhost.keystore.jks -storepass testpass

keytool -export -alias localhost -keystore localhost.keystore.jks -rfc -file localhost.cert -storepass testpass

keytool -import -noprompt -alias localhost -file localhost.cert -keystore localhost.truststore.jks -storepass testpass

it generated keystore.jks and truststore.jks files. and i pointed them in nifi.config and changed it use https. also added entry in to authorizers.xml with initial user as "CN=nifis2s,OU=nestle,O=nestle,L=selfsigned,ST=stl,C=us"

but when i tried to start up nifi after changes , it wont start up after some time it is shutting down with this errors below.

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'x509AuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: javax.xml.bind.UnmarshalException

does CN=nifis2s,OU=nestle,O=nestle,L=selfsigned,ST=stl,C=us need to be a valid user on the machine.?

i tried with different combinations like CN=nifiuser,OU=test

is there anything that i am missing.??

21 REPLIES 21

avatar

Your truststore has two trustedCertEntries -- one for the server cert and one for the client. I don't know what browser you are using to attempt to access the UI, so I don't know why it is not prompting you for a client certificate. I recommend you use the following OpenSSL command to attempt a client connection from the command line and either verify that it successfully negotiates a mutually-authenticated handshake or fails and you can provide more error output. The command is on this Gist I have published.

$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

If you do not have your various certificates and keys in the correct format to use with this command, sections 2, 3, and 6 will allow you to export them to the right format.

It also appears from your earlier comment that you generated the client certificate and then stored it in your keystore. This is unnecessary and incorrect. The various keystores and certificates should be as follows:

  • Keystore
    • Used by NiFi application
    • Contains private key and public certificate (single PrivateKeyEntry entry) used by the server to identify itself
    • The public certificate should contain multiple certificates in the chain (in the same entry) to reach a trusted signing certificate (either one you control and manually trust, or a publicly-trusted certificate)
  • Truststore
    • Used by the NiFi application
    • Contains arbitrary number of trustedCertEntry entries (all public certificate(s) only) to verify "peer" certificates (either incoming client connections or connections NiFi makes to external resources, i.e. to ingest data from an HTTPS site)
  • Client certificate
    • Usually stored in PKCS12 keystore (*.p12)
    • Must contain the private key and public certificate with CN=<user name>
    • Certificate must be explicitly trusted or signed by known trusted certificate in truststore
    • Certificate must have complete chain in order for truststore to build certificate validation path

avatar
Super Collaborator

@Andy LoPresto

i have generated all the .pems as you suggested and tried to test from openssl command line.

It looks like it is able to do the hand shake , but showing a alert\warning towards the end..i am attaching the log from openssl