Understanding NiFi Certificates functionality

Contributor

Hello all,

Please bear with me if I ask a simple/basic question. I am new to NiFi and appreciate your patience and support.

I am setting up secure NiFi in 2 clusters. I am using NiFi 1.15.3 version in my setup. My cluster 1 has nodes: node1, node2, node3 and cluster 2 has nodes: node4, node5, node6.

I have created certificates in my organization by setting node1 as primary node and other nodes as alternative nodes. I use the same certificates in both clusters since I added all the nodes to the certificate when creating it.

My cluster 1 starts and I am able to log in to the web UI with the admin user without any issues. My cluster 2 also starts without any issues, but when I try to log in, it throws:

Insufficient permission. Untrusted proxy CN=node1, O=xxxx, L=yyyy, ST=zzzz, C=US

and in logs:

o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed GET https://node4:8443/nifi-api/flow/current-user [Untrusted proxy CN=node1, O=xxxx, L=yyyy, ST=zzzz, C=US]

As a part of troubleshooting, I added node1 as an initial user and node identity in cluster 2's authorizers.xml file. After deleting users.xml and authorizations.xml and restarting NiFi, I was able to log in to the web UI.

My questions:
1. Should I add the certificate's primary node as an initial user and node identity wherever I use this certificate?
2. What if the primary node goes down for some reason? Will it cause any issues?

Appreciate any help on this.

Regards

1 ACCEPTED SOLUTION

Super Guru

Hi @spserd,

Please have a look at this section of the NiFi documentation. It says:

Wildcard certificates (i.e. two nodes node1.nifi.apache.org and node2.nifi.apache.org being assigned the same certificate with a CN or SAN entry of *.nifi.apache.org) are not officially supported and not recommended. There are numerous disadvantages to using wildcard certificates, and a cluster working with wildcard certificates has occurred in previous versions out of lucky accidents, not intentional support. Wildcard SAN entries are acceptable if each cert maintains an additional unique SAN entry and CN entry.

Even though you are not using an asterisk wildcard, your single certificate doesn't meet the requirement of unique SAN and CN entries, and is not recommended/supported. You should have separate certificates for each host.

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
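As an added example (not code from this thread and not part of NiFi), the Python script below compares the two layouts discussed above: the single shared certificate from the question and the one-certificate-per-host layout recommended in the answer. It checks each node certificate against the rule quoted from the documentation (every cert has its own CN and a SAN entry unique to it), shows why the shared certificate makes every node present the same subject DN (the `CN=node1, ...` that cluster 2 rejected as an untrusted proxy), and emits the `Node Identity N` properties that NiFi's file-access-policy-provider reads from `authorizers.xml`. The organisation fields O, L, ST and C are placeholders taken from the masked values in the question; the node hostnames are the ones the question uses.

```python
"""Plan and check per-node TLS identities for a NiFi cluster.

Added example for this thread; the O/L/ST/C values are placeholders
copied from the masked DN in the question, not real organisation data.
"""
from dataclasses import dataclass

# Placeholder organisation fields, in the order NiFi prints them in the
# "Untrusted proxy CN=..., O=..., L=..., ST=..., C=..." message.
ORG = {"O": "xxxx", "L": "yyyy", "ST": "zzzz", "C": "US"}


@dataclass(frozen=True)
class NodeCert:
    host: str        # hostname the node is reached at, e.g. "node4"
    cn: str          # subject CN of the certificate the node presents
    sans: tuple      # DNS subjectAltName entries in that certificate

    def dn(self) -> str:
        """Subject DN string as NiFi compares it against node identities."""
        return ", ".join([f"CN={self.cn}"] + [f"{k}={v}" for k, v in ORG.items()])


def per_host_plan(hosts):
    """Recommended layout: one certificate per host, CN=host, SAN=host."""
    return [NodeCert(h, h, (h,)) for h in hosts]


def shared_cert_plan(hosts, primary, sans):
    """Layout from the question: one certificate with CN=primary and every
    node of both clusters listed as a SAN, installed on all hosts."""
    return [NodeCert(h, primary, tuple(sans)) for h in hosts]


def check_plan(certs):
    """Return the rule violations for a list of node certificates.

    Rules from the quoted documentation: each cert needs a unique CN and a
    SAN entry that no other node cert carries; the cert must also cover
    the hostname the node is actually reached at. Empty list means OK.
    """
    problems = []
    cns = [c.cn for c in certs]
    for c in certs:
        if cns.count(c.cn) > 1:
            problems.append(f"{c.host}: CN={c.cn} is shared with another node")
        if c.host not in c.sans:
            problems.append(f"{c.host}: certificate has no SAN for its own hostname")
        # SAN entries present in every *other* node certificate
        others = set().union(*[set(o.sans) for o in certs if o is not c])
        if not (set(c.sans) - others):
            problems.append(f"{c.host}: no SAN entry unique to this certificate")
    return problems


def unique_proxy_dns(certs):
    """Distinct DNs the cluster members present when proxying user requests.
    With the shared certificate this collapses to a single DN, so every
    node looks like CN=node1 to the receiving cluster's authorizer."""
    return sorted({c.dn() for c in certs})


def node_identity_properties(certs, start=1):
    """authorizers.xml fragment for the file-access-policy-provider: each
    node's DN must appear as a Node Identity, or requests it proxies are
    rejected with 'Untrusted proxy'."""
    return "\n".join(
        f'<property name="Node Identity {i}">{c.dn()}</property>'
        for i, c in enumerate(certs, start)
    )


if __name__ == "__main__":
    all_nodes = ["node1", "node2", "node3", "node4", "node5", "node6"]
    cluster2 = ["node4", "node5", "node6"]

    shared = shared_cert_plan(cluster2, "node1", all_nodes)
    print("shared certificate, DNs presented:", unique_proxy_dns(shared))
    for p in check_plan(shared):
        print("  problem:", p)

    good = per_host_plan(cluster2)
    print("per-host certificates, problems:", check_plan(good))
    print(node_identity_properties(good))
```

Running it shows that the shared certificate yields a single DN for all of cluster 2 and fails both the unique-CN and unique-SAN rules on every node, which is why cluster 2 only accepted logins once `CN=node1` was added as a node identity. With one certificate per host, the check passes and the printed `Node Identity` properties list node4, node5 and node6 individually, so no node depends on node1's certificate being trusted.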


2 REPLIES


Contributor

Thanks, André. Appreciate your help!