Created 02-17-2022 01:22 PM
Hello all,
Please bear with me if I ask a simple/basic question. I am new to NiFi and appreciate your patience and support.
I am setting up secure NiFi in 2 clusters. I am using NiFi 1.15.3 version in my setup. My cluster 1 has nodes: node1, node2, node3 and cluster 2 has nodes: node4, node5, node6.
I have created certificates in my organization by setting node1 as primary node and other nodes as alternative nodes. I use the same certificates in both clusters since I added all the nodes to the certificate when creating it.
My cluster 1 starts and I am able to log in to the web UI as the admin user without any issues. However, my cluster 2 starts without any issues but when I try to log in, it throws:
Insufficient permission. Untrusted proxy CN=node1, O=xxxx, L=yyyy, ST=zzzz, C=US
and in logs:
o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed GET https://node4:8443/nifi-api/flow/current-user [Untrusted proxy CN=node1, O=xxxx, L=yyyy, ST=zzzz, C=US]
As part of troubleshooting, I added node1 as an initial user and node identity in cluster 2's authorizers.xml file. After deleting users.xml and authorizations.xml and restarting NiFi, I was able to log in to the web UI.
My questions:
1. Should I add the certificate's primary node as an initial user and node identity wherever I use this certificate?
2. What if the primary node goes down for some reason? Will it cause any issue?
Appreciate any help on this.
Regards
Created 02-17-2022 02:41 PM
Hi @spserd,
Please have a look at this section of the NiFi documentation. It says:
Wildcard certificates (i.e. two nodes node1.nifi.apache.org and node2.nifi.apache.org being assigned the same certificate with a CN or SAN entry of *.nifi.apache.org) are not officially supported and not recommended. There are numerous disadvantages to using wildcard certificates, and a cluster working with wildcard certificates has occurred in previous versions out of lucky accidents, not intentional support. Wildcard SAN entries are acceptable if each cert maintains an additional unique SAN entry and CN entry.
Even though you are not using an asterisk wildcard, your single certificate doesn't meet the requirement of unique SAN and CN entries and is not recommended/supported. You should have separate certificates for each host.
Cheers,
André
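As an added example (not code from this thread or from the NiFi project), the script below does what the answer above recommends: it issues one certificate per node from a private CA so that each node presents its own CN and SAN, and then checks a list of host-to-DN pairs for the two mistakes in the question (two hosts sharing one identity, and a node serving a certificate whose CN is another host's name). The hostnames node1..node3, the O/L/ST/C fields, the throwaway CA and the ./nifi-certs directory are assumptions; the rule that the CN must equal the hostname is the convention the NiFi TLS toolkit follows, adopted here as policy, not something NiFi enforces.

```shell
#!/bin/sh
# Added example, not from the original thread or the NiFi project.
# Requires the openssl CLI (1.1.1 or later). Everything below the functions
# is a demo run that is skipped when openssl is not installed.

WORKDIR="${WORKDIR:-./nifi-certs}"                  # assumed output directory
DN_PREFIX="/C=US/ST=zzzz/L=yyyy/O=xxxx"            # assumed organisation fields

# Create a throwaway CA. In a real deployment, submit the CSRs below to your
# organisation's CA instead of signing them here.
make_ca() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "$DN_PREFIX/CN=NiFi Test CA" >/dev/null 2>&1
}

# Issue one certificate for one node: CN and SAN are both that node's hostname,
# and the cert carries both serverAuth and clientAuth because NiFi nodes act as
# TLS clients when they proxy requests to each other.   Usage: make_node_cert node1
make_node_cert() {
    host="$1"
    ext="$WORKDIR/$host.ext"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$host" > "$ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/$host.key" \
        -out "$WORKDIR/$host.csr" -subj "$DN_PREFIX/CN=$host" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORKDIR/$host.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$ext" -out "$WORKDIR/$host.crt" >/dev/null 2>&1
}

# Print a certificate's subject DN with the CN first (RFC 2253 order), the same
# attribute order that appears in NiFi's "Untrusted proxy" message.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Read "host<TAB>DN" lines from the file given as $1. Exit non-zero if two hosts
# present the same DN, or if a host's DN does not start with CN=<that host>.
check_identities() {
    awk -F'\t' '
        {
            if (seen[$2]++)               { print "shared identity: " $2; bad = 1 }
            if ($2 !~ ("^CN=" $1 "(,|$)")) { print "host " $1 " presents " $2; bad = 1 }
        }
        END { exit bad }' "$1"
}

# Emit the per-node identity properties for the file-access-policy-provider in
# authorizers.xml. Copy the exact string NiFi logs if its spacing differs.
node_identity_properties() {
    i=1
    for crt in "$@"; do
        printf '<property name="Node Identity %d">%s</property>\n' "$i" "$(cert_dn "$crt")"
        i=$((i + 1))
    done
}

# Demo: three nodes of one cluster, each with its own certificate.
if command -v openssl >/dev/null 2>&1; then
    make_ca
    for h in node1 node2 node3; do make_node_cert "$h"; done
    for h in node1 node2 node3; do
        printf '%s\t%s\n' "$h" "$(cert_dn "$WORKDIR/$h.crt")"
    done > "$WORKDIR/identities.tsv"
    check_identities "$WORKDIR/identities.tsv" && \
        node_identity_properties "$WORKDIR/node1.crt" "$WORKDIR/node2.crt" "$WORKDIR/node3.crt"
fi
```

Run it once per cluster (for cluster 2, with node4..node6), install each node's key and certificate only on that node, and list all three identities of the cluster in that cluster's authorizers.xml. The check function reproduces the failure in the question: a line such as `node4<TAB>CN=node1,...` is rejected because node4 is presenting node1's identity, which is exactly what cluster 2 saw as an untrusted proxy.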
Created 02-18-2022 06:04 AM
Thanks André. Appreciate your help!