Trying to enable SSL in NiFi using an enterprise issued certifcate. Cannot use self-signed cert. In client browser getting ERR_CERT_AUTHORITY_INVALID. Used NiFi toolkit to create keystore and trustore. Can get to NiFi UI in browser on server using localhost but not from other servers. If I set web.https.host to DNS name then I don't get ERR_CERT_AUTHORITY_INVALID from outside browser but instead get timeout.
The exception in your browser ERR_CERT_AUTHORITY_INVALID typically means that the trust chain for your NiFi's serverAuth certificate is not trusted by your browser. You should see an option in the browser to "proceed to ...". If you click on that, can you get to the NiFi UI?
You can also use openssl command to inspect the server hello coming from your NiFi and obtain the public cert for your NiFi server's certificate. You can load those public certificates into you browser trust.
openssl s_client -connect <nifi-hostname>:<nifi-port> -showcerts
Next thing to look at would be the contents of your certificate.
<path to java>/bin/keytool -v -list -keystore <path to>/keystore.jks
You'll want to make sure it contains:
1. A DN that does not contain wildcards
2. ExtendedKeyUsage (EKU) with both clientAuth and serverAuth
3. SubjectAlternativeName (SAN) with entry that matches the hostname of the server on which it is being used.
4. verify issue and expiration dates for certificate and that server clock and your local client machine where you are using browser has same date and time.
If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.