Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Using CA issued cert for SSL

avatar
New Contributor

Trying to enable SSL in NiFi using an enterprise issued certifcate. Cannot use self-signed cert. In client browser getting ERR_CERT_AUTHORITY_INVALID. Used NiFi toolkit to create keystore and trustore. Can get to NiFi UI in browser on server using localhost but not from other servers. If I set web.https.host to DNS name then I don't get ERR_CERT_AUTHORITY_INVALID from outside browser but instead get timeout. 

2 REPLIES 2

avatar
Super Mentor

@dontiffjr 

The exception in your browser ERR_CERT_AUTHORITY_INVALID typically means that the trust chain for your NiFi's serverAuth certificate is not trusted by your browser.  You should see an option in the browser to "proceed to ...".  If you click on that, can you get to the NiFi UI?
You can also use openssl command to inspect the server hello coming from your NiFi and obtain the public cert for your NiFi server's certificate.  You can load those public certificates into you browser trust.

openssl s_client -connect <nifi-hostname>:<nifi-port> -showcerts



Next thing to look at would be the contents of your certificate.

<path to java>/bin/keytool -v -list -keystore <path to>/keystore.jks

You'll want to make sure it contains:
1. A DN that does not contain wildcards

2. ExtendedKeyUsage (EKU) with both clientAuth and serverAuth
3. SubjectAlternativeName (SAN) with entry that matches the hostname of the server on which it is being used.
4. verify issue and expiration dates for certificate and that server clock and your local client machine where you are using browser has same date and time.

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt

 

avatar
New Contributor
Can't proceed to NiFi UI after the browser error. I will attempt the
actions you mention. I did list with keytool but will do so again looking
for the specifics you mentioned as well. Thanks.