I am trying to understand if I can set up a multiple-node SSL cluster with a certificate signed by my organization without the need to add each node as a SAN to the certificate.
We keep adding nodes to the cluster, and I want to avoid asking for an updated certificate with a new node added to the SAN.
Currently I am setting the following properties in nifi.properties to the FQDN or the IP:
nifi.web.https.host=10.38.140.239
nifi.cluster.node.address=10.38.140.239
nifi.remote.input.host=10.38.140.239
And setting the proxy host to the CNAME:
nifi.web.proxy.host=ssl_cert_cname.foo.com:8443
And inside my authorizers.xml, I am adding the CNAME as the initial node/user identity:
<userGroupProvider>
...
<property name="Initial User Identity 4">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</userGroupProvider>
<accessPolicyProvider>
...
<property name="Node Identity 3">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</accessPolicyProvider>
Currently I am adding the <ip> of all the nodes in the cluster to the cert's SAN to make it work.
Responses will be appreciated. Thanks.
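
Added example, not part of the original post: standard TLS hostname verification (an IP literal is compared only with IP SAN entries, a DNS name only with DNS entries) applied to the three host properties quoted above, reporting which ones a given SAN list leaves uncovered. The SAN list, the second node's address 10.38.140.240 and all function names are constructed for illustration.

```python
import ipaddress

# Host properties from the post; their values are what peers connect to.
HOST_KEYS = ("nifi.web.https.host", "nifi.cluster.node.address",
             "nifi.remote.input.host")

def parse_hosts(properties_text):
    """Return {key: value} for the HOST_KEYS set in a nifi.properties body."""
    hosts = {}
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in HOST_KEYS and value.strip():
            hosts[key.strip()] = value.strip()
    return hosts

def as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def dns_match(host, pattern):
    """Exact match, or a '*' that stands for the whole left-most label only."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def san_covers(host, sans):
    """sans is a list of (kind, value) pairs, kind being "IP" or "DNS"."""
    ip = as_ip(host)
    if ip is not None:  # an IP literal is only compared with IP entries
        return any(k == "IP" and as_ip(v) == ip for k, v in sans)
    return any(k == "DNS" and dns_match(host, v) for k, v in sans)

def uncovered(properties_text, sans):
    """Property keys whose configured host the SAN list does not cover."""
    hosts = parse_hosts(properties_text)
    return sorted(k for k, h in hosts.items() if not san_covers(h, sans))

# Constructed sample data: the node from the post plus one hypothetical new node.
SANS = [("DNS", "ssl_cert_cname.foo.com"), ("IP", "10.38.140.239")]
NODE_A = """nifi.web.https.host=10.38.140.239
nifi.cluster.node.address=10.38.140.239
nifi.remote.input.host=10.38.140.239"""
NODE_B = NODE_A.replace("10.38.140.239", "10.38.140.240")
print("new node, properties not covered by the SAN list:", uncovered(NODE_B, SANS))
```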