I am trying to understand if I can set up a multiple-node SSL cluster with a certificate signed by my organization without the need to add each node as a SAN to the certificate.
Because we keep adding nodes to the cluster, I want to avoid asking for an updated certificate with a new node added to the SAN.
Currently I am setting the following properties in nifi.properties to the FQDN or the IP:
nifi.web.https.host=10.38.140.239
nifi.cluster.node.address=10.38.140.239
nifi.remote.input.host=10.38.140.239
And setting the proxy host with the cname
And inside my authorizers.xml, I am adding the CNAME as the initial node/user identity:
<userGroupProvider>
    ...
    <property name="Initial User Identity 4">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</userGroupProvider>
<accessPolicyProvider>
    ...
    <property name="Node Identity 3">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</accessPolicyProvider>
Currently I am adding the <ip> of all the nodes in the cluster to the cert's SAN to make it work.
Responses will be appreciated. Thanks.
@Vinit Sacheti, just F.Y.I.: you submitted a question substantially similar to the above post, with the title "nifi ssl cluster avoid adding host to san", that was rejected by the moderators of HCC on the grounds that it was essentially a duplicate of the above.