Created on 02-07-2018 06:07 PM - edited 09-16-2022 05:50 AM
Hello,
I'm trying to configure an AWS AMI as a preconfigured NiFi node which is ready to join my existing 3 node NiFi cluster.
I took an image of a working node, where I have successfully run tls-toolkit.sh in client mode to point to one of the nodes which is running tls-toolkit in server mode. I've been able to use the toolkit on all 3 working nodes to get a secure cluster up and running.
On a new instance which was deployed using the image of the working node, I'm now trying to run the tls-toolkit in client mode to get a signed cert from the CA node (nifi-01), and am getting the following error:
root@ip-10-20-100-82:/etc/nifi/pki# bash /etc/nifi/nifi-toolkit-1.5.0/bin/tls-toolkit.sh client -c nifi-01 -t mytoken -p 10000
Service client error: null
Usage: tls-toolkit service [-h] [args]
Services:
standalone: Creates certificates and config files for nifi cluster.
server: Acts as a Certificate Authority that can be used by clients to get Certificates
client: Generates a private key and gets it signed by the certificate authority.
status: Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore.
Since this is an image of a working node, everything regarding Java, JAVA_HOME, etc is all exactly the same.
I verified that this new node can resolve and connect to nifi-01 on port 10000. I used tcpdump to watch for traffic between the 2 when running the toolkit, and there is no traffic generated.
Please help!
Thanks.
Created 02-08-2018 07:35 PM
I figured it out.
The system that runs tls-toolkit in client mode first attempts to resolve its hostname. If it receives a SERVFAIL in response, you get the error above.
You can resolve it by either adding a new A record to the DNS server(s), or as a workaround, add an entry to the /etc/hosts file for that system's hostname and IP.
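A preflight check for the failure mode described in this answer, added here as an example (not part of the original post or of the NiFi toolkit): it verifies that the node's own hostname resolves before tls-toolkit is run, and provides the /etc/hosts workaround as an idempotent function. It assumes a glibc system with getent and hostname available; the hosts-file path, IP and hostname are parameters so the functions can be exercised against a constructed file.

```shell
#!/bin/sh
# tls-toolkit in client mode resolves the local hostname before contacting
# the CA; a SERVFAIL surfaces only as "Service client error: null". Check
# resolution up front and fall back to a hosts entry when DNS has no record.

# Return 0 if NAME resolves through the system resolver (NSS: files, dns, ...).
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Return 0 if HOSTS_FILE already maps NAME (whole-field match, comments ignored).
hosts_has_entry() {
    hosts_file=$1; name=$2
    sed 's/#.*//' "$hosts_file" | awk -v n="$name" '
        { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
        END { exit !found }'
}

# Append "IP NAME" to HOSTS_FILE unless NAME is already present.
# Prints the resulting line count so a caller can confirm exactly one line was added.
ensure_hosts_entry() {
    hosts_file=$1; ip=$2; name=$3
    if ! hosts_has_entry "$hosts_file" "$name"; then
        printf '%s\t%s\n' "$ip" "$name" >> "$hosts_file"
    fi
    wc -l < "$hosts_file" | tr -d ' '
}

# Preflight: 0 when this node's hostname resolves, 1 with a hint otherwise.
preflight() {
    hosts_file=${1:-/etc/hosts}
    name=$(hostname)
    if resolves "$name"; then
        echo "OK: $name resolves to $(getent hosts "$name" | awk '{print $1}')"
        return 0
    fi
    echo "FAIL: $name does not resolve (DNS SERVFAIL or no A record)" >&2
    echo "Fix: add an A record for $name, or as a workaround run:" >&2
    echo "  ensure_hosts_entry $hosts_file <this-node-ip> $name" >&2
    return 1
}

# Run the preflight only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run the check before tls-toolkit.sh client on a freshly launched instance; a FAIL here is the same condition that produces the null client error.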