Member since 09-08-2023 | 2 Posts | 1 Kudos Received | 0 Solutions
09-08-2023 02:39 PM | 1 Kudo
Thank you @MattWho for the answer and @cjervis for the tags. That did solve my issue but it took me a couple of tries. I will be marking yours as the solution but including this note for future readers in case they run into the same thing I did. I had been copy-pasting commands in order to keep notes on my steps, and at some point one of the two dashes on the --subjectAlternativeNames had been replaced by a different kind of dash character.
09-08-2023 11:25 AM
I am configuring a new 3 node NiFi cluster on three AWS EC2 instances. I'm attempting to use the tls-toolkit.sh utility to generate the SSL keystore.jks and truststore.jks for each of the 3 nodes. It generates them and I can start the cluster, but when I load the UI it seems like it's working but then I get this message.

    An unexpected error has occurred
    javax.net.ssl.SSLPeerUnverifiedException: Hostname my.elb.name not verified:
        certificate: sha256/LhH2H...hkIE=
        DN: CN=node1.server.name, OU=NIFI
        subjectAltNames: [node1.server.name]

The nifi-app.log has basically the same to say about it.

    WARN [Replicate Request Thread-7] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to my.elb.name:port due to javax.net.ssl.SSLPeerUnverifiedException: Hostname my.elb.name not verified: ... subjectAltNames: [node1.server.name]

I would have expected the subjectAltNames to include my.elb.name because I included it in my tls-toolkit command.

    export JAVA_HOME="/usr/lib/jvm/java-11-openjdk-11.0.19.0-7-4.el8.x86_64"
    ./tls-toolkit.sh standalone -n 'node1.server.name,node2.server.name,node3.server.name' --subjectAlternativeNames 'CN=my.elb.name, OU=NIFI'

To investigate further I performed the following commands to examine the contents of what tls-toolkit generated for me.

    keytool -list -v -keystore keystore.jks -storepass redactedpassword1 -storetype JKS
    keytool -list -v -keystore truststore.jks -storepass redactedpassword2 -storetype JKS

The output contains no reference to my.elb.name at all. They only list node1.server.name as a SubjectAlternativeName: DNSName.

I'm guessing that I'm calling tls-toolkit.sh incorrectly but I'm not sure how to do it correctly. I've been using these pages as reference but I guess I'm missing some important detail.

https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#standalone
Generating Knox Certificates Using the TLS Toolkit (cloudera.com)

Can someone please help me understand what I'm doing wrong? Here are a few variations on the command that I tested but which also have not resulted in the expected Subject Alternative Name in the keytool -list.

(single dash instead of double dash)

    ./tls-toolkit.sh standalone -n 'node1.server.name,node2.server.name,node3.server.name' -subjectAlternativeNames 'CN=my.elb.name, OU=NIFI'

(my.elb.name without the CN and OU)

    ./tls-toolkit.sh standalone -n 'node1.server.name,node2.server.name,node3.server.name' --subjectAlternativeNames 'my.elb.name'

(double quotes instead of single quotes for the SAN parameter)

    ./tls-toolkit.sh standalone -n 'node1.server.name,node2.server.name,node3.server.name' --subjectAlternativeNames "CN=my.elb.name, OU=NIFI"
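The two things worth checking before re-running the toolkit are (a) whether a pasted command still contains only ASCII dashes, quotes and spaces, which is the root cause the poster reported in the follow-up, and (b) whether the hostname the cluster is reached through is actually covered by the dNSName SANs that keytool -list prints. The script below is an added example written for this thread; it is not code from the poster, from the NiFi TLS toolkit or from the linked Cloudera guide. The sample command strings and SAN lists are constructed placeholders, and the "EN DASH means --" repair rule is an assumption about how the autocorrect happened, not a rule of the toolkit. The hostname check mirrors the SAN-only matching that the OkHttp-style verifier behind the quoted "Hostname ... not verified" message performs: it compares against dNSName SANs (with a one-label wildcard) and does not consult the CN.

```python
"""Added example (not from the forum thread or the NiFi toolkit):
1. spot non-ASCII lookalike punctuation in a copy-pasted command line;
2. replay the hostname-vs-SAN comparison a TLS client performs.
All sample inputs below are constructed."""
import unicodedata
from typing import List, Tuple

# Constructed sample commands with placeholder hostnames.
GOOD_CMD = ("./tls-toolkit.sh standalone -n 'node1.server.name' "
            "--subjectAlternativeNames 'my.elb.name'")
# The same command after a notes app has autocorrected "--" into U+2013 EN DASH.
BAD_CMD = ("./tls-toolkit.sh standalone -n 'node1.server.name' "
           "\u2013subjectAlternativeNames 'my.elb.name'")

# Unicode general categories that hide lookalikes of shell-significant ASCII:
# dashes (Pd), opening/closing quotes (Pi/Pf) and spaces such as NBSP (Zs).
SUSPECT_CATEGORIES = {"Pd", "Pi", "Pf", "Zs"}


def find_lookalike_chars(cmd: str) -> List[Tuple[int, str, str]]:
    """Return (offset, char, unicode name) for each non-ASCII dash, quote or
    space in cmd. The shell passes such characters through literally, so an
    option spelled with an EN DASH reaches the tool as a positional argument
    instead of as the intended long option."""
    hits = []
    for i, ch in enumerate(cmd):
        if ord(ch) < 128:
            continue
        if unicodedata.category(ch) in SUSPECT_CATEGORIES:
            hits.append((i, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits


def repair_command(cmd: str) -> str:
    """Map lookalikes back to ASCII. Assumption (ours, not the toolkit's):
    an EN/EM dash is an autocorrected "--", so it becomes "--"; any other
    dash becomes "-", curly quotes become straight quotes, and non-ASCII
    spaces become a plain space. Everything else is left untouched."""
    out = []
    for ch in cmd:
        if ord(ch) < 128:
            out.append(ch)
            continue
        cat = unicodedata.category(ch)
        if ch in ("\u2013", "\u2014"):
            out.append("--")
        elif cat == "Pd":
            out.append("-")
        elif cat in ("Pi", "Pf"):
            out.append("'" if ch in ("\u2018", "\u2019") else '"')
        elif cat == "Zs":
            out.append(" ")
        else:
            out.append(ch)
    return "".join(out)


def hostname_matches_sans(hostname: str, san_dns_names: List[str]) -> bool:
    """RFC 6125-style check: the hostname must equal one dNSName SAN
    (case-insensitive, trailing dot ignored) or match a wildcard SAN whose
    '*' covers exactly one leftmost label. The certificate CN is not used,
    which is why a CN of my.elb.name in the DN would not satisfy the client."""
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # e.g. ".server.name"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


if __name__ == "__main__":
    for offset, ch, name in find_lookalike_chars(BAD_CMD):
        print(f"offset {offset}: U+{ord(ch):04X} {name}")
    print("repaired:", repair_command(BAD_CMD))
    # SAN list as keytool -list reported it in the post; the ELB name is absent.
    print("my.elb.name covered:",
          hostname_matches_sans("my.elb.name", ["node1.server.name"]))
```

Run it over the exact text you intend to paste (for example, read it from the notes file rather than retyping it); an empty list from find_lookalike_chars means the option names will reach tls-toolkit.sh as written, and hostname_matches_sans tells you whether the SAN set keytool shows will satisfy a client connecting through the load balancer name.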
Labels: Apache NiFi