Member since
05-08-2026
3
Posts
0
Kudos Received
0
Solutions
07-01-2026
09:48 AM
I think this is wrong, but maybe I'm being dumb or missing something obvious here: "certs only need to have the SANs matching what the nodes uses to talk each other." I DO need public DNS names if I don't want users to see cert errors though right? The certs don't _only_ need to match the node names they need to be issued from a trusted CA which requires the nodes to have public DNS names. This is the main issue. I can easily automate issuing self-signed certs for node communication (without having to deploy a whole PKI, DNS, letsencrypt, etc) BUT because NIFI uses the same channel for APIs users will see cert errors and I wont be able to terminate SSL at the LB Perhaps there is a way to issue self-signed certs AND terminate SSL at the LB with a different public cert and then maybe do some kind of redirect? Ultimately users would still be redirected to the URL with the self-signed cert and see errors though I think? I think the only way to do this is... Drop SSL everywhere (but how ?) I've been trying to just drop all security to make it all HTTP so I can terminate SSL at the LB, but this is really poorly documented and I haven't been able to actually get it to do everything HTTP. NIFI has so many of its internals super tightly coupled to HTTPS and there are so many individual configuration fields related to this. Is there any known working config to just set it to HTTP everywhere? I have it running on k8s and I can use security features of the cluster to lock it down instead. Hell I even gave it its own cluster so its even more isolated, I definitely don't need HTTPS for intra-node communication.
... View more