I figured it out. The system that runs tls-toolkit in client mode first attempts to resolve its hostname. If it receives a SERVFAIL in response, you get the error above. You can resolve it by either adding a new A record to the DNS server(s), or as a workaround, add an entry to the /etc/hosts file for that system's hostname and IP.
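A small diagnostic for the failure described in the answer above, written as an added example rather than anything from the NiFi toolkit or the original posts: it checks whether the local hostname resolves through the system resolver (the lookup the client performs before it ever contacts the CA), and applies the /etc/hosts workaround only if the name is still missing. The function names, the hosts-file parameter and the 10.20.100.82 address (inferred from the ip-10-20-100-82 hostname in the question) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: hostname-resolution check for the tls-toolkit client error.
# Not part of NiFi or its toolkit; all names below are this script's own.

# Return 0 if NAME resolves via NSS (/etc/hosts, then DNS), i.e. the same
# path a Java process takes when it looks up its own hostname.
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Produce one /etc/hosts line ("IP<TAB>NAME").
hosts_entry() {
    printf '%s\t%s\n' "$1" "$2"
}

# Append IP/NAME to HOSTS_FILE (default /etc/hosts) unless NAME is already
# listed there, so repeated runs do not add duplicate lines.
ensure_hosts_entry() {
    ip=$1; name=$2; file=${3:-/etc/hosts}
    if grep -qE "[[:space:]]$name([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 0
    fi
    hosts_entry "$ip" "$name" >> "$file"
}

# Report on the local host: OK if the hostname resolves, otherwise explain
# why tls-toolkit client will fail before any traffic reaches the CA
# (which matches the "no packets in tcpdump" symptom in the question).
check_self() {
    name=$(hostname)
    if resolves "$name"; then
        echo "OK: $name resolves to $(getent hosts "$name" | awk '{print $1}')"
        return 0
    fi
    echo "FAIL: $name does not resolve; tls-toolkit client will abort before contacting the CA"
    echo "Fix: add an A record for $name on your DNS servers, or as a workaround run:"
    echo "  ensure_hosts_entry <this-node-ip> $name   # writes to /etc/hosts, needs root"
    return 1
}

# Stand-alone use: check this host. Example workaround for the node in the
# question (assumed address 10.20.100.82) would be:
#   ensure_hosts_entry 10.20.100.82 ip-10-20-100-82
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    check_self
fi
```

Run the script as-is to see whether the node is in the failing state; only run `ensure_hosts_entry` (as root) once you have confirmed the hostname does not resolve, since a DNS fix is the durable answer and the hosts entry will mask a later DNS problem.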
Hello, I'm trying to configure an AWS AMI as a preconfigured NiFi node which is ready to join my existing 3 node NiFi cluster. I took an image of a working node, where I have successfully run the tls-toolkit.sh in client mode to point to one of the nodes which is running tls-toolkit in server mode. I've been able to use the toolkit on all 3 working nodes to get a secure cluster up and running. On a new instance which was deployed using the image of the working node, I'm now trying to run the tls-toolkit in client mode to get a signed cert from the CA node (nifi-01), and am getting the following error:

root@ip-10-20-100-82:/etc/nifi/pki# bash /etc/nifi/nifi-toolkit-1.5.0/bin/tls-toolkit.sh client -c nifi-01 -t mytoken -p 10000
Service client error: null
Usage: tls-toolkit service [-h] [args]
standalone: Creates certificates and config files for nifi cluster.
server: Acts as a Certificate Authority that can be used by clients to get Certificates
client: Generates a private key and gets it signed by the certificate authority.
status: Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore.

Since this is an image of a working node, everything regarding Java, JAVA_HOME, etc. is exactly the same. I verified that this new node can resolve and connect to nifi-01 on port 10000. I used tcpdump to watch for traffic between the 2 when running the toolkit, and there is no traffic generated. Please help! Thanks.