05-08-2019 09:50 PM
I am trying to understand if I can set up a multiple-node SSL cluster with a certificate signed by my organization without the need of adding each node as a SAN to the certificate. Because we keep adding nodes to the cluster, I want to avoid asking for an updated certificate with a new node added to the SAN.

Currently I am setting the following properties in nifi.properties as the FQDN or the IP:

nifi.web.https.host=10.38.140.239
nifi.cluster.node.address=10.38.140.239
nifi.remote.input.host=10.38.140.239

And setting the proxy host with the CNAME:

nifi.web.proxy.host=ssl_cert_cname.foo.com:8443

And inside my authorizers.xml, I am adding the CNAME as the initial node/user identity:

<userGroupProvider>
...
<property name="Initial User Identity 4">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</userGroupProvider>

<accessPolicyProvider>
...
<property name="Node Identity 3">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</accessPolicyProvider>

Currently I am adding the <ip> of all the nodes in the cluster to the cert's SAN to make it work.

Responses will be appreciated. Thanks
Labels: Apache NiFi