03-29-2018
01:03 PM
@Tom Burton Sorry for the delay. Using NSS will require some changes. Use a PKCS12 instead of PEM cert types, with an extension of p12. This should alleviate some issues. In that case you should still be able to have a key password. This is a restriction in some of the CURL code.

Tom, thank you for your patience. I recognize that as a user, worrying about NSS vs CURL is something you don't want to concern yourself with, so we're exploring two options and will provide both as an option to users:
1) We'd like to create system packages. In this case an RPM that will include all that is necessary to run with curl w/ OpenSSL.
2) Package an uber binary with statically linked OpenSSL. This will result in a larger binary but include the necessary dependencies.
Either option would help alleviate your pain points because you won't have to worry about bootstrapping clients. With CentOS 7 you will need to manually download curl and build it with OpenSSL. That is not ideal, hence why I think we'll push to get options one and two out the door as soon as possible. Option two is likely more forthcoming as the developer has made great strides, so when that is available we can avoid having to use NSS because the system doesn't come with curl w/ OpenSSL. If you are willing to join in another test I hope we make things a little easier, as I'm sure worrying about P12 vs PEM for the variants of CURL is an unnecessary burden. Thanks again for helping so much with CentOS 7. Your efforts will definitely be the key that makes that distribution easier to deploy.
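Added here as an illustration of the NSS-vs-OpenSSL point in the reply above; it is not code from this thread or from the MiNiFi C++ project. It reads the first line of `curl --version` output (constructed samples are embedded so it runs offline) to report which TLS backend libcurl was built with, and maps that to the client certificate type the reply says each backend needs (PEM for OpenSSL, PKCS12/.p12 for NSS).

```shell
#!/bin/sh
# Added example: decide which client cert format to hand the MiNiFi C++ agent,
# based on the TLS backend the system's libcurl was built against.
# The thread notes that stock CentOS 7 curl uses NSS, not OpenSSL, and that NSS
# needs a PKCS12 (.p12) client cert where OpenSSL accepts PEM.

# Constructed sample of `curl --version` on a stock CentOS 7 box (values made up).
SAMPLE_CENTOS7='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets'

# Constructed sample of a curl rebuilt against OpenSSL.
SAMPLE_OPENSSL='curl 7.59.0 (x86_64-pc-linux-gnu) libcurl/7.59.0 OpenSSL/1.0.2k zlib/1.2.7
Protocols: file ftp ftps http https
Features: IPv6 Largefile SSL libz'

# curl_tls_backend VERSION_TEXT -> prints OpenSSL | NSS | GnuTLS | none
# Only the first line of `curl --version` names the TLS library.
curl_tls_backend() {
  first_line=$(printf '%s\n' "$1" | head -n 1)
  case "$first_line" in
    *OpenSSL/*|*LibreSSL/*|*BoringSSL*) echo OpenSSL ;;
    *NSS/*)                             echo NSS ;;
    *GnuTLS/*)                          echo GnuTLS ;;
    *)                                  echo none ;;
  esac
}

# minifi_client_cert_type VERSION_TEXT -> prints pem | p12 | unsupported
# pem for an OpenSSL-backed curl, p12 for an NSS-backed one (per the reply);
# anything else is flagged so the operator knows to rebuild curl w/ OpenSSL.
minifi_client_cert_type() {
  case "$(curl_tls_backend "$1")" in
    OpenSSL) echo pem ;;
    NSS)     echo p12 ;;
    *)       echo unsupported ;;
  esac
}

# Hypothetical live usage (requires curl on the host):
#   minifi_client_cert_type "$(curl --version)"
```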
03-20-2018
05:54 PM
@Tom Burton What error are you seeing in the log files? Can you pass along the minifi-log file? That will help me debug. Try disabling host verification as I suspect that could be the issue, but cannot verify without the log file.
nifi.security.client.disable.host.verification=true
Feel free to join https://apache.hipchat.com/chat if you would like to chat.
03-19-2018
02:38 PM
@Tom Burton I've submitted https://github.com/apache/nifi-minifi-cpp/pull/285 . That PR will detect if OpenSSL support does not exist for libcurl and, if it does not, will use NSS. I've tested this on CentOS 7.
03-18-2018
12:04 AM
@Tom Burton We won't make assumptions. We'll maintain backwards compatibility, so we'll detect if libcurl w/ openssl is installed on the build system. If that is not desired and you do not wish for us to manually install libcurl w/ openssl support, we'll rely on other methods for security and then you can distribute that binary amongst your systems. In short, we will need to adjust our build process to account for systems where libcurl is built without openssl support. I think that's a reasonable ask from us and something we should be able to quickly do.
03-17-2018
09:06 PM
@Tom Burton I will modify the bootstrap to identify this and install libcurl-openssl from source and investigate using NSS when OpenSSL isn't present. The former is an easy setup change, the latter will exist and be used when that setup change isn't possible. I will have a resolution for both soon.
03-13-2018
06:29 PM
@Tom Burton I pulled up a clean CentOS 7 VM with security profiles enabled and ran into the same issues. I noticed that the system's curl is not built with OpenSSL and instead is using NSS, which we are not using. Did you use the bootstrap? I will begin checking all distros to ensure that we perform the download and install of libcurl-openssl when the default impl does not contain OpenSSL. Thanks for helping identify this.
03-13-2018
02:16 PM
@Tom Burton Thanks for the info. I'll investigate with that profile and make any changes that are needed in the PR, above. Thanks!
03-13-2018
01:51 PM
In addition to the above response: in my prior response I mentioned that I was getting a domain error after adding my cert to the CA bundle and using the above fix, but I re-issued my cert so that the domain matched the certificate.
03-13-2018
01:48 PM
@Tom Burton Sorry for the delay. I responded but duplicated my response, and upon deleting it I must have deleted both. Yesterday I submitted https://github.com/apache/nifi-minifi-cpp/pull/276 . I tested this on CentOS 7. I first was able to get it working by adding my nifi-cert to the ca-cert bundle in /etc/ssl; however, I recognize that not everyone wants to do this, so I created the above pull request for review. This approach may not be correct in all cases, so I may update the PR to give users an option to use the system-defined CA bundle (my preference in certain deployments); however, if you have the chance to test it, you may be able to get around having to disable peer verification and update the system's CA bundle (that is curl's default CAFile/CAPath).
03-12-2018
11:44 AM
Tom, https://github.com/apache/nifi-minifi-cpp/blob/master/conf/minifi.properties is the repo properties. Is this different than what you've been using? You noted that it was nifi.https.* for those properties, so I'd be happy to fix the repo of origin.

The error we see:
[2018-03-11 21:09:04.071] [org::apache::nifi::minifi::utils::HTTPClient] [error] curl_easy_perform() failed Peer certificate cannot be authenticated with given CA certificates
indicates that we have a cert chain validation issue. For testing purposes you can take the options from https://github.com/phrocker/nifi-minifi-cpp#sitetosite-security-configuration . You probably only need to disable peer verification. I wouldn't advise running this in production, but it can get you beyond the immediate issue for further testing.
nifi.security.client.disable.host.verification=true
nifi.security.client.disable.peer.verification=true

On CentOS you may need to perform the following procedures to get it working:
sudo yum install ca-certificates
sudo update-ca-trust enable
sudo cp /path/to/your_new_cert.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
I've taken this from: https://stackoverflow.com/questions/14682894/getting-error-in-curl-peer-certificate-cannot-be-authenticated-with-known-ca-c

Are you using the toolkit to generate these certificates? I'll see if I can arrive at the same issue and if we can create a more user-friendly way to get around it.