Rakesh Prasad

Reputation: 642

NiFi https setup giving certificate error

I am facing a weird issue. This may very well not just be a NiFi (1.9.2) issue, but some other factor.

The steps I am trying to do are not new; I have done this on multiple boxes (I have 10 boxes running with a similar setup).

1) OS - Unix
2) DNS is internal
3) The HTTPS certificate is not self-signed; it is CA signed.

Certificate generation process:

1) I generate the CSR on the Unix command line:

openssl genrsa -out key.file 2048

openssl req -sha256 -new -key key.file -out out.csr

2) Then I shared the CSR file with a 3rd party, and they got me the certificate chain.

This above-mentioned process was followed with all my previous setups (10 boxes). I never faced this issue.

Now I am facing this weird issue (attached screenshot).

This message is very deceptive. As per my internet search, NiFi is rejecting my certificate/identity. But why my identity? What certificate must my connection be presenting to NiFi? And are we supposed to add everyone who is trying to come to NiFi to NiFi's trust store?

I have not faced this issue with any of my previous setups :( , so I can't put my finger on what must be going on.

This is not just a Chrome issue; I am getting a similar error on all 4 big browsers.


Upvotes: 1

Views: 4451

Answers (2)

returntosender404

Reputation: 548

Rakesh,

I would check these things as well:

  • Your browser should contain a client certificate signed by the same CA the NiFi server certificate was signed by. The browser will prompt which certificate to use when you visit the NiFi UI.
  • The CA public certificate should be added to NiFi's trust store. This will allow NiFi server to trust the client certificate in your browser.
  • Your client certificate DN needs to be added to the authorizers.xml file as an Initial Admin, and you need to remove users.xml and authorizations.xml and restart NiFi.

Upvotes: 1

Andy

Reputation: 14194

NiFi is telling your browser that you must present a client certificate in order to authenticate to the system. This is likely because you have not configured any other authentication mechanism (LDAP, Kerberos, OpenID Connect, etc.). You can read more about these authentication mechanisms in the Apache NiFi Admin Guide.

NiFi can only be configured for username/password, OpenId Connect, or Apache Knox at a given time. It does not support running each of these concurrently. NiFi will require client certificates for authenticating users over HTTPS if none of these are configured.

If you do not want to configure any of these other mechanisms, you can still authenticate using a client certificate. In order for your certificate to be accepted, it must be signed by (or be) a certificate whose public key is loaded as a trustedCertEntry in the NiFi truststore. The NiFi Toolkit Guide may help with the explicit commands you need in order to configure this.

If this isn't sufficient to solve your problem, you'll need to share more information, including your nifi.properties file (redact the sensitive values like keystore/truststore password), the output of keytool -list -v -keystore /path/to/truststore.jks, and the output of keytool -list -v -keystore /path/to/client.p12 -storetype PKCS12.

Upvotes: 2
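Both answers come down to the same check: the certificate the browser presents must chain to a CA whose certificate sits in NiFi's truststore as a trustedCertEntry, and the client certificate's DN must then be granted access in authorizers.xml. The script below is an added example, not code from either answer or from the NiFi project. It builds a throwaway CA (standing in for the 3rd-party CA), issues a client certificate with the same genrsa/req commands the question uses, bundles it as a PKCS12 for the browser, verifies the chain the way NiFi would, shows the failure mode (a certificate from an unrelated CA is rejected), and prints the DN for the Initial Admin Identity. All names, passwords and paths (demo-ca, other-ca, nifi-client, changeit, the temp directory) are constructed for the demo and are not NiFi defaults.

```shell
#!/bin/sh
# Added example: why NiFi demands a client certificate and what makes one acceptable.
# Throwaway CA + client cert, chain check, negative check, DN extraction.
# All names/passwords below are demo assumptions, not NiFi defaults.
set -eu

# Every step needs the openssl CLI; keytool (JDK) is optional, see import_ca.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to demo" >&2; exit 0; }

# make_ca DIR NAME: self-signed demo CA, playing the role of the 3rd-party CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_client DIR CA_NAME CLIENT_CN: same key/CSR commands as the question, then
# sign the CSR with the CA and bundle key+cert as PKCS12 for the browser.
make_client() {
  dir="$1"; ca="$2"; cn="$3"
  openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
  openssl req -sha256 -new -key "$dir/$cn.key" -subj "/CN=$cn" -out "$dir/$cn.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/$cn.csr" \
    -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" -CAcreateserial -out "$dir/$cn.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/$cn.pem" -inkey "$dir/$cn.key" \
    -name "$cn" -passout pass:changeit -out "$dir/$cn.p12" 2>/dev/null
}

# chains_to CLIENT_PEM CA_PEM: succeeds only if CA_PEM signed CLIENT_PEM.
# This is the check NiFi performs against the trustedCertEntry entries in its truststore;
# a browser certificate that fails it produces the "must present a client certificate" error.
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# client_dn CLIENT_PEM: RFC 2253 subject, the value to grant as Initial Admin Identity.
client_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# import_ca CA_PEM TRUSTSTORE ALIAS: add the CA as a trustedCertEntry. Requires keytool;
# the resulting store is what nifi.security.truststore should point at.
import_ca() {
  keytool -importcert -noprompt -alias "$3" -file "$1" \
    -keystore "$2" -storepass changeit >/dev/null 2>&1
}

# demo: runs the whole flow in a temp dir and reports each check.
demo() {
  work=$(mktemp -d)
  make_ca "$work" demo-ca
  make_ca "$work" other-ca
  make_client "$work" demo-ca nifi-client   # browser cert from the trusted CA
  make_client "$work" other-ca stranger     # browser cert from an unrelated CA

  if chains_to "$work/nifi-client.pem" "$work/demo-ca.pem"; then
    echo "nifi-client: chains to demo-ca -> NiFi would accept it"
  fi
  if ! chains_to "$work/stranger.pem" "$work/demo-ca.pem"; then
    echo "stranger: does not chain to demo-ca -> NiFi would reject it"
  fi
  echo "Initial Admin Identity to grant: $(client_dn "$work/nifi-client.pem")"
  echo "Browser bundle: $work/nifi-client.p12 (password: changeit)"

  if command -v keytool >/dev/null 2>&1; then
    import_ca "$work/demo-ca.pem" "$work/truststore.jks" demo-ca
    keytool -list -v -keystore "$work/truststore.jks" -storepass changeit | grep -c trustedCertEntry
  else
    echo "keytool not found; skipping truststore import"
  fi
}

# Run the demo only when executed directly, so the functions can also be sourced.
case "${0##*/}" in
  *.sh|sh|bash|dash) demo ;;
esac
```

Import nifi-client.p12 into the browser, put truststore.jks (or the CA-containing store) behind nifi.security.truststore, and grant the printed DN in authorizers.xml. The single-RDN subject keeps the DN unambiguous; with several RDNs, openssl's RFC 2253 ordering and separators differ from the Java X.500 form NiFi logs, so compare against the identity NiFi reports for the connection rather than the openssl output.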
