Tris

Reputation: 63

How to resolve peer unverified exception in a secure nifi cluster?

I set up a secured NiFi cluster with TLS certificates provided by the organisation. On accessing the UI I am getting the error "javax.net.ssl.SSLPeerUnverifiedException: Hostname abc.com not verified: certificate: sha256/abc/abcabc= DN: CN=abc.com, OU=Abc Operations, O=Abc Corporation Limited, C=SG subjectAltNames: [abc.com]". I have referred to the link https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificates. Is there anything I missed to enable peer-to-peer communication while using SSL?

Upvotes: 0

Views: 2870

Answers (1)

Jackssn

Reputation: 1614

I had the same problem and found a solution in the NiFi TLS-toolkit.

Note: on my cluster auth worked correctly and the problem was only in Java SSL verification.

In short: the problem is indeed in --subjectAlternativeNames.

Generating SSL keys with my own root CA did not work for me. Good instruction (but old): https://community.cloudera.com/t5/Community-Articles/How-to-create-user-generated-keys-for-securing-NiFi/ta-p/245551

  • CentOS Linux 8
  • NiFi 1.14.0
  • nifi-toolkit 1.15.2

My way with NiFi TLS-toolkit:

  1. Download nifi-toolkit-*.tar.gz to a Linux machine (let's say the machine's IP is 0.0.0.1; we need it because this VM will act as the "certificateAuthorityHostname"); link on this page:

    sudo wget https://dlcdn.apache.org/nifi/1.15.2/nifi-toolkit-1.15.2-bin.tar.gz

  2. Unarchive it

    sudo tar -xvf nifi-toolkit-1.15.2-bin.tar.gz

  3. Generate all keys with one long command

    • ../security_output - this dir (or any other name) needs to be created before running the main command (it's useful to store all key files in one place)
    • sudo ./bin/tls-toolkit.sh standalone -h - this help command explains the args
    • OU - equal to the VM names in my cluster
    • !!! --subjectAlternativeNames - it's the main reason for the error javax.net.ssl.SSLPeerUnverifiedException: Hostname <ip / dns> not verified
    • -O - this arg overwrites your keys in the folder, be careful
    • Generate command:

    sudo ./bin/tls-toolkit.sh standalone --hostnames '0.0.0.1,0.0.0.2,0.0.0.3' -c '0.0.0.1' -C 'CN=0.0.0.1,OU=nifi-prod-cluster-01' -C 'CN=0.0.0.2,OU=nifi-prod-cluster-02' -C 'CN=0.0.0.3,OU=nifi-prod-cluster-03' -O -o ../security_output --subjectAlternativeNames '0.0.0.1,0.0.0.2,0.0.0.3,nifi-prod-cluster-01,nifi-prod-cluster-02,nifi-prod-cluster-03'

  4. After generating the keys I archive the full security_output dir:

    sudo tar -zcvf security_output.tar.gz security_output

  5. And copy this tar/dir to the other VMs of the cluster: to 0.0.0.2 and 0.0.0.3 in my example

  6. Then we need to move keystore.jks and truststore.jks to the nifi/conf/ directory next to nifi.properties

  7. Edit nifi.properties. The key passwords will be in security_output/0.0.0.X/nifi.properties. I replaced only these params:

    nifi.security.autoreload.enabled=false
    nifi.security.autoreload.interval=10 secs
    nifi.security.keystore=./conf/keystore.jks
    nifi.security.keystoreType=jks
    nifi.security.keystorePasswd=34dgsOBKdS+9DGHIm849ALK3JaNBdd738ddsgjfghb4J
    nifi.security.keyPasswd=34dgsOBKdS+9DGHIm849ALK3Jaddsgjfghb4J
    nifi.security.truststore=./conf/truststore.jks
    nifi.security.truststoreType=jks
    nifi.security.truststorePasswd=/n1xI9AjcwutNBdd738uOQeQL5O9ALK3i3KwylEYMW5
    nifi.security.user.authorizer=single-user-authorizer
    nifi.security.allow.anonymous.authentication=false
    nifi.security.user.login.identity.provider=single-user-provider
    nifi.security.user.jws.key.rotation.period=PT1H
    nifi.security.ocsp.responder.url=
    nifi.security.ocsp.responder.certificate=
    
  8. Restart nifi:

    sudo service nifi restart && tail -f /opt/nifi/logs/nifi-app.log

UPD. Maybe you want to set one password for the keys on all machines (it's easier to set up) or set the number of days the keys are valid: https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#standalone

Upvotes: 1
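The answer above pins the failure on `--subjectAlternativeNames`: Java's hostname verifier only accepts a peer certificate if the name the client used to connect (an IP literal or a DNS name) appears in the certificate's subjectAltName extension, so a cert whose SANs list only the node's short name will be rejected when peers dial it by IP, and vice versa. The script below is an added example, not code from the question, the answer, or the NiFi project: it parses the `SSLPeerUnverifiedException` message format quoted in the question out of sample log lines, applies the same name-matching rules (IP literals against iPAddress entries, DNS names against dNSName entries, case-insensitive, wildcard only as the whole leftmost label), and reports the exact SAN entry that would have to be added to the `--subjectAlternativeNames` list before regenerating. The log lines, node names and 10.0.0.x addresses are constructed placeholders; because the exception text prints SAN entries without their type, the script treats any entry that parses as an address as iPAddress and everything else as dNSName, which is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample log lines (not from the question, the answer, or NiFi), modelled on
# the SSLPeerUnverifiedException message format quoted in the question.
# Node names and 10.0.0.x addresses are placeholders.
SAMPLE_LOG_LINES = [
    "2024-01-01 10:00:00,000 ERROR [main] "
    "javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.0.0.2 not verified: "
    "certificate: sha256/PLACEHOLDER= DN: CN=10.0.0.2, OU=nifi-prod-cluster-02 "
    "subjectAltNames: [nifi-prod-cluster-02]",
    "2024-01-01 10:00:01,000 ERROR [main] "
    "javax.net.ssl.SSLPeerUnverifiedException: Hostname nifi-prod-cluster-03.example.internal "
    "not verified: certificate: sha256/PLACEHOLDER= DN: CN=10.0.0.3, OU=nifi-prod-cluster-03 "
    "subjectAltNames: [nifi-prod-cluster-03, 10.0.0.3]",
    "2024-01-01 10:00:02,000 INFO [main] Controller initialization took 1234 ms",
]

_PEER_UNVERIFIED = re.compile(
    r"SSLPeerUnverifiedException: Hostname (?P<host>\S+) not verified:"
    r".*?subjectAltNames: \[(?P<sans>[^\]]*)\]"
)


def parse_peer_unverified(line):
    """Return (hostname, [san entries]) from an SSLPeerUnverifiedException line, or None."""
    m = _PEER_UNVERIFIED.search(line)
    if m is None:
        return None
    sans = [s.strip() for s in m.group("sans").split(",") if s.strip()]
    return m.group("host"), sans


def is_ip_literal(name):
    """True if the name is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """Match a dNSName SAN entry against a hostname: case-insensitive, and a wildcard
    is accepted only as the entire leftmost label of a name with at least two more labels
    (the common-case rule of RFC 6125 and Java's hostname checker)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_sans(hostname, sans):
    """True if the connecting name is covered by the SAN list. IP literals match only
    iPAddress entries and DNS names only dNSName entries; since the exception text
    prints SANs untyped, an entry that parses as an address is assumed to be iPAddress."""
    if is_ip_literal(hostname):
        target = ipaddress.ip_address(hostname)
        return any(is_ip_literal(s) and ipaddress.ip_address(s) == target for s in sans)
    return any(not is_ip_literal(s) and dns_name_matches(s, hostname) for s in sans)


def diagnose(line):
    """Parse one log line; report whether the connecting name is in the SANs and, if not,
    the entry that would have to be added to --subjectAlternativeNames."""
    parsed = parse_peer_unverified(line)
    if parsed is None:
        return None
    host, sans = parsed
    if hostname_matches_sans(host, sans):
        return {"host": host, "sans": sans, "matches": True, "missing_san": None}
    kind = "iPAddress" if is_ip_literal(host) else "dNSName"
    return {"host": host, "sans": sans, "matches": False, "missing_san": f"{kind}:{host}"}


def scan(lines):
    """Run diagnose over a log and keep only the findings for unverified-peer lines."""
    return [d for d in (diagnose(line) for line in lines) if d is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        if finding["matches"]:
            status = "name is in SANs; the cause is not the SAN list"
        else:
            status = f"add {finding['missing_san']} to --subjectAlternativeNames"
        print(f"{finding['host']:45} SANs={finding['sans']} -> {status}")
```

Run it against `nifi-app.log` (e.g. `scan(open('/opt/nifi/logs/nifi-app.log'))`) after a failed cluster start; every node's certificate needs a SAN for each name the other nodes and the browser will use to reach it, which is why the answer's command lists both the IPs and the short hostnames. A finding with `matches: True` means the name set is fine and the failure has another cause, such as a truststore that does not contain the CA that signed the peer's certificate.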
