Reputation: 357
I'm trying to install Apache NiFi 2+ on my CentOS 7 server in a Docker container. I created the truststore.p12 and keystore.p12 (I also tried a JKS truststore), and I also extracted the cert from the keystore, but I always end up with HTTP ERROR 400 Invalid SNI when accessing https://<my-ip-address>:8445/nifi (I'm using port 8445 because the other ports are occupied).
I've followed the answer here but it also didn't work. I'm creating the files and storing them in /opt/certs/ (they are valid, I've checked). After that, I run docker using the following command (as written here):

```shell
docker run --name nifi \
  -v /opt/certs:/opt/certs \
  -p 8445:8445 \
  -e NIFI_WEB_HTTPS_PORT=8445 \
  -e NIFI_WEB_HTTPS_HOST=0.0.0.0 \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=<changeit> \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=<changeit> \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=<changeit>, OU=<changeit>, O=<changeit>, L=<changeit>, ST=<changeit>, C=<changeit>' \
  -e NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider \
  -e NIFI_SECURITY_NEED_CLIENT_AUTH=false \
  -d \
  apache/nifi:2.1.0
```

(For NIFI_WEB_HTTPS_HOST I also tried binding to a specific IP address.)
But I always end up with the same error: HTTP ERROR 400 Invalid SNI. I checked the logs; they don't seem to contain any related errors.

Note: I've already deployed a NiFi instance on the same server without Docker, following the same steps.
Any guidance on how to move forward is appreciated!
Upvotes: 0
Views: 40
Reputation: 357
The issue was that the environment variables I'm setting in the docker run command aren't reflected in the nifi.properties file in the container. So I edited the Dockerfile as follows. Also, instead of mounting the key and trust store from the local system, I'm creating self-signed stores in the Dockerfile. The sed -i will overwrite the properties in the nifi.properties file:
```dockerfile
# Base image assumed from the question (the posted Dockerfile fragment starts at the ENV lines)
FROM apache/nifi:2.1.0

ENV NIFI_HOME=/opt/nifi/nifi-current
ENV CERTS_DIR=/opt/nifi/certs
ENV NIFI_WEB_HTTPS_PORT=8445
ENV NIFI_WEB_HTTPS_HOST=0.0.0.0
ENV NIFI_WEB_PROXY_HOST=0.0.0.0
ENV KEYSTORE_PASS=<changeit>
ENV TRUSTSTORE_PASS=<changeit>
ENV KEYSTORE_PATH=${CERTS_DIR}/keystore.jks
ENV TRUSTSTORE_PATH=${CERTS_DIR}/truststore.jks
ENV KEYSTORE_TYPE=JKS
ENV TRUSTSTORE_TYPE=JKS
ENV NIFI_USERNAME=<changeit>
ENV NIFI_PASSWORD=<changeit>

# Create the certs directory if it does not exist
RUN mkdir -p ${CERTS_DIR}

# Generate the keystore (the SAN must contain the host name or IP you use in the browser URL)
RUN keytool -genkeypair -alias nifi-key \
    -keyalg RSA -keysize 2048 -validity 36500 \
    -keystore ${CERTS_DIR}/keystore.jks -storepass ${KEYSTORE_PASS} \
    -dname "CN=, OU=, O=, L=, ST=, C=" \
    -ext SAN=dns:nifi.local,IP:<my-ip-address>

# Export the certificate from the keystore in X.509 format
RUN keytool -export -alias nifi-key -file ${CERTS_DIR}/nifi-cert.cer \
    -keystore ${KEYSTORE_PATH} -storepass ${KEYSTORE_PASS} && ls -l ${CERTS_DIR}/nifi-cert.cer

# Generate the truststore and import the exported certificate
RUN keytool -import -trustcacerts -alias nifi-cert -file ${CERTS_DIR}/nifi-cert.cer \
    -keystore ${TRUSTSTORE_PATH} -storepass ${TRUSTSTORE_PASS} -noprompt

# Set NiFi user credentials using nifi.sh set-single-user-credentials
# (the working directory of the base image is NIFI_HOME, so ./bin resolves)
RUN ./bin/nifi.sh set-single-user-credentials ${NIFI_USERNAME} ${NIFI_PASSWORD}

# Write the keystore/truststore settings directly into nifi.properties
RUN sed -i \
    -e "s|^nifi.security.keystore=.*|nifi.security.keystore=${KEYSTORE_PATH}|" \
    -e "s|^nifi.security.keystoreType=.*|nifi.security.keystoreType=${KEYSTORE_TYPE}|" \
    -e "s|^nifi.security.keystorePasswd=.*|nifi.security.keystorePasswd=${KEYSTORE_PASS}|" \
    -e "s|^nifi.security.truststore=.*|nifi.security.truststore=${TRUSTSTORE_PATH}|" \
    -e "s|^nifi.security.truststoreType=.*|nifi.security.truststoreType=${TRUSTSTORE_TYPE}|" \
    -e "s|^nifi.security.truststorePasswd=.*|nifi.security.truststorePasswd=${TRUSTSTORE_PASS}|" \
    /opt/nifi/nifi-current/conf/nifi.properties
```
After that I can simply build the image and run the Docker container:

```shell
docker build -t test-nifi ./   # ./ = the location of your Dockerfile
docker run -d --name nifi -p 8445:8445 test-nifi
```
Upvotes: 1
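Two checks that help confirm the answer's setup before starting the container, as an added example that is not from the question, the answer, or NiFi itself: one verifies that nifi.properties actually received the keystore/truststore values the sed writes, and the other approximates the host-name-to-SAN matching that an SNI host check performs, using the keytool `-ext SAN=dns:...,IP:...` syntax from the Dockerfile. The sample properties text is constructed; only the standard library is used.

```python
import ipaddress
from urllib.parse import urlsplit
# nifi.properties keys rewritten by the answer's sed; every one must be non-empty for HTTPS.
TLS_KEYS = ("nifi.security.keystore", "nifi.security.keystoreType", "nifi.security.keystorePasswd",
            "nifi.security.truststore", "nifi.security.truststoreType", "nifi.security.truststorePasswd")

# Constructed sample: a nifi.properties where the docker run -e variables were not applied.
SAMPLE_PROPERTIES = ("nifi.web.https.port=8445\nnifi.security.keystore=/opt/nifi/certs/keystore.jks\n"
                     "nifi.security.keystoreType=JKS\nnifi.security.keystorePasswd=\n")

def parse_properties(text):
    """Parse Java .properties text into a dict; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props
def missing_tls_properties(text):
    """Return the TLS keys that are absent or empty, in TLS_KEYS order."""
    props = parse_properties(text)
    return [k for k in TLS_KEYS if not props.get(k)]

def parse_san(san_ext):
    """Parse keytool's '-ext SAN=dns:a,IP:b' value into (dns_names, ip_addresses)."""
    spec = san_ext.partition("=")[2] if san_ext.upper().startswith("SAN=") else san_ext
    dns, ips = [], []
    for entry in spec.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.lower() == "dns":
            dns.append(value.lower())
        elif kind.lower() == "ip":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def san_covers(san_ext, url):
    """True if the host in url is covered by an IP SAN or a (possibly wildcard) DNS SAN."""
    host = (urlsplit(url).hostname or "").lower()
    dns, ips = parse_san(san_ext)
    try:
        return ipaddress.ip_address(host) in ips  # IP literal: must equal an IP SAN
    except ValueError:
        pass  # not an IP literal, so compare against the DNS SANs below
    for name in dns:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True  # a wildcard covers exactly one leftmost label
    return False
```

If `san_covers` returns False for the URL you type into the browser, the certificate needs that name or IP added to its SAN, which is the condition the Dockerfile's `-ext SAN=...` line addresses.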