nifi-users mailing list archives

From "Adam J. Shook" <adamjsh...@gmail.com>
Subject Re: Clustering configuration error -- HTTPS hostname wrong
Date Mon, 05 Dec 2016 20:54:55 GMT
Thanks for your help, Bryan.  I walked through your guide and was able to
use the new keystore and certs generated by the nifi-toolkit -- which is
great by the way.  Makes it easy for us security n00bs.

I compared the configurations and they were similar; nothing out of the
ordinary.  Must have been something with how the keystore and certs were
originally generated.

I've now got a two node NiFi cluster -- now to update the processor configs
to handle the new node...

Thanks again,
--Adam

On Mon, Dec 5, 2016 at 12:04 PM, Bryan Bende <bbende@gmail.com> wrote:

> Adam,
>
> This is definitely interesting that your single node secure setup was
> working fine and now doesn't work when enabling clustering.
>
> Since you mentioned you weren't opposed to starting over, this post that I
> wrote when 1.0 was released should be fairly up to date:
> http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
>
> It uses the NiFi toolkit to generate the certs, which also generates a
> nifi.properties for you. It might be interesting to work through that, and
> assuming it works, then compare the working config to the current config to
> see if anything jumps out as being different.
>
> If you want to keep troubleshooting your current setup, it might be good
> to use keytool to list the contents of your p12 keystore and see if the
> Subject looks correct:
>
> keytool -list -keystore /export/appl/pkgs/nifi/conf/cert.p12 -storepass {password} -storetype PKCS12 -v
>
> I don't see how it could be wrong if your single node setup was working,
> but it is worth a shot.
>
> -Bryan
>
> On Mon, Dec 5, 2016 at 11:25 AM, Adam J. Shook <adamjshook@gmail.com>
> wrote:
>
>> The tihdedg11 URL would be my failed attempt to mask all the hostnames ;)
>>  Oh well.  That'd be host1.foo.com.
>>
>> The certificates I am using were generated using the below documentation
>> [1] as a guide back on NiFi 0.6 -- but we're using the Kerberos provider
>> and not the LDAP provider.  I've used the same certs from 0.6 to 1.0 and
>> now to 1.1 and I've never had a problem with them.  This is a single-node
>> cluster (for now, soon to be two if I can get it working with one) and it
>> is failing to replicate the request to itself.
>>
>> I'm far from a security buff and don't really know where to begin
>> troubleshooting this.  If there is a more up-to-date guide on how to get
>> security setup, I'd be happy to start over and work through that.  I've
>> tried [2] just now and that also didn't pan out since there is no longer an
>> authorizer-users.xml file (and I can't make a new one since I've already
>> upgraded my old users.xml to the new model).
>>
>> Thank you,
>> --Adam
>>
>> [1] https://community.hortonworks.com/articles/7341/nifi-user-authentication-with-ldap.html
>> [2] https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html
>>
>> On Sun, Dec 4, 2016 at 7:57 PM, Andre <andre-lists@fucs.org> wrote:
>>
>>> Adam,
>>>
>>> Is the X509 certificate of host1.foo.com reflecting the correct Subject
>>> Name?
>>>
>>> Would you know where the URL tihdedg11.troweprice.com:8080 comes from?
>>>
>>> Cheers
>>>
>>> On Mon, Dec 5, 2016 at 10:34 AM, Adam J. Shook <adamjshook@gmail.com>
>>> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I am trying to enable clustering on my NiFi instance, starting with the
>>>> original single-node instance which uses Kerberos and HTTPS.  I've been
>>>> following the Clustering Configuration section in the admin guide, and I
>>>> see in the logs that the node takes over as the Coordinator and elects the
>>>> dataflow.  When I try to connect to the UI I receive the below error -- it
>>>> looks like there is no hostname in the GET request when it tries to
>>>> replicate it?  I started up the second node and I see it join the cluster,
>>>> but accessing the UI throws the same error -- failing to replicate the
>>>> request to both nodes.
>>>>
>>>> Any ideas?
>>>>
>>>> Thank you,
>>>> --Adam
>>>>
>>>>
>>>> 2016-12-04 23:28:02,105 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to tihdedg11.troweprice.com:8080 due to {}
>>>> com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: HTTPS hostname wrong:  should be <host1.foo.com>
>>>>
>>>>
>>
>
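
Added example, not part of the original thread: the Subject-versus-hostname check suggested in the replies above, written as an RFC 2818-style match that a client applies when replicating a request to a node over HTTPS. The certificate dicts follow the layout of Python's `ssl.SSLSocket.getpeercert()`; the sample certificates, `nifi.foo.com`, and all function names are constructed for illustration.

```python
# Added example: RFC 2818-style hostname check over a certificate's names.
# Certificates use the dict layout of Python's ssl.SSLSocket.getpeercert().

def dns_name_matches(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject '*.com'
    return p == h

def presented_names(cert):
    """Names a client compares against: SAN dNSName entries if any exist,
    otherwise the subject commonName(s) as the legacy fallback."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return "subjectAltName", san
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return "commonName", cns

def check_node(cert, hostname):
    """Return (ok, message) for one cluster node address."""
    source, names = presented_names(cert)
    if any(dns_name_matches(n, hostname) for n in names):
        return True, f"{hostname}: matches {source}"
    return False, f"{hostname}: not in {source} {names}"

# Constructed sample data (not the thread's real certificates).
CERT_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
CERT_NODE1 = {
    "subject": ((("commonName", "host1.foo.com"),),),
    "subjectAltName": (("DNS", "host1.foo.com"),),
}
# A SAN is present, so the matching commonName is ignored.
CERT_SAN_OVERRIDES_CN = {
    "subject": ((("commonName", "host1.foo.com"),),),
    "subjectAltName": (("DNS", "nifi.foo.com"),),
}

if __name__ == "__main__":
    for cert in (CERT_LOCALHOST, CERT_NODE1, CERT_SAN_OVERRIDES_CN):
        print(check_node(cert, "host1.foo.com")[1])
```

The third certificate is the case that is easy to miss when reading `keytool -list -v` output: the Subject looks right, but a SubjectAlternativeName extension that omits the node's hostname still fails the check.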
