nifi-users mailing list archives

From "Adam J. Shook" <>
Subject Re: Clustering configuration error -- HTTPS hostname wrong
Date Mon, 05 Dec 2016 20:54:55 GMT
Thanks for your help, Bryan.  I walked through your guide and was able to
use the new keystore and certs generated by the nifi-toolkit -- which is
great by the way.  Makes it easy for us security n00bs.

I compared the configurations and they were similar; nothing out of the
ordinary.  Must have been something with how the keystore and certs were
originally generated.

I've now got a two node NiFi cluster -- now to update the processor configs
to handle the new node...

Thanks again,

On Mon, Dec 5, 2016 at 12:04 PM, Bryan Bende <> wrote:

> Adam,
> This is definitely interesting that your single node secure setup was
> working fine and now doesn't work when enabling clustering.
> Since you mentioned you weren't opposed to starting over, this post that I
> wrote when 1.0 was released should be fairly up to date:
> 0-0-authorization-and-multi-tenancy
> It uses the NiFi toolkit to generate the certs, which also generates a
> for you. It might be interesting to work through that, and
> assuming it works, then compare the working config to the current config to
> see if anything jumps out as being different.
> If you want to keep troubleshooting your current setup, it might be good
> to use keytool to list the contents of your p12 keystore and see if the
> Subject looks correct:
> keytool -list -keystore /export/appl/pkgs/nifi/conf/cert.p12 -storepass {password} -storetype PKCS12 -v
> I don't see how it could be wrong if your single node setup was working,
> but it is worth a shot.
> -Bryan
> On Mon, Dec 5, 2016 at 11:25 AM, Adam J. Shook <>
> wrote:
>> The tihdedg11 URL would be my failed attempt to mask all the hostnames ;)
>>  Oh well.  That'd be
>> The certificates I am using were generated using the below documentation
>> [1] as a guide back on NiFi 0.6 -- but we're using the Kerberos provider
>> and not the LDAP provider.  I've used the same certs from 0.6 to 1.0 and
>> now to 1.1 and I've never had a problem with them.  This is a single-node
>> cluster (for now, soon to be two if I can get it working with one) and it
>> is failing to replicate the request to itself.
>> I'm far from a security buff and don't really know where to begin
>> troubleshooting this.  If there is a more up-to-date guide on how to get
>> security setup, I'd be happy to start over and work through that.  I've
>> tried [2] just now and that also didn't pan out since there is no longer an
>> authorizer-users.xml file (and I can't make a new one since I've already
>> upgraded my old users.xml to the new model).
>> Thank you,
>> --Adam
>> [1]
>> thentication-with-ldap.html
>> [2]
>> nifi-step-by-step.html
>> On Sun, Dec 4, 2016 at 7:57 PM, Andre <> wrote:
>>> Adam,
>>> Is the X509 certificate of reflecting the correct Subject
>>> Name?
>>> Would you know where the URL comes from?
>>> Cheers
>>> On Mon, Dec 5, 2016 at 10:34 AM, Adam J. Shook <>
>>> wrote:
>>>> Hello all,
>>>> I am trying to enable clustering on my NiFi instance, starting with the
>>>> original single-node instance which uses Kerberos and HTTPS.  I've been
>>>> following the Clustering Configuration section in the admin guide, and I
>>>> see in the logs that the node takes over as the Coordinator and elects the
>>>> dataflow.  When I try to connect to the UI I receive the below error -- it
>>>> looks like there is no hostname in the GET request when it tries to
>>>> replicate it?  I started up the second node and I see it join the cluster,
>>>> but accessing the UI throws the same error -- failing to replicate the
>>>> request to both nodes.
>>>> Any ideas?
>>>> Thank you,
>>>> --Adam
>>>> 2016-12-04 23:28:02,105 WARN [Replicate Request Thread-1]
>>>> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request
>>>> GET /nifi-api/flow/current-user to due
>>>> to {}
>>>> com.sun.jersey.api.client.ClientHandlerException:
>>>> HTTPS hostname wrong:  should be <>
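
The Subject check suggested in the thread comes down to comparing the names in each node's certificate with the hostname the other nodes use to reach it. The sketch below is an added example, not code from the thread, NiFi or the JDK: it applies the usual HTTPS matching rules (dNSName SANs take precedence over the CN, a wildcard covers only the leftmost label) to certificates and hostnames that are all constructed for illustration.

```python
# Added example. Hostnames and certificates below are constructed, not from the thread.
# Cert dicts use the layout returned by Python's ssl.SSLSocket.getpeercert().

def cert_dns_names(cert):
    """Names a verifier compares against: dNSName SANs if present, else subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans, "subjectAltName"
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return cns, "commonName"

def name_matches(pattern, host):
    """Exact label-by-label match; '*' may stand for the whole leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_nodes(cert, node_hosts):
    """For each hostname a node is addressed by, would this cert be accepted?"""
    names, _ = cert_dns_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in node_hosts}

# Constructed cluster hostnames (assumed; use the hostnames your nodes advertise).
NODES = ["nifi-node1.example.com", "nifi-node2.example.com"]

# Constructed certificates covering three common situations.
SHORT_CN_CERT = {"subject": ((("commonName", "nifi"),),)}  # CN is not a node FQDN
NODE1_CERT = {"subject": ((("commonName", "nifi-node1.example.com"),),),
              "subjectAltName": (("DNS", "nifi-node1.example.com"),)}
STALE_CN_CERT = {"subject": ((("commonName", "nifi-node2.example.com"),),),
                 "subjectAltName": (("DNS", "nifi-node1.example.com"),)}  # CN ignored

if __name__ == "__main__":
    for label, cert in (("short CN", SHORT_CN_CERT), ("node1 cert", NODE1_CERT),
                        ("stale CN", STALE_CN_CERT)):
        names, source = cert_dns_names(cert)
        print(f"{label}: checked {source} {names} -> {check_nodes(cert, NODES)}")
```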
