nifi-users mailing list archives

From Nicolas Delsaux <nicolas.dels...@gmx.fr>
Subject Re: My nifi no more serve admin interface
Date Tue, 13 Aug 2019 14:21:52 GMT
Oh, sorry, I forgot to mention I use the nifi docker image, with configuration

services:
  nifi-runner:
    hostname: nifi-psh.adeo.com
    image: apache/nifi:1.9.2
    ports:
      - "38080:8443"
      - "5000:8000"
    volumes:
      - ${project.basedir}/target/docker-compose/includes/nifi/node/conf:/opt/nifi/nifi-current/conf
      - ${project.basedir}/target/docker-compose/includes/nifi/node/cacerts.jks:/opt/certs/cacerts.jks
      - ${project.basedir}/target/docker-compose/includes/nifi/node/https_certificates.pkcs:/opt/certs/https_certificates.pkcs

And port 8443 is the standard http port, I guess (the port 8000 is the
standard debug one)


On 13/08/2019 at 16:10, Pierre Villard wrote:
> Might be a dumb question but I'm wondering why you're trying with port
> 38080? Did you change the configuration to use that specific port with
> a secured instance?
>
> Pierre
>
> On Tue, 13 Aug 2019 at 16:00, Nicolas Delsaux <nicolas.delsaux@gmx.fr> wrote:
>
>     To go a little further, a test with openssl s_client gives the
>     following
>
>     nicolas-delsaux@NICOLASDELSAUX C:\Users\nicolas-delsaux
>     $ openssl s_client -host localhost -port 38080
>     CONNECTED(00000164)
>     416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
>     failure:ssl\record\rec_layer_s3.c:1399:SSL alert number 40
>     ---
>     no peer certificate available
>     ---
>     No client certificate CA names sent
>     ---
>     SSL handshake has read 7 bytes and written 176 bytes
>     Verification: OK
>     ---
>     New, (NONE), Cipher is (NONE)
>     Secure Renegotiation IS NOT supported
>     Compression: NONE
>     Expansion: NONE
>     No ALPN negotiated
>     SSL-Session:
>          Protocol  : TLSv1.2
>          Cipher    : 0000
>          Session-ID:
>          Session-ID-ctx:
>          Master-Key:
>          PSK identity: None
>          PSK identity hint: None
>          SRP username: None
>          Start Time: 1565704262
>          Timeout   : 7200 (sec)
>          Verify return code: 0 (ok)
>          Extended master secret: no
>     ---
>
>
>     Which is weird considering nifi outputs in its startup log the lines
>
>     nifi-runner_1  | 2019-08-13 13:37:52,315 INFO [main]
>     o.e.jetty.server.handler.ContextHandler Started
>     o.e.j.w.WebAppContext@7cb81ae{nifi-error,/,file:///opt/nifi/nifi-current/work/jetty/nifi-web-error-1.9.2.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.9.2.nar-unpacked/NAR-INF/bundled-dependencies/nifi-web-error-1.9.2.war}
>     nifi-runner_1  | 2019-08-13 13:37:52,490 INFO [main]
>     o.e.jetty.util.ssl.SslContextFactory
>     x509=X509@3d94d7f3(nifi-psh.adeo.com (adeo ca),h=[nifi-psh.adeo.com],w=[]) for
>     SslContextFactory@da1abd6[provider=null,keyStore=file:///opt/certs/https_certificates.pkcs,trustStore=file:///opt/certs/cacerts.jks]
>     nifi-runner_1  | 2019-08-13 13:37:52,510 INFO [main]
>     o.eclipse.jetty.server.AbstractConnector Started
>     ServerConnector@2066f0d3{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
>
>
>     which seems to indicate Jetty is able to listen for https connections on
>     port 8443 using certificates described in SslContextFactory. No?
>
>     On 13/08/2019 at 15:40, Nicolas Delsaux wrote:
>     > I'm currently trying to implement ldap user group authorization in nifi.
>     >
>     > For that, I've deployed nifi docker image with configuration files
>     > containing required config elements (a ldap identity provider, a ldap
>     > user group provider).
>     >
>     > I've also configured https with a keystore/truststore that are injected
>     > into docker container through volumes.
>     >
>     > Once all is configured, I've taken the time to do some debug
>     > sessions to make sure the FileAccessPolicyProvider correctly
>     > loads my user from ldap, and it works ok.
>     >
>     > Unfortunately, now, when I try to load Nifi admin interface, I get a
>     > strange http response containing only the string "   � P".
>     >
>     > In other words,
>     >
>     >
>     > nicolas-delsaux@NICOLASDELSAUX C:\Users\nicolas-delsaux
>     > $ curl -v -H "Host: nifi-psh.adeo.com" http://localhost:38080/ --output -
>     > *   Trying ::1...
>     > * TCP_NODELAY set
>     > * Connected to localhost (::1) port 38080 (#0)
>     > > GET / HTTP/1.1
>     > > Host: nifi-psh.adeo.com
>     > > User-Agent: curl/7.55.1
>     > > Accept: */*
>     > >
>     > §♥♥ ☻☻P* Connection #0 to host localhost left intact
>     >
>     >
>     > http does not work (which I expect, since I've configured
>     > authentication/authorization)
>     >
>     > nicolas-delsaux@NICOLASDELSAUX C:\Users\nicolas-delsaux
>     > $ curl -v -H "Host: nifi-psh.adeo.com" https://localhost:38080/ --output -
>     > *   Trying ::1...
>     > * TCP_NODELAY set
>     > * Connected to localhost (::1) port 38080 (#0)
>     > * schannel: SSL/TLS connection with localhost port 38080 (step 1/3)
>     > * schannel: checking server certificate revocation
>     > * schannel: sending initial handshake data: sending 174 bytes...
>     > * schannel: sent initial handshake data: sent 174 bytes
>     > * schannel: SSL/TLS connection with localhost port 38080 (step 2/3)
>     > * schannel: encrypted data got 7
>     > * schannel: encrypted data buffer: offset 7 length 4096
>     > * schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE
>     > (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is
>     > received (e.g. handshake failed). More detail may be available in the
>     > Windows System event log.
>     > * Closing connection 0
>     > * schannel: shutting down SSL/TLS connection with localhost port 38080
>     > * schannel: clear security context handle
>     > curl: (35) schannel: next InitializeSecurityContext failed:
>     > SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a
>     > fatal SSL/TLS alert is received (e.g. handshake failed). More detail may
>     > be available in the Windows System event log.
>     >
>     > But neither is https
>     >
>     > I guess there is something wrong with certificate, but the log doesn't
>     > seem to indicate any certificate misconfiguration.
>     >
>     >
>     > What have I done wrong?
>     >
>     >
>
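Both probes in the thread got back a 7-byte reply from port 38080, which is the size of a single TLS alert record. The decoder below is an added example (not code from the thread or from NiFi) that names the alert inside such a record; its sample bytes are constructed from the openssl output (TLSv1.2, "SSL alert number 40") and, on the assumption that the Windows console was in code page 437, from the "§♥♥ ☻☻P" that plain-HTTP curl printed.

```python
import struct

# Names from RFC 5246 (TLS 1.2): record content types, alert levels and the
# alert descriptions most often seen when a server refuses a handshake.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def iter_records(data: bytes):
    """Split a raw byte stream into (content_type, version, body) TLS records."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("record body shorter than declared length %d" % length)
        yield ctype, (major, minor), body
        offset += 5 + length

def decode_alert(data: bytes) -> dict:
    """Describe the first record in data; an alert record gets its level and description named."""
    ctype, version, body = next(iter_records(data))
    info = {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get(version, "%d.%d" % version)}
    if ctype == 21 and len(body) == 2:
        info["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        info["alert_number"] = body[1]
        info["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return info

# Constructed samples, 7 bytes each, matching "SSL handshake has read 7 bytes".
# openssl s_client reported TLSv1.2 and "SSL alert number 40": fatal handshake_failure.
OPENSSL_REPLY = bytes.fromhex("15 03 03 00 02 02 28")
# Plain-HTTP curl printed "§♥♥ ☻☻P"; read as code page 437 (an assumption about the
# console) those glyphs are 15 03 03 00 02 02 50, a fatal internal_error alert.
CURL_REPLY = bytes.fromhex("15 03 03 00 02 02 50")

if __name__ == "__main__":
    for name, reply in (("openssl", OPENSSL_REPLY), ("curl over http", CURL_REPLY)):
        print(name, decode_alert(reply))
```

A fatal alert arriving straight after the ClientHello means the port is speaking TLS but the server rejected the handshake itself, so the next things to compare are the client's and server's protocol versions, cipher suites and the hostname the client sends.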
