Hi Phil,

Sorry to hear you are having this problem. I have a couple of steps you can try 
to resolve this.

First, to clarify the terminology for NiFi, a “client certificate” refers to a 
public certificate and private key which in combination allow a client to 
uniquely identify itself and authenticate on a mutual authentication TLS 
connection. In NiFi terminology, the client certificate identifies a user or 
service which connects to NiFi. The “server certificate” identifies the NiFi 
service, and the CA is what signs one (or both) of those certificates.

The “no cipher suites in common” error can occur when there are legitimately no 
cipher suites that both the client and server support. This can be verified by 
using the OpenSSL s_client tool to make a connection from the client to the 
server. I’ve pasted a sample invocation below.

$ openssl s_client -connect <host:port> -debug -state \
    -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> \
    -CAfile <path_to_your_CA_cert.pem>

However, that error can also appear when the keystore does not contain a valid 
private key to be used. I suspect the keystore you generated for NiFi does not 
have the private key. You can verify this by examining the nifi1.crt file you 
imported. If you run `$ more nifi1.crt`, you should see a line “-----BEGIN 
PRIVATE KEY-----” and then some Base64-encoded output. If you do not see this, 
you have only the public certificate in the file. Importing that into a 
keystore means that NiFi (or any other service using that keystore) will not be 
able to sign or decrypt any information encrypted with the public key, so it 
won’t be able to support any cipher suites that rely on RSA encryption or 
signatures.

The nifi1.crt you imported into the keystore may also not have the complete 
certificate chain encoded, in which case when the server presents that 
certificate on an incoming connection, the client (command-line or browser) 
won’t be able to verify and trust it. You’ll get a different error, but it is 
something to be aware of.

Is there a reason you chose to use a PKCS12 keystore in this scenario? Usually 
we recommend using JKS for both the keystore and the truststore.

I hope this helps. If none of this resolves your issues, please let us know and 
we can continue to help.

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
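The checks Andy describes (is a private key present in the PEM file, is more than the leaf certificate present, what kind of entry did keytool create) as an added example that is not part of this thread; the file names nifi1.crt and server_keystore.p12 come from Phil's message, while the function names, the bundle file, and the keytool listing content are constructed for the demonstration.

```shell
# Added example, not part of the original thread. It automates the checks the
# reply suggests: does the PEM file imported into the keystore carry a private
# key, and does it carry more than the leaf certificate (the chain)? It also
# classifies a saved `keytool -list` line, since `keytool -import` of a bare
# certificate creates a trustedCertEntry, which cannot serve a TLS handshake.
# All inputs below are constructed; the Base64 bodies are placeholders.

# pem_has_private_key FILE : exit 0 if any PEM private-key block is present
pem_has_private_key() {
    grep -q -E '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# pem_cert_count FILE : number of CERTIFICATE blocks (leaf plus chain)
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# diagnose_pem FILE : NO_PRIVATE_KEY | LEAF_ONLY | OK
diagnose_pem() {
    if ! pem_has_private_key "$1"; then
        echo NO_PRIVATE_KEY   # import yields a trust entry only, no key to use
    elif [ "$(pem_cert_count "$1")" -lt 2 ]; then
        echo LEAF_ONLY        # key present, but no chain for clients to verify
    else
        echo OK
    fi
}

# keystore_entry_kind LISTING ALIAS : entry type of ALIAS in saved output of
# `keytool -list -keystore server_keystore.p12 -storetype PKCS12`
keystore_entry_kind() {
    line=$(grep "^$2, " "$1") || { echo MISSING; return 0; }
    case "$line" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo UNKNOWN ;;
    esac
}

# Constructed inputs: a certificate-only nifi1.crt as described in the thread,
# a key + leaf + CA bundle, and a constructed keytool listing.
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
    '-----END CERTIFICATE-----' > "$WORK/nifi1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' \
    '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' 'leaf' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' 'ca' \
    '-----END CERTIFICATE-----' > "$WORK/nifi1-bundle.pem"
printf '%s\n' 'nifi1, May 4, 2018, trustedCertEntry, ' \
    'nifi1-key, May 4, 2018, PrivateKeyEntry, ' > "$WORK/keytool-list.txt"

echo "nifi1.crt:      $(diagnose_pem "$WORK/nifi1.crt")"          # NO_PRIVATE_KEY
echo "bundle:         $(diagnose_pem "$WORK/nifi1-bundle.pem")"   # OK
echo "keystore nifi1: $(keystore_entry_kind "$WORK/keytool-list.txt" nifi1)"
```

Point the two functions at the real nifi1.crt and at the output of keytool -list on server_keystore.p12; a trustedCertEntry for the server alias is exactly the "no private key" case the reply describes.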

> On May 4, 2018, at 4:03 AM, Phil H <gippyp...@gmail.com> wrote:
> 
> Hi all,
> 
> I am trying to secure my NiFi installation.  I have a client certificate
> (nifi1.crt) and the CA for the intranet (ca.crt).  I created the trust and
> keystores as below:
> 
> keytool -import -trustcacerts -alias nifi1 -file nifi1.crt -keystore
> server_keystore.p12 -storetype PKCS12
> 
> keytool -import -file ca.crt -alias cacert -keystore truststore.jks
> 
> And the relevant nifi.properties are set as follows
> 
> nifi.security.keystore=./conf/server_keystore.p12
> nifi.security.keystoreType=PKCS12
> nifi.security.keystorePasswd=<Password>
> nifi.security.keyPasswd=<Password>
> nifi.security.truststore=./conf/truststore.jks
> nifi.security.truststoreType=JKS
> nifi.security.truststorePasswd=<Password>
> 
> When I try and access the site via https, I receive the above error in
> Firefox, and the following in the nifi-bootstrap.log (I have enabled
> additional debugging).
> 
> Using both of these certificates inside Apache httpd works on the client as
> expected, so the certificates are fine.  I have seen some references to
> bugs/features in Jetty under Java 1.8 related to older TLS versions, but
> I'm at a loss to explain this! Help!!
> 
> Thanks,
> Phil
> 
> 2018-05-04 20:57:17,406 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Using SSLEngineImpl.
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Allow unsafe renegotiation: false
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Allow legacy hello messages: true
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Is initial handshake: true
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Is secure renegotiation: false
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for
> TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for
> TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> NiFi Web Server-20, READ: TLSv1 Handshake, length = 171
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> *** ClientHello, TLSv1.2
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> RandomCookie:  GMT: 1840697519 bytes = { 105, 139, 207, 1, 25, 185, 102,
> 192, 232, 71, 128, 61, 66, 104, 220, 248, 126, 53, 133, 115, 216, 129, 238,
> 15, 202, 164, 110, 9 }
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Session ID:  {}
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9,
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Compression Methods:  { 0 }
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Extension server_name, server_name: [type=host_name (0), value=nifi1]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Extension extended_master_secret
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Extension renegotiation_info, renegotiated_connection: <empty>
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Extension elliptic_curves, curve names: {unknown curve 29, secp256r1,
> secp384r1, secp521r1}
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Extension ec_point_formats, formats: [uncompressed]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Unsupported extension type_35, data:
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Unsupported extension type_16, data:
> 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Unsupported extension status_request, data: 01:00:00:00:00
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> Extension signature_algorithms, signature_algorithms: SHA256withECDSA,
> SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA,
> SHA512withRSA, SHA1withECDSA, SHA1withRSA
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> ***
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> %% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> NiFi Web Server-20, fatal error: 40: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> %% Invalidated:  [Session-4, SSL_NULL_WITH_NULL_NULL]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> NiFi Web Server-20, SEND TLSv1.2 ALERT:  fatal, description =
> handshake_failure
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> NiFi Web Server-20, WRITE: TLSv1.2 Alert, length = 2
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> NiFi Web Server-20, fatal: engine already closed.  Rethrowing
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> NiFi Web Server-20, called closeOutbound()
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
> NiFi Web Server-20, closeOutboundInternal()
