I saw this in the release notes...specifically that wildcard certs are not supported. How do most people handle this in practice? We can run a cert server or get them from other means (AWS cert manager, etc) but am not sure how to overcome the authorizers.xml issue -- would we need to have a provisioning script register each new server certificate with NiFi before it can actually do anything useful? Will new servers then have issues joining because their authorizers will not match the rest of the cluster?
On Thu, Jul 5, 2018 at 8:04 AM, Pierre Villard <pierre.villard...@gmail.com> wrote: > Hi Josef, > > I don't have a solution for you but it seems it has already been reported > and a JIRA has been opened: > https://issues.apache.org/jira/browse/NIFI-5370 > > Andy might be able to give more insights about it. > > Pierre > > 2018-07-05 13:19 GMT+02:00 Josefz <josef.zahn...@swisscom.com>: > > > Hi expert > > > > I've just done an upgrade from NiFi 1.5.0 to 1.7.0 in a SSL secured > cluster > > with LDAP authentication. Now I'm not anymore able to login into the > > webgui. > > After I have entered the login/password I'm getting the following > message: > > > > > > > > And nifi-app.log reports the following error messages: > > > > > > > > I'm having a wildcard SSL certificate and I'm using the same > > keystore/truststore combination for three usecases: > > - for cluster connectivity (in nifi.properties) > > - in "authorizer.xml" > > - in "login-identity-providers.xml". > > > > The keystore.jks (private/public) keypair has been signed by our internal > > root CA and the root CA cert has been imported into the truststore.jks. > As > > the ldap login works with certificates I'm more or less sure that the > certs > > in general are fine. Has anybody an idea if wildcard CN and SAN names > > should > > work in a cluster or where the problem could be? I've tried the same > certs > > as well in standalone mode, no issue at all. > > > > The following parameters in nifi.properties are enabled: > > nifi.security.needClientAuth=true > > nifi.cluster.protocol.is.secure=true > > > > Thanks in advance > > > > > > > > > > -- > > Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/ > > >
