[
https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16533589#comment-16533589
]
Josef Zahner commented on NIFI-5370:
------------------------------------
Hi guys,
I'm facing exact the same issue here, I'm coming from NiFi 1.5.0 and just
upgraded to 1.7.0. We are using wildcard certificates signed by our internal
root CA. The keystore/truststore works fine for LDAP login and in standalone
mode. however as soon as I'm enabling clustering I'm getting the message below.
*Webgui Message:*
{code:java}
An unexpected error has occurred
javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not
verified: certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0= DN:
CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH subjectAltNames: [*.bblab.ch]
{code}
*nifi-app.log*
{code:java}
2018-07-05 12:08:40,705 WARN [Replicate Request Thread-1]
o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET
/nifi-api/flow/current-user to i-li-nifi-97.bblab.ch:8443 due to
javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not
verified:
certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0=
DN: CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH
subjectAltNames: [*.bblab.ch]
2018-07-05 12:08:40,712 WARN [Replicate Request Thread-1]
o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not
verified:
certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0=
DN: CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH
subjectAltNames: [*.bblab.ch]
{code}
This is a major issue for us. Thanks in advance.
> Cluster request replication failing with wildcard certs
> -------------------------------------------------------
>
> Key: NIFI-5370
> URL: https://issues.apache.org/jira/browse/NIFI-5370
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.7.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Major
> Labels: certificate, cluster, security, tls, wildcard
>
> From the users mailing list:
> {quote}
> Team,
>
> NiFi secured cluster throws below error with wildcarded self-signed
> standalone certificate. Just a brief background, we are deploying nifi in
> Kubernetes where we have to use wildcarded certificates. Till nifi 1.6.0, it
> was working fine.
> Also I tried bringing up NiFi in linux VM in secured cluster mode with
> wildcarded certs, I am getting same error.
>
> Toolkit command to generate certs:
> bin/tls-toolkit.sh standalone -n
> '*.mynifi-nifi-headless.default.svc.cluster.local’ -C 'CN=admin, OU=NIFI' -o
> <targetfolder>
>
> Logs:
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET
> /nifi-api/flow/current-user to
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
> certificate: sha256/########################################
> DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
> subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
> certificate: sha256/########################################
> DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
> subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> at
> okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>
> Please help me in resolving this.
>
> Note: Same certificates is working for single mode setup.
> {quote}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
