[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16533589#comment-16533589 ]
Josef Zahner commented on NIFI-5370:
------------------------------------

Hi guys,

I'm facing exactly the same issue here. I'm coming from NiFi 1.5.0 and just upgraded to 1.7.0. We are using wildcard certificates signed by our internal root CA. The keystore/truststore works fine for LDAP login and in standalone mode. However, as soon as I'm enabling clustering I'm getting the message below.

*Webgui Message:*
{code:java}
An unexpected error has occurred
javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not verified:
certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0=
DN: CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH
subjectAltNames: [*.bblab.ch]
{code}

*nifi-app.log*
{code:java}
2018-07-05 12:08:40,705 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to i-li-nifi-97.bblab.ch:8443 due to javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not verified:
certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0=
DN: CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH
subjectAltNames: [*.bblab.ch]
2018-07-05 12:08:40,712 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not verified:
certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0=
DN: CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH
subjectAltNames: [*.bblab.ch]
{code}

This is a major issue for us. Thanks in advance.

> Cluster request replication failing with wildcard certs
> -------------------------------------------------------
>
> Key: NIFI-5370
> URL: https://issues.apache.org/jira/browse/NIFI-5370
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.7.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Major
> Labels: certificate, cluster, security, tls, wildcard
>
> From the users mailing list:
> {quote}
> Team,
>
> NiFi secured cluster throws below error with wildcarded self-signed
> standalone certificate. Just a brief background, we are deploying nifi in
> Kubernetes where we have to use wildcarded certificates. Till nifi 1.6.0, it
> was working fine.
> Also I tried bringing up NiFi in linux VM in secured cluster mode with
> wildcarded certs, I am getting same error.
>
> Toolkit command to generate certs:
> bin/tls-toolkit.sh standalone -n
> '*.mynifi-nifi-headless.default.svc.cluster.local' -C 'CN=admin, OU=NIFI' -o
> <targetfolder>
>
> Logs:
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET
> /nifi-api/flow/current-user to
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
> certificate: sha256/########################################
> DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
> subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
> certificate: sha256/########################################
> DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
> subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> at
> okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>
> Please help me in resolving this.
>
> Note: Same certificates are working for single mode setup.
> {quote}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)