I think in general it’s hard for us to know when a bad keystore is provided
until a connection tries to come in because a lot of that is delegated to
Jetty. There was talk previously about a “keystore checker” toolkit feature
which would look at the complete provided configuration for TLS and tr
Hmm, I wonder if there's a change that could be made to expose this error
so it's a bit more obvious, maybe one for the Dev mailing list?
Edward
On Wed, Aug 14, 2019 at 3:12 PM Pierre Villard wrote:
Glad you sorted it out and thanks for letting us know!
In case you missed it, you might be interested in the NiFi toolkit [1]
containing a TLS toolkit to help you with certificates [2].
[1] https://nifi.apache.org/download.html
[2] https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls
Oh damn
It appeared (after a long search) that my keystore was incorrectly built.
Indeed, it contained the server certificate as a trusted certificate,
where it should have been a key pair (with both private and public keys
in) as is explained in Jetty documentation
(https://www.eclipse.org/jetty
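A small pre-flight check of the kind Edward's "keystore checker" remark suggests, added here as an example (it is not NiFi toolkit code). It loads a JKS or PKCS12 file with the standard Java KeyStore API and reports whether it holds a PrivateKeyEntry, the key pair that Jetty needs, or only trustedCertEntry items, which is the misbuilt keystore described above; file, store type and password are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Checks that a server keystore can actually serve TLS: it must contain at least
 * one PrivateKeyEntry (private key + certificate chain). A store that only holds
 * trustedCertEntry items is a truststore; Jetty accepts it at start-up but every
 * handshake then fails, which openssl s_client reports as "handshake failure".
 * Assumed invocation (not part of NiFi): java KeystoreCheck <file> <JKS|PKCS12> <password>
 */
public class KeystoreCheck {

    /** Returns true when the store contains at least one usable private-key entry. */
    public static boolean hasServerKeyPair(InputStream in, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);   // "JKS" or "PKCS12"
        ks.load(in, password);
        boolean ok = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // getCertificate() is null for secret-key entries (e.g. a stored AES key); skip those
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                if (cert == null) {
                    continue;
                }
                cert.checkValidity();   // throws if the certificate is expired or not yet valid
                System.out.println("PrivateKeyEntry  " + alias + "  subject=" + cert.getSubjectX500Principal());
                ok = true;
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println("trustedCertEntry " + alias + "  (cannot serve TLS; belongs in the truststore)");
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            boolean ok = hasServerKeyPair(in, args[1], args[2].toCharArray());
            System.out.println(ok ? "OK: keystore holds a key pair" : "ERROR: no PrivateKeyEntry found");
            System.exit(ok ? 0 : 1);
        }
    }
}
```

Run it against nifi.security.keystore before starting NiFi; a non-zero exit means the handshake would fail for the reason this thread diagnosed.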
Hi Nicolas,
This is another dumb question, as I've only ever seen this before when I've
accidentally connected to a secured NiFi cluster over HTTP and not HTTPS.
From what I've seen NiFi won't ask your browser to do a connection upgrade (HTTP -> HTTPS),
When you type in the address are you sure your br
oh, sorry, I forgot to mention I use the nifi docker image, with this
configuration:
services:
  nifi-runner:
    hostname: nifi-psh.adeo.com
    image: apache/nifi:1.9.2
    ports:
      - "38080:8443"
      - "5000:8000"
    volumes:
      - ${project.basedir}/target/docker-compose/includes/nifi/node/conf:/opt/nifi/nifi-current/conf
      -
Might be a dumb question but I'm wondering why you're trying with port
38080? Did you change the configuration to use that specific port with a
secured instance?
Pierre
On Tue, Aug 13, 2019 at 16:00, Nicolas Delsaux wrote:
To go a little further, a test with openssl s_client gives the following
nicolas-delsaux@NICOLASDELSAUX C:\Users\nicolas-delsaux
$ openssl s_client -host localhost -port 38080
CONNECTED(0164)
416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3
I'm currently trying to implement LDAP user group authorization in NiFi.
For that, I've deployed the nifi docker image with configuration files
containing the required config elements (an LDAP identity provider, an LDAP
user group provider).
I've also configured https with a keystore/truststore that are i