Hi Nicolas, This is another dump question. As I've only ever seen this before when I've accidentally connect to a secured Nifi cluster over HTTP and not HTTPS. >From I've seen Nifi won't ask your browser to do a connection upgrade (HTTP -> HTTPS),
When you type in the address are you sure your browser is not cutting of the *s* from the *https* in the URL you entering? Edward On Tue, Aug 13, 2019 at 3:22 PM Nicolas Delsaux <nicolas.dels...@gmx.fr> wrote: > oh, sorry, I forgot to mention i use the nifi docker image, with > configuration > services: > nifi-runner: > hostname: nifi-psh.adeo.com > image: apache/nifi:1.9.2 > ports: > - "38080:8443" > - "5000:8000" > volumes: > - > ${project.basedir}/target/docker-compose/includes/nifi/node/conf:/opt/nifi/nifi-current/conf > - > ${project.basedir}/target/docker-compose/includes/nifi/node/cacerts.jks:/opt/certs/cacerts.jks > - > ${project.basedir}/target/docker-compose/includes/nifi/node/https_certificates.pkcs:/opt/certs/https_certificates.pkcs > > And port 8443 is standard http port, I guess (the port 8000 is the > standard debug one) > > > Le 13/08/2019 à 16:10, Pierre Villard a écrit : > > Might be a dumb question but I'm wondering why you're trying with port > 38080? Did you change the configuration to use that specific port with a > secured instance? > > Pierre > > Le mar. 13 août 2019 à 16:00, Nicolas Delsaux <nicolas.dels...@gmx.fr> a > écrit : > >> To go a little further, a test with openssl s_client gives the following >> >> nicolas-delsaux@NICOLASDELSAUX C:\Users\nicolas-delsaux >> $ openssl s_client -host localhost -port 38080 >> CONNECTED(00000164) >> 416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake >> failure:ssl\record\rec_layer_s3.c:1399:SSL alert number 40 >> --- >> no peer certificate available >> --- >> No client certificate CA names sent >> --- >> SSL handshake has read 7 bytes and written 176 bytes >> Verification: OK >> --- >> New, (NONE), Cipher is (NONE) >> Secure Renegotiation IS NOT supported >> Compression: NONE >> Expansion: NONE >> No ALPN negotiated >> SSL-Session: >> Protocol : TLSv1.2 >> Cipher : 0000 >> Session-ID: >> Session-ID-ctx: >> Master-Key: >> PSK identity: None >> PSK identity hint: None >> SRP username: None >> Start Time: 1565704262 >> Timeout : 7200 (sec) >> Verify return code: 0 (ok) >> Extended master secret: no >> --- >> >> >> Which i weird considering nifi outputs in its startup log the lines >> >> nifi-runner_1 | 2019-08-13 13:37:52,315 INFO [main] >> o.e.jetty.server.handler.ContextHandler Started >> o.e.j.w.WebAppContext@7cb81ae{nifi-error,/, >> file:///opt/nifi/nifi-current/work/jetty/nifi-web-error-1.9.2.war/webapp/,AVAILABLE >> }{./work/nar/framework/nifi-framework-nar-1.9.2.nar-unpacked/NAR-INF/bundled-dependencies/nifi-web-error-1.9.2.war} >> nifi-runner_1 | 2019-08-13 13:37:52,490 INFO [main] >> o.e.jetty.util.ssl.SslContextFactory >> x509=X509@3d94d7f3(nifi-psh.adeo.com (adeo >> ca),h=[nifi-psh.adeo.com],w=[]) for >> SslContextFactory@da1abd6[provider=null,keyStore= >> file:///opt/certs/https_certificates.pkcs,trustStore=file:///opt/certs/cacerts.jks >> ] >> nifi-runner_1 | 2019-08-13 13:37:52,510 INFO [main] >> o.eclipse.jetty.server.AbstractConnector Started >> ServerConnector@2066f0d3{SSL,[ssl, http/1.1]}{0.0.0.0:8443} >> >> >> which seems to indicate Jetty is able to listen for https connections on >> port 8443 using certificates described in SslContextFactory. No ? >> >> Le 13/08/2019 à 15:40, Nicolas Delsaux a écrit : >> > I'm currently trying to implement ldap user group authorization in nifi. >> > >> > For that, I've deployed nifi docker image with configuration files >> > containing required config elements (a ldap identity provider, a ldap >> > user group provider). >> > >> > I've also configured https with a keystore/truststore that are injected >> > into docker container through volumes. >> > >> > Once all is configured, i've taken the time to do some debug session to >> > make sure tue FileAccessPolicyProvider correctly loads my user from >> > ldap, and it works ok. >> > >> > Unfortunatly, now, when i try to load Nifi admin interface, I get a >> > strange http response containing only the string " � P". >> > >> > In other words, >> > >> > >> > nicolas-delsaux@NICOLASDELSAUX C:\Users\nicolas-delsaux >> > $ curl -v -H "Host: nifi-psh.adeo.com" http://localhost:38080/ >> --output - >> > * Trying ::1... >> > * TCP_NODELAY set >> > * Connected to localhost (::1) port 38080 (#0) >> > > GET / HTTP/1.1 >> > > Host: nifi-psh.adeo.com >> > > User-Agent: curl/7.55.1 >> > > Accept: */* >> > > >> > §♥♥ ☻☻P* Connection #0 to host localhost left intact >> > >> > >> > http does not work (which i expects, since I've configured >> > authentication/authorization >> > >> > nicolas-delsaux@NICOLASDELSAUX C:\Users\nicolas-delsaux >> > $ curl -v -H "Host: nifi-psh.adeo.com" https://localhost:38080/ >> > --output - >> > * Trying ::1... >> > * TCP_NODELAY set >> > * Connected to localhost (::1) port 38080 (#0) >> > * schannel: SSL/TLS connection with localhost port 38080 (step 1/3) >> > * schannel: checking server certificate revocation >> > * schannel: sending initial handshake data: sending 174 bytes... >> > * schannel: sent initial handshake data: sent 174 bytes >> > * schannel: SSL/TLS connection with localhost port 38080 (step 2/3) >> > * schannel: encrypted data got 7 >> > * schannel: encrypted data buffer: offset 7 length 4096 >> > * schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE >> > (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is >> > received (e.g. handshake failed). More detail may be available in the >> > Windows System event log. >> > * Closing connection 0 >> > * schannel: shutting down SSL/TLS connection with localhost port 38080 >> > * schannel: clear security context handle >> > curl: (35) schannel: next InitializeSecurityContext failed: >> > SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a >> > fatal SSL/TLS alert is received (e.g. handshake failed). More detail may >> > be available in the Windows System event log. >> > >> > But neither is https >> > >> > I guess there is something wrong with certificate, but the log doesn't >> > seems to indicate any certificate misconfiguration. >> > >> > >> > What have i done wrong ? >> > >> > >> >