Hi All,

I am implementing TLS for NiFi and we are able to connect to the primary node 
with https, and the NiFi page is displaying the cluster with 1/3 status. We 
observed the following errors in the nifi-app.log file:

2019-12-23 14:01:47,286 WARN [main] o.a.nifi.controller.StandardFlowService 
Failed to connect to cluster due to: 
org.apache.nifi.cluster.protocol.ProtocolException: Failed to create socket to 
node03:9081 due to: java.net.ConnectException: Connection refused (Connection 
refused)
2019-12-23 14:01:52,288 INFO [main] 
o.a.n.c.c.n.LeaderElectionNodeProtocolSender Determined that Cluster 
Coordinator is located at node03:9081; will use this address for sending 
heartbeat messages
2019-12-23 14:01:52,367 WARN [main] o.a.nifi.controller.StandardFlowService 
Failed to connect to cluster due to: 
org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 
'CONNECTION_REQUEST' protocol message due to: 
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2019-12-23 14:01:57,371 INFO [main] 
o.a.n.c.c.n.LeaderElectionNodeProtocolSender Determined that Cluster 
Coordinator is located at node03:9081; will use this address for sending 
heartbeat messages
2019-12-23 14:01:57,392 WARN [main] o.a.nifi.controller.StandardFlowService 
Failed to connect to cluster due to: 
org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 
'CONNECTION_REQUEST' protocol message due to: 
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2019-12-23 14:02:02,395 INFO [main] 
o.a.n.c.c.n.LeaderElectionNodeProtocolSender Determined that Cluster 
Coordinator is located at node03:9081; will use this address for sending 
heartbeat messages
2019-12-23 14:02:02,409 WARN [main] o.a.nifi.controller.StandardFlowService 
Failed to connect to cluster due to: 
org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 
'CONNECTION_REQUEST' protocol message due to: 
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

I have a few questions before fixing the above errors; please correct me if I am 
doing something wrong with the points below.

Just an update before jumping into my questions: I am using my company-signed 
CA certificate (which varies from server to server), not an intermediate CA 
certificate which is common across the organization.


  1.  When using the NiFi toolkit there are 2 ways of generating certificates: 
Standalone mode and Server/client mode.

      a.  Standalone mode: To generate the following files with a single 
command: nifi-cert.pem, nifi-key.key, CN=username_OU=ou.password, 
CN=username_OU=ou.p12 and an xyz directory, where the xyz directory again 
contains keystore.jks, nifi.properties and truststore.jks. My question here 
is: do we need to modify anything in the nifi.properties file here?
      b.  Server/client mode: This is used to make one of the servers the 
certificate approving authority and the other nodes clients. Since we are 
already using an organization-signed CA certificate, I am going with 
Standalone mode.

  1.  Modified the nifi.properties file which is present in the nifi conf 
directory to read the new ports after TLS, keystore, truststore and password.
  2.  Imported our organization's root CA and intermediate CA files into both 
keystore.jks and truststore.jks along with the other nodes' signed certificates 
mentioned in point 1.
  3.  As part of troubleshooting to fix the above error, added/imported 
nifi-cert.pem, which is generated by the nifi toolkit mentioned in point 2, 
into the other nodes' keystore.jks and truststore.jks; even this didn't fix my 
errors.
  4.  Apart from modifying the nifi.properties file mentioned in point 3, do we 
need to modify any other files? Like authorizations.xml, authorizers.xml, 
users.xml etc.; if yes, please suggest what and how to modify.

Please guide me on the above-mentioned questions or correct me if I am going 
with wrong assumptions. I tried with my understanding 😊

Thank you in advance for taking your time to answer. Waiting for a response.

Thanks
Krishna

________________________________
ATTENTION: This e-mail may contain confidential information that is intended 
solely for the addressee. If you are not the intended recipient, you should 
delete this message and are hereby notified that any disclosure, copying, or 
distribution of this message, or the taking of any action based on it, is 
strictly prohibited.
________________________________
PRIVACY NOTICE: Your privacy is important for us at ICA Gruppen AB and its 
subsidiaries (ICA). We are transparent with how we collect and process any 
personal data that you share with us. More detailed information on how we 
process your personal data can be found at www.ica.se/dataskydd.
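A checker for the part of this set-up that is easiest to get wrong in nifi.properties, added here as an illustration; it is not code from the post above or from the NiFi project. It parses a node's nifi.properties and cross-checks the keys a TLS-enabled cluster node needs to agree on (https port set and http port blank, keystore and truststore fully specified, nifi.cluster.protocol.is.secure=true, a node address the other nodes can reach, site-to-site secured). The property names are the standard NiFi 1.x keys; the sample file, hostnames, ports and passwords are constructed placeholders. The check deliberately does not open the keystore or truststore, so the usual cause of a `certificate_unknown` alert on the cluster protocol port (the peer's truststore not containing the chain that issued the presented certificate, or the certificate not being issued for the hostname in nifi.cluster.node.address) still has to be verified with keytool or openssl on each node.

```python
"""Sanity-check the TLS and cluster settings in a NiFi node's nifi.properties.

Added example, not NiFi project code. It only parses the properties file and
cross-checks the keys a secured cluster node needs; it does not inspect the
keystore or truststore, so trust-chain problems behind a 'certificate_unknown'
alert still need keytool/openssl.
"""
from __future__ import annotations

from typing import Dict, List

# Constructed sample, trimmed to the keys this check looks at. Hostnames,
# ports and passwords are placeholders, not values from any real deployment.
SAMPLE_NIFI_PROPERTIES = """\
# web properties
nifi.web.http.host=
nifi.web.http.port=8080
nifi.web.https.host=node01
nifi.web.https.port=9443

# security properties
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=changeit
nifi.security.keyPasswd=changeit
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=changeit

# cluster node properties
nifi.cluster.is.node=true
nifi.cluster.node.address=node01
nifi.cluster.node.protocol.port=9081
nifi.cluster.protocol.is.secure=false
nifi.remote.input.secure=true
"""

STORE_TYPES = {"jks", "pkcs12", "bcfks"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_secure_node(props: Dict[str, str]) -> List[str]:
    """Return findings for a TLS-enabled cluster node; an empty list means consistent."""
    findings: List[str] = []
    get = lambda k: props.get(k, "")
    https_port = get("nifi.web.https.port")
    http_port = get("nifi.web.http.port")

    if not https_port:
        findings.append("nifi.web.https.port is blank: the UI and REST API are not served over TLS")
    elif http_port:
        findings.append("nifi.web.http.port must be blank when nifi.web.https.port is set "
                        "(NiFi serves exactly one of the two)")

    # Both stores need a path, a type and a password; keyPasswd defaults to keystorePasswd.
    for store in ("keystore", "truststore"):
        for suffix in ("", "Type", "Passwd"):
            key = f"nifi.security.{store}{suffix}"
            if not get(key):
                findings.append(f"{key} is blank")
        store_type = get(f"nifi.security.{store}Type").lower()
        if store_type and store_type not in STORE_TYPES:
            findings.append(f"nifi.security.{store}Type={store_type!r} is not one of {sorted(STORE_TYPES)}")

    if https_port and get("nifi.cluster.is.node").lower() == "true":
        if get("nifi.cluster.protocol.is.secure").lower() != "true":
            findings.append("nifi.cluster.protocol.is.secure must be true: otherwise the "
                            "node-to-coordinator protocol on nifi.cluster.node.protocol.port "
                            "is not TLS even though the UI is")
        if not get("nifi.cluster.node.address"):
            findings.append("nifi.cluster.node.address is blank: set the hostname other nodes "
                            "connect to (this node's certificate must be issued for it)")
        if not get("nifi.cluster.node.protocol.port"):
            findings.append("nifi.cluster.node.protocol.port is blank")

    if https_port and get("nifi.remote.input.secure").lower() != "true":
        findings.append("nifi.remote.input.secure should be true on a TLS-enabled node "
                        "so site-to-site traffic is protected as well")
    return findings


def harden(props: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the common slips corrected once an https port is configured."""
    fixed = dict(props)
    if fixed.get("nifi.web.https.port"):
        fixed["nifi.web.http.port"] = ""
        fixed["nifi.cluster.protocol.is.secure"] = "true"
        fixed["nifi.remote.input.secure"] = "true"
    return fixed


if __name__ == "__main__":
    props = parse_properties(SAMPLE_NIFI_PROPERTIES)
    for finding in check_secure_node(props):
        print("FINDING:", finding)
    print("after harden():", check_secure_node(harden(props)) or "no findings")
```

Run it against each node's conf/nifi.properties in turn; every node in the cluster must pass, since one node with nifi.cluster.protocol.is.secure=false will try to talk plaintext to a coordinator that only accepts TLS. When all nodes pass and the log still shows `certificate_unknown`, the problem is in the stores, not the properties: on the node that logs the alert, the truststore must contain the full issuing chain of the certificate the coordinator presents, and the coordinator's truststore must in turn contain the chain for this node's certificate, because the cluster protocol is mutually authenticated.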
