I have installed and configured NiFi 2.0 with TLS. My NiFi 2.0 instance
appears to start without errors, judging by the contents of nifi-app.log.

When I try to access my nifi instance through its https setting in
nifi.properties, I get this error in my browser:

This site can’t provide a secure connection
ec2-44-219-227-80.compute-1.amazonaws.com didn’t accept your login
certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

Normally I would expect to be prompted to select admin's login cert from
the list of trusted certs. But I am not getting prompted - it just throws
the error.

I had employed tinycert.org to generate my cacert.pem, my server cert and
private key, and a client cert and private key for my admin user.

This is how I brought the server private key and cert into my keystore:
openssl pkcs12 -export -out keystore.p12 -inkey ec2-44-219-227-80-key.pem \
  -in ec2-44-219-227-80.pem -certfile cacert.pem

This is how I imported my cacert into the nifi truststore with java keytool:
keytool -import -alias "CACert" -file cacert.pem -keystore truststore.jks \
  -storepass <truststore password>

This is how I converted my client cert and key, which I then added to my
browser cert store:
openssl pkcs12 -export -out admin.p12 -inkey admin-key.pem -in admin.pem \
  -certfile cacert.pem

I have configured the cacert in my nifi truststore.jks. I have the server
cert and private key in my keystore.p12. (I had read that jks for one and
p12 for the other is not an issue).

I have installed the cert and private key for user admin in my Chrome
browser. I also installed the cacert.pem CA in my browser trusted root
store.

Here are my keystore, truststore, and https params in nifi.properties:
nifi.web.https.host=ec2-44-219-227-80.compute-1.amazonaws.com
nifi.web.https.port=8443
...
nifi.security.keystore=/opt/nifi/config_resources/keys/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=<.....>
nifi.security.keyPasswd=<.....>
nifi.security.truststore=/opt/nifi/config_resources/keys/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=<truststore pwd>

My authorizers.xml file is configured like this:
<?xml version='1.0' encoding='UTF-8'?>
<authorizers>
  <!--  -->
  <!--   <userGroupProvider/> -->
  <!--  -->
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">/opt/nifi/config_resources/users.xml</property>
    <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
    <property name="Authorizations File">/opt/nifi/config_resources/authorizations.xml</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>

My Security Group on my ec2 instance has a rule to permit 8443 for my IP
address.

What have I overlooked? Thanks in advance for any help.
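The following script is an added example, not part of the post above and not NiFi's own tooling. It reproduces the post's packaging steps with a throwaway CA (all names, subjects and the password `changeit` are constructed for the demo; the real post uses a tinycert.org CA and an EC2 hostname) and then runs the three offline checks a practitioner would want before touching the browser: that the client certificate actually chains to the CA in the server's truststore (the browser only offers a client certificate when it has one issued by a CA the server advertises), that `-certfile` really put the CA alongside the server certificate in keystore.p12, and what the client's subject looks like in RFC 2253 form so it can be compared with the `Initial Admin Identity` in authorizers.xml. The assumed helper names `issue_cert`, `check_chain`, `p12_cert_count` and `client_dn` exist only in this example.

```shell
#!/bin/sh
# Added example (not from the post): rebuild the post's TLS material with a
# constructed CA and verify the trust relationships offline.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Constructed throwaway CA, standing in for the tinycert.org cacert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/O=Example/CN=Test CA" -keyout ca-key.pem -out cacert.pem 2>/dev/null

# issue_cert NAME SUBJECT: private key plus CA-signed certificate, the same
# two artifacts the post has for the server and for the admin user.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1-key.pem" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA cacert.pem -CAkey ca-key.pem \
    -CAcreateserial -days 2 -out "$1.pem" 2>/dev/null
}
# RDN order matters for the identity string: OU first, then CN, so the
# RFC 2253 rendering comes out as CN=admin,OU=NIFI.
issue_cert server "/OU=NIFI/CN=nifi.example.test"
issue_cert admin  "/OU=NIFI/CN=admin"

# Package exactly as the post does, with the export password given
# non-interactively so the script runs unattended.
openssl pkcs12 -export -out keystore.p12 -inkey server-key.pem \
  -in server.pem -certfile cacert.pem -passout pass:changeit
openssl pkcs12 -export -out admin.p12 -inkey admin-key.pem \
  -in admin.pem -certfile cacert.pem -passout pass:changeit

# check_chain CERT CA: succeeds only if CERT was issued under CA. Run this
# with the client cert and the CA that sits in the server's truststore.
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# p12_cert_count P12: number of certificates bundled in a PKCS#12 file.
# With -certfile the server keystore should hold 2 (leaf + CA).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# client_dn CERT: subject in RFC 2253 form, the shape to compare (spacing
# aside) against Initial Admin Identity / Initial User Identity 1.
client_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

echo "admin.pem chains to cacert.pem: $(check_chain admin.pem cacert.pem && echo yes || echo no)"
echo "certificates in keystore.p12:   $(p12_cert_count keystore.p12)"
echo "client identity (RFC 2253):     $(client_dn admin.pem)"
echo "work directory left for inspection: $WORK"
```

If `check_chain` fails for the real admin.pem against the real cacert.pem, the browser has no certificate matching the CA the server requests and will not prompt; if it succeeds, the remaining places to look are the CA actually loaded into truststore.jks and the identity string NiFi derives from the certificate subject.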
