Hi James,

I would suggest you try to debug this using the openssl s_client command, 
something like this:

openssl s_client -connect <hostname>:<port> -debug -cert client.pem -key clientkey.pem -CAfile rootcert.pem

This should give you a lot of details, including information from the server 
that specifies which CAs it will accept for client certs.

Regards,

Isha
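
As an added example (not part of this thread), the following Python turns the check Isha describes into a small script: it parses the "Acceptable client certificate CA names" block that `openssl s_client` prints and compares it with the issuer of the client certificate as printed by `openssl x509 -noout -issuer`. The s_client excerpts and DN values are constructed samples; an empty or non-matching list is one reason a browser never shows a certificate prompt.

```python
# Added example (not from this thread): compare the CA names a server lists in
# its TLS CertificateRequest, as printed by `openssl s_client`, with the issuer
# of the client cert, as printed by `openssl x509 -noout -issuer`.
# Both s_client excerpts are constructed samples, not output from a real host.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
C = US, O = Example Org, CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
---
"""

# What s_client prints when the server sends no CA names at all (constructed).
SAMPLE_NO_CA_OUTPUT = """\
---
No client certificate CA names sent
---
"""

def normalize_dn(dn):
    """Parse a DN into ((attr, value), ...), accepting 'C = US, O = X',
    the legacy '/C=US/O=X' form, and an 'issuer=' prefix."""
    dn = dn.strip()
    if dn.startswith("issuer="):
        dn = dn[len("issuer="):]
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(",")
    pairs = (p.split("=", 1) for p in parts if "=" in p)
    return tuple((k.strip().upper(), v.strip()) for k, v in pairs)

def acceptable_ca_names(s_client_output):
    """Return the normalized DNs listed under 'Acceptable client certificate
    CA names'; an empty list means the server advertised none."""
    names, in_block = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_block = True
            continue
        if in_block and (line.startswith("---") or "=" not in line):
            break  # the DN list ends at the first non 'attr = value' line
        if in_block:
            names.append(normalize_dn(line))
    return names

def client_cert_matches(s_client_output, client_issuer_dn):
    """Say whether a browser holding a cert issued by client_issuer_dn has
    anything to offer this server; an empty CA list explains a missing prompt."""
    cas = acceptable_ca_names(s_client_output)
    if not cas:
        return False, "server advertised no CA names; the browser has nothing to match"
    if normalize_dn(client_issuer_dn) in cas:
        return True, "client certificate issuer is in the server's acceptable CA list"
    return False, "client certificate issuer is not among the advertised CAs"
```

Feed it the captured output of the s_client command above and the `issuer=` line from `openssl x509 -in client.pem -noout -issuer`; the DN comparison is order-sensitive, which matches how the two OpenSSL commands print the same name.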


From: James McMahon <jsmcmah...@gmail.com>
Sent: Friday, 19 April 2024 01:17
To: users <users@nifi.apache.org>
Subject: Re: Unable to securely connect to NiFi 2.0 instance

I started from scratch. Got nifi to start, no errors at all in my nifi-app.log. 
Configured the client certs in my Chrome browser, also added cacert.pem to my 
Root Trusted CAs.
Tried to hit https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi, and 
continue to get rejected with this message from the browser:

This site can't provide a secure connection
ec2-44-219-227-80.compute-1.amazonaws.com didn't accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

I never get prompted to select a client cert.

Anyone have any thoughts - fixing, debugging, anything?

On Wed, Apr 17, 2024 at 8:44 PM James McMahon <jsmcmah...@gmail.com> wrote:
I have installed and configured NiFi 2.0 with TLS. My nifi 2.0 instance appears 
to start without errors, judging by the contents of nifi-app.log.

When I try to access my nifi instance through its https setting in 
nifi.properties, I get this error in my browser:

This site can't provide a secure connection
ec2-44-219-227-80.compute-1.amazonaws.com didn't accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

Normally I would expect to be prompted to select admin's login cert from the 
list of trusted certs. But I am not getting prompted - it just throws the error.

I had employed tinycert.org to generate my cacert.pem, my 
server cert and private key, and a client cert and private key for my admin 
user.

This is how I brought the server private key and cert into my keystore:
openssl pkcs12 -export -out keystore.p12 -inkey ec2-44-219-227-80-key.pem -in ec2-44-219-227-80.pem -certfile cacert.pem

This is how I imported my cacert into the nifi truststore with java keytool:
keytool -import -alias "CACert" -file cacert.pem -keystore truststore.jks -storepass <truststore password>

This is how I converted my client cert and key, which I then added to my 
browser cert store:
openssl pkcs12 -export -out admin.p12 -inkey admin-key.pem -in admin.pem -certfile cacert.pem

I have configured the cacert in my nifi truststore.jks. I have the server cert 
and private key in my keystore.p12. (I had read that jks for one and p12 for 
the other is not an issue).

I have installed the cert and private key for user admin in my Chrome browser. 
I also installed the cacert.pem CA in my browser trusted root store.

Here are my keystore, truststore, and https params in nifi.properties:
nifi.web.https.host=ec2-44-219-227-80.compute-1.amazonaws.com
nifi.web.https.port=8443
...
nifi.security.keystore=/opt/nifi/config_resources/keys/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=<.....>
nifi.security.keyPasswd=<.....>
nifi.security.truststore=/opt/nifi/config_resources/keys/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=<truststore pwd>

My authorizers.xml file is configured like this:
<?xml version='1.0' encoding='UTF-8'?>
<authorizers>
  <!--  -->
  <!--   <userGroupProvider/> -->
  <!--  -->
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">/opt/nifi/config_resources/users.xml</property>
    <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
    <property name="Authorizations File">/opt/nifi/config_resources/authorizations.xml</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>

My Security Group on my ec2 instance has a rule to permit 8443 for my IP 
address.

What have I overlooked? Thanks in advance for any help.

