Facing issue in Site to Site Https Communication


Facing issue in Site to Site Https Communication

Nishant Gupta
Hi Team,

I am trying to set up site-to-site communication between 2 standalone NiFi
instances.
I am getting the error below:

2017-11-12 23:44:41,304 WARN [Remote Process Group
b1265abf-015f-1000-632e-e7939fbad38f: https://X.X.X.X:9443/nifi Thread-1]
o.a.n.remote.StandardRemoteProcessGroup Unable to connect to
RemoteProcessGroup[https://X.X.X.X:9443/nifi] due to
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Path does not chain with any
of the trust anchors.

I have generated the certificate using the command below and imported it in
the browser:

sudo bash ./tls-toolkit.sh standalone -n 'server-1,server-2' -C 'CN=demo,
OU=nifi' -O -o ../security_output

I am not able to figure out any solution on Google.

Can you please help me out?

Thanks and Regards,
Nishant Gupta

Re: Facing issue in Site to Site Https Communication

Pierre Villard
Hi,

Based on your error message, the problem is most likely with your
truststore configuration. What did you configure for HTTPS in your
nifi.properties configuration file?

Pierre


On 12 Nov 2017 at 19:38, "Nishant Gupta" <[hidden email]> wrote:

> Hi Team,
>
> I am trying to set up site-to-site communication between 2 standalone NiFi
> instances.
> I am getting the error below:
>
> 2017-11-12 23:44:41,304 WARN [Remote Process Group
> b1265abf-015f-1000-632e-e7939fbad38f: https://X.X.X.X:9443/nifi Thread-1]
> o.a.n.remote.StandardRemoteProcessGroup Unable to connect to
> RemoteProcessGroup[https://X.X.X.X:9443/nifi] due to
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: Path does not chain with any
> of the trust anchors.
>
> I have generated the certificate using the command below and imported it in
> the browser:
>
> sudo bash ./tls-toolkit.sh standalone -n 'server-1,server-2' -C 'CN=demo,
> OU=nifi' -O -o ../security_output
>
> I am not able to figure out any solution on Google.
>
> Can you please help me out?
>
> Thanks and Regards,
> Nishant Gupta

Re: Facing issue in Site to Site Https Communication

yi
Hi there,

Sticking my nose in, as I have the same issue!

Slightly different from Nishant, but here are my settings:

On the RPG instance side

# Site to Site properties
nifi.remote.input.host=
nifi.remote.input.secure=true
nifi.remote.input.socket.port=8899
nifi.remote.input.http.enabled=true
nifi.remote.input.http.transaction.ttl=30 sec

# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=localhost
nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200

On the "server" side
# Site to Site properties
nifi.remote.input.host=<server instance public IP>
nifi.remote.input.secure=true
nifi.remote.input.socket.port=8899
nifi.remote.input.http.enabled=false
nifi.remote.input.http.transaction.ttl=30 sec

# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=
nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200


----

Any guidance is appreciated!

Thank you



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: Facing issue in Site to Site Https Communication

Koji Kawamura-2
Hi,

If tls-toolkit was used to generate certificates, then there should be
server-1 and server-2 directories created, each containing
keystore.jks and truststore.jks.

```
sudo bash ./tls-toolkit.sh standalone -n 'server-1,server-2' -C 'CN=demo,
OU=nifi' -O -o ../security_output
```

Please check the following configurations in the nifi.properties file to see
if the generated keystore and truststore are specified correctly:

nifi.security.keystore
nifi.security.keystoreType
nifi.security.keystorePasswd
nifi.security.keyPasswd
nifi.security.truststore
nifi.security.truststoreType
nifi.security.truststorePasswd

Thanks,
Koji

On Thu, Feb 22, 2018 at 4:13 PM, yi <[hidden email]> wrote:

> Hi there,
>
> Sticking my nose in, as I have the same issue!
>
> Slightly different from Nishant, but here are my settings:
>
> On the RPG instance side
>
> # Site to Site properties
> nifi.remote.input.host=
> nifi.remote.input.secure=true
> nifi.remote.input.socket.port=8899
> nifi.remote.input.http.enabled=true
> nifi.remote.input.http.transaction.ttl=30 sec
>
> # web properties #
> nifi.web.war.directory=./lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.http.network.interface.default=
> nifi.web.https.host=localhost
> nifi.web.https.port=8443
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
>
> On the "server" side
> # Site to Site properties
> nifi.remote.input.host=<server instance public IP>
> nifi.remote.input.secure=true
> nifi.remote.input.socket.port=8899
> nifi.remote.input.http.enabled=false
> nifi.remote.input.http.transaction.ttl=30 sec
>
> # web properties #
> nifi.web.war.directory=./lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.http.network.interface.default=
> nifi.web.https.host=
> nifi.web.https.port=8443
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
>
>
> ----
>
> Any guidance is appreciated!
>
> Thank you
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: Facing issue in Site to Site Https Communication

yi
Hi Koji,

Thanks for the very quick response.

The toolkit does generate a nifi.properties file for each of the servers.

I've modified it slightly for things like port numbers, but the
keystore/truststore settings I am pretty confident about, as I have had
success with accessing the nifi UI. I imported the .p12 certificates that
the toolkit produced to my browser.

RPG side:

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=<ks password generated by toolkit>
nifi.security.keyPasswd=<key password generated by toolkit>
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=<ts password generated by toolkit>
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

"server" side:

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=<different ks password generated by toolkit>
nifi.security.keyPasswd=<different key password generated by toolkit>
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=<different ts password generated by toolkit>
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

Thank you




Re: Facing issue in Site to Site Https Communication

yi
Apologies, I should clarify that I still do not have communication working
site to site. Please assist. Thank you.




Re: Facing issue in Site to Site Https Communication

Koji Kawamura-2
Hi,

A common mistake with tls-toolkit is generating the keystore and
truststore for each node using a DIFFERENT NiFi CA cert.
If tls-toolkit standalone is executed against different output
directories, it may produce a different NiFi CA in each directory.

Please check that both the s2s client and server truststores have the same
NiFi CA cert.
To do so, use the keytool command:

```
keytool -list -keystore truststore.jks
nifi-cert, Feb 9, 2018, trustedCertEntry,
Certificate fingerprint (SHA1):
FE:0D:FE:0D:72:40:0A:7E:49:45:1B:78:D9:F5:F4:6E:A2:3C:92:E5
```

If that's not the case, then I'd recommend adding the
-Djavax.net.debug=all Java option to debug further.
You can add Java options from ${NIFI_HOME}/conf/bootstrap.conf.
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

Thanks,
Koji

On Fri, Feb 23, 2018 at 9:01 AM, yi <[hidden email]> wrote:
> Apologies, I should clarify that I still do not have communication working
> site to site. Please assist. Thank you.
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
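The two checks Koji describes, the nifi.properties keystore/truststore keys in his first reply and the keytool fingerprint comparison in his second, as an added Python example that is not part of the thread and not NiFi's own tooling. It parses constructed nifi.properties fragments and constructed `keytool -list` output (the client fingerprint is the one quoted above; the server fingerprint, the placeholder passwords and the empty server truststorePasswd are made up), reports required keys that are empty, and flags the case where the two truststores share no trusted CA, which is what produces "Path does not chain with any of the trust anchors". The property names are the ones listed in the thread.

```python
import re

REQUIRED_KEYS = (  # the nifi.properties keys Koji lists
    "nifi.security.keystore", "nifi.security.keystoreType", "nifi.security.keystorePasswd",
    "nifi.security.keyPasswd", "nifi.security.truststore", "nifi.security.truststoreType",
    "nifi.security.truststorePasswd")

# Constructed nifi.properties fragment (passwords are placeholders); the server
# copy is identical except that it leaves truststorePasswd empty.
CLIENT_PROPERTIES = """\
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=PLACEHOLDER-ks-pw
nifi.security.keyPasswd=PLACEHOLDER-key-pw
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=PLACEHOLDER-ts-pw
"""
SERVER_PROPERTIES = CLIENT_PROPERTIES.replace("=PLACEHOLDER-ts-pw", "=")

# Constructed `keytool -list` output. The client fingerprint is the one quoted in
# the thread; the server one is made up and differs, as when two tls-toolkit runs
# each mint their own NiFi CA. The second sample wraps the hash onto its own line,
# as Koji's mail does, and the parser accepts both layouts.
CLIENT_TRUSTSTORE_LIST = """\
Keystore type: JKS
Your keystore contains 1 entry

nifi-cert, Feb 9, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): FE:0D:FE:0D:72:40:0A:7E:49:45:1B:78:D9:F5:F4:6E:A2:3C:92:E5
"""
SERVER_TRUSTSTORE_LIST = """\
Your keystore contains 1 entry

nifi-cert, Feb 22, 2018, trustedCertEntry,
Certificate fingerprint (SHA1):
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*.+?,\s*(?P<kind>\w+),?\s*$")
FP_HEADER_RE = re.compile(r"Certificate fingerprint \(SHA-?\d+\):\s*(?P<fp>.*)$", re.I)
HEX_FP_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2})+$", re.I)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def missing_security_settings(props):
    """Required keys that are absent or empty."""
    return [k for k in REQUIRED_KEYS if not props.get(k)]


def parse_keytool_list(text):
    """Map alias -> (entry type, upper-case fingerprint) from keytool output."""
    entries, alias, kind, want_fp = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if want_fp and HEX_FP_RE.match(line):       # hash wrapped onto its own line
            entries[alias] = (kind, line.upper())
            alias, want_fp = None, False
        elif (m := ENTRY_RE.match(line)):           # "alias, date, entryType,"
            alias, kind, want_fp = m["alias"], m["kind"], False
        elif alias and (h := FP_HEADER_RE.search(line)):
            fp = h["fp"].strip()
            if HEX_FP_RE.match(fp):
                entries[alias] = (kind, fp.upper())
                alias = None
            else:
                want_fp = True                      # hash follows on the next line
    return entries


def shared_trust_anchors(list_a, list_b):
    """CA fingerprints present in both truststores. An empty set means the two
    nodes trust different NiFi CAs, which is exactly what yields
    'Path does not chain with any of the trust anchors'."""
    def cas(output):
        return {fp for kind, fp in parse_keytool_list(output).values()
                if kind.lower() == "trustedcertentry"}
    return cas(list_a) & cas(list_b)


def diagnose(client_props, server_props, client_list, server_list):
    """Findings for both nodes; an empty list means both checks passed."""
    problems = []
    for name, text in (("client", client_props), ("server", server_props)):
        for key in missing_security_settings(parse_properties(text)):
            problems.append(f"{name}: {key} is missing or empty in nifi.properties")
    if not shared_trust_anchors(client_list, server_list):
        problems.append("truststores share no trusted CA cert: generate both nodes "
                        "in a single tls-toolkit run, or import the same nifi-cert")
    return problems


if __name__ == "__main__":
    for problem in diagnose(CLIENT_PROPERTIES, SERVER_PROPERTIES,
                            CLIENT_TRUSTSTORE_LIST, SERVER_TRUSTSTORE_LIST):
        print("FINDING:", problem)
```

On real nodes, run Koji's `keytool -list -keystore truststore.jks` on each side, pass the two outputs and the two nifi.properties files to `diagnose`, and expect an empty list; a non-empty `shared_trust_anchors` result is the thing to confirm before reaching for `-Djavax.net.debug=all`.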