
Securing NIFI with SSL Comodo Cert

I'm trying to secure our NIFI environment with SSL. I'm getting the following error:

This site can’t provide a secure connection <I.P> uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I got a Comodo certificate that I requested at my org and got approved. I have a .key as well, which was generated during the CSR. I imported the Comodo cert into the keystore. Then, I imported both the Comodo root cert and the .key into the truststore. NiFi version is 1.9.2.

nifi.properties:

nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=mypassword
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=mypassword
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

last few lines of the logs:

2019-07-12 02:29:55,877 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector@45e97963{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2019-07-12 02:29:55,877 INFO [main] org.eclipse.jetty.server.Server Started @28943ms
2019-07-12 02:29:55,906 INFO [main] org.apache.nifi.nar.NarAutoLoader Starting NAR Auto-Loader for directory ./extensions ...
2019-07-12 02:29:55,907 INFO [main] org.apache.nifi.nar.NarAutoLoader NAR Auto-Loader started
2019-07-12 02:29:55,907 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-07-12 02:29:55,907 INFO [main] org.apache.nifi.web.server.JettyServer https://<I.P>:8443/nifi
2019-07-12 02:29:55,907 INFO [main] org.apache.nifi.web.server.JettyServer https://127.0.0.1:8443/nifi
2019-07-12 02:29:55,909 INFO [main] org.apache.nifi.BootstrapListener Successfully initiated communication with Bootstrap
2019-07-12 02:29:55,909 INFO [main] org.apache.nifi.NiFi Controller initialization took 19369037824 nanoseconds (19 seconds).

Can you show the output of using the OpenSSL s_client tool to connect to the host? I'm assuming <IP> is a manual substitution for the actual host IP? Using this version of NiFi, the certificate must have valid SubjectAlternativeName entries for the hostname(s) and IP address(es) you wish to access the service using.

You also want to ensure that the keystore contains the public certificate and private key. The truststore should contain the public certificate and any CA certificates used to sign it (depending on your threshold for desired specificity on accepting incoming certificates for client certificate authentication).
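The SubjectAlternativeName check the answer asks for, as an added example that is not from the post or from NiFi: it parses the block that `openssl x509 -noout -ext subjectAltName` prints and reports whether the host or IP literal in the NiFi URL is actually covered. The sample SAN text is constructed; the host name, port 8443 and the presence of OpenSSL 1.1.1+ on the path are assumptions.

```python
import ipaddress
import re
import subprocess

# Constructed sample: what `openssl x509 -noout -ext subjectAltName` prints for a
# certificate carrying one hostname, one wildcard and one IP entry.
SAMPLE_SAN = (
    "X509v3 Subject Alternative Name: \n"
    "    DNS:nifi.example.com, DNS:*.example.com, IP Address:10.0.0.5\n"
)

SAN_RE = re.compile(r"(DNS|IP Address):\s*([^,\s]+)")


def parse_san(san_text):
    """Return (kind, value) pairs from openssl's subjectAltName output."""
    return SAN_RE.findall(san_text)


def _dns_match(pattern, host):
    """Hostname match: case-insensitive, wildcard only as the whole left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_covers(san_text, target):
    """True if the SAN covers `target`. An IP literal in the URL is matched only
    against 'IP Address' entries, a hostname only against 'DNS' entries."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in parse_san(san_text):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False


def fetch_san(host, port=8443):
    """Fetch the live server certificate's SAN with openssl; '' if the handshake fails."""
    hello = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                            "-servername", host], input=b"", capture_output=True, timeout=15)
    cert = subprocess.run(["openssl", "x509", "-noout", "-ext", "subjectAltName"],
                          input=hello.stdout, capture_output=True)
    return cert.stdout.decode(errors="replace")
```

Run `san_covers(fetch_san("nifi.example.com"), "nifi.example.com")` against the real host; an empty result from `fetch_san` means the handshake itself failed, which is what the browser reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.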
