
I have an instance of secure NiFi Registry in Docker. I can access its UI, but I can't access it through the NiFi instance. After adding the registry URL in the registry client section and trying to access its buckets, I see this error:

Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 172.17.0.5 found

172.17.0.5 is the NiFi Registry IP address in the Docker network.

I added a user with full permissions to NiFi Registry with this DN: `CN=localhost, OU=nifi`, as described in this tutorial: Setting Up a Secure Apache NiFi Registry

This is the command I use to run the container:

```bash
# NiFi
docker run --name nifi -v $(pwd):/opt/certs -p 8443:8443 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD='Ey0btN5duTeyBv1sVuy+1twPpYNgeoox47iwLwSSx5U' \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD='dSjZjfFQDVNG/p6U6ad7n90dZxd2EJK4W18JM02w9BM' \
-e TRUSTSTORE_TYPE=JKS -e INITIAL_ADMIN_IDENTITY='CN=AdminUser, OU=nifi' \
apache/nifi:latest

# NiFi Registry (trailing whitespace after the line-continuation backslashes removed,
# otherwise the shell would not continue the command onto the next line)
docker run --name nifi-registry -v $(pwd):/opt/certs -p 18443:18443 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD='Ey0btN5duTeyBv1sVuy+1twPpYNgeoox47iwLwSSx5U' \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD='dSjZjfFQDVNG/p6U6ad7n90dZxd2EJK4W18JM02w9BM' \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='CN=AdminUser, OU=nifi' \
apache/nifi-registry:latest
```

and this is the toolkit command:

```bash
./tls-toolkit.sh standalone -n 'localhost' -C 'CN=AdminUser, OU=nifi' -o './target'
```

How can I access the secure registry through a NiFi instance?

David Medinets
Behrouz Seyedi
  • Do NiFi and Registry use the same set of keystore files? – Lamanus Sep 12 '19 at 01:17
  • Are you using docker-compose? Show us the configuration. – DarkLeafyGreen Sep 12 '19 at 06:17
  • I recommend taking a look at this video: [Setting Up a Secure NiFi to Integrate with a Secure NiFi Registry](https://www.youtube.com/watch?v=DSO12fhnZ90). When generating certificates for NiFi and NiFI Registry, take care to set a Subject Alternative Name (SAN) that will match the hostname or IP address that the client (e.g., NiFi) will use to access the server (e.g., NiFi Registry). If both are running in containers on a Docker network, this might be a different hostname than what you use to access these services via port mapping – kevdoran Sep 12 '19 at 11:35
  • yes @Lamanus, they are using the same keystore files. – Behrouz Seyedi Sep 12 '19 at 13:49
  • Thanks @kevdoran for your reply. I ran the toolkit with this command, but I have the same problem: `./tls-toolkit.sh standalone -C 'CN=AdminUser, OU=nifi' --subjectAlternativeNames 172.17.0.4,172.17.0.5 -o './target'`, in which the IP addresses are those of NiFi and NiFi Registry in the Docker network. – Behrouz Seyedi Sep 12 '19 at 14:01
  • I'm not using docker compose. @Upvote – Behrouz Seyedi Sep 12 '19 at 14:03
  • Alternative names and the domain name should not be an IP address but a hostname. NiFi does not recommend using IP-based certificates. Try to use whatever hostname you set on the server, and modify your local hosts file as well. – Lamanus Sep 12 '19 at 14:20
  • @Lamanus you are right. It works if I run them with docker-compose and set the registry address in NiFi to something like `registry.nifi:18443`. Is there any way to access the secure NiFi Registry without a domain name? – Behrouz Seyedi Sep 12 '19 at 23:12
  • AFAIK that is the only way. There may be another, but I don't know. Sorry. – Lamanus Sep 12 '19 at 23:42

1 Answer

Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 172.17.0.5 found

It's been a while since I used the NiFi TLS Toolkit, but you generated a certificate with the name localhost and are now trying to make an SSL request to the container's IP address. A few things you need to do:

  1. Put both containers on the same network with hostnames that are known to each other. This is really easy to do with Docker Compose: just declare two containers and add a link in the registry one that points to the nifi container.
  2. Generate certificates for NiFi and the Registry that use their Docker hostnames. So if you call the registry "registry" and can ping it on the Docker network by that hostname, "CN=registry,OU=..." should suffice.
Mike Thomsen
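The handshake error in the question and the "use a hostname, not an IP" advice in the answer both come down to the client's hostname-verification rule: a Java client only accepts a URL host that is an IP literal if the server certificate carries a matching iPAddress SAN, and only accepts a DNS host if it carries a matching dNSName SAN; the CN alone (`CN=localhost`) does not help. The script below is an added example, not code from the question, the answer or the NiFi project. It reimplements that rule so you can check a certificate's SAN list against the address NiFi will actually dial before wiring up the registry client, and includes a probe that pulls the SAN list from a live endpoint with Python's standard `ssl` module. The constructed SAN lists in `demo()` mirror the page's scenario (a `localhost` cert dialled by IP, then a `registry.nifi` cert dialled by service name); the function and variable names are this example's own.

```python
"""
Check a URL host against a certificate's Subject Alternative Names, following the
matching rule a Java TLS client applies (RFC 6125 style): IP literals must match an
iPAddress entry exactly, hostnames must match a dNSName entry (single-label wildcard
allowed). The CN is deliberately not consulted. Added illustration, not NiFi code.
"""
import ipaddress
import socket
import ssl
from typing import Iterable, Tuple

# SAN entries in the shape ssl.SSLSocket.getpeercert()['subjectAltName'] returns:
# ("DNS", "registry.nifi") or ("IP Address", "172.17.0.5")
SanEntry = Tuple[str, str]


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; '*' may only be the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False  # '*foo.example' or a bare '*' are rejected
    host_head, _, host_tail = host.partition(".")
    return host_head != "" and host_tail == tail  # wildcard covers exactly one label


def check_san(sans: Iterable[SanEntry], target: str) -> Tuple[bool, str]:
    """Return (ok, reason) for dialling `target` against a cert with these SANs."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # An IP literal in the URL is only ever compared with iPAddress SANs.
        for san_type, value in sans:
            if san_type != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True, f"iPAddress SAN {value} matches {target}"
            except ValueError:
                continue
        # Same wording as the Java exception seen in the question.
        return False, f"No subject alternative names matching IP address {target} found"

    for san_type, value in sans:
        if san_type == "DNS" and _dns_match(value, target):
            return True, f"dNSName SAN {value} matches {target}"
    return False, f"No subject alternative DNS name matching {target} found"


def check_live_endpoint(host: str, port: int, cafile: str) -> Tuple[bool, str]:
    """Fetch the server certificate over TLS and run check_san against `host`.
    Only Python's own hostname check is switched off, so that a cert with the
    wrong SAN can still be retrieved and reported; chain validation against
    `cafile` (e.g. the exported NiFi CA) remains in force."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return check_san(cert.get("subjectAltName", ()), host)


def demo() -> dict:
    """Constructed SAN lists reproducing the situations discussed on the page."""
    localhost_cert = [("DNS", "localhost")]                 # what -n 'localhost' produced
    ip_cert = [("DNS", "localhost"), ("IP Address", "172.17.0.5")]
    compose_cert = [("DNS", "registry.nifi")]               # hostname-based, as recommended
    return {
        "localhost cert dialled by container IP": check_san(localhost_cert, "172.17.0.5"),
        "cert with iPAddress SAN dialled by IP": check_san(ip_cert, "172.17.0.5"),
        "compose cert dialled by service name": check_san(compose_cert, "registry.nifi"),
        "compose cert dialled by localhost": check_san(compose_cert, "localhost"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {case}: {reason}")
```

Run it as-is to see the first case fail with the exact message from the question; point `check_live_endpoint("registry.nifi", 18443, "nifi-cert.pem")` at the running container to test the real certificate. Note that the IP-based SAN does satisfy the matching rule, so the comment thread's preference for hostnames is a practice recommendation rather than a protocol requirement.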