From: Andre
Date: Fri, 21 Apr 2017 10:38:35 +1000
Subject: Re: NiFi Cluster on Docker (Kubernetes) - HTTPS issues
To: dev@nifi.apache.org

Johny,

Tell me more... tell me more... have you ensured the cluster cross communication has been set to https?

I remember seeing something like that in the summer days when I partially set up the cluster nodes to use TLS (forgetting to do the whole job).

Can you confirm the settings for:

nifi.cluster.protocol.is.secure
nifi.remote.input.secure
nifi.web.https.port

Can you also confirm you are using wildcard certificates (or alternate subject names) and the following are set to the correct hostnames?

nifi.web.https.host
nifi.remote.input.host

Also, can you confirm the cluster is effectively up and running? Do you see mentions of heartbeats being made in nifi-app.log?

Cheers

On 20 Apr 2017 23:20, "Johny Travolta" wrote:

> Hey guys,
>
> Thanks for a great product. However, to set NiFi in fully automatic way is
> a bit tricky.
> For sure the tricky part is authentication to NiFi Cluster itself (why You
> guys forced 1st user authentication with certificate?
> That's a huge issue here :) )
>
> Basically, I have created a Docker image, and I can deploy NiFi Cluster in
> automated way.
> However, we need authentication, so we must use HTTPS.
> Now, I am thinking that the problem is that all my instances are created
> the same way (from same docker image), with same Root certificate and same
> keys...
>
> My user can login successfully to NiFi via HTTPS, however what I see after
> is the error message below. I am not able to do anything after this:
>
>
> I know that my certificate is good, because I can login (If I will go to
> /login page) this message is visible:
>
>
> And the logs say:
>
>     at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:802) ~[nifi-framework-cluster-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_121]
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_121]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_121]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_121]
>     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_121]
> Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
>     at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710) ~[na:1.8.0_121]
>     at sun.security.ssl.InputRecord.read(InputRecord.java:527) ~[na:1.8.0_121]
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[na:1.8.0_121]
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_121]
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_121]
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_121]
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[na:1.8.0_121]
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_121]
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546) ~[na:1.8.0_121]
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474) ~[na:1.8.0_121]
>     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[na:1.8.0_121]
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338) ~[na:1.8.0_121]
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:253) ~[jersey-client-1.19.jar:1.19]
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153) ~[jersey-client-1.19.jar:1.19]
>     ... 12 common frames omitted
>
> Thanks if You can give me a right direction to fix this!
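The checks requested in the reply above, written as an added example that is not part of the original thread or of NiFi itself: it audits each node's nifi.properties for the five properties named there and flags host values that are not covered by the certificate's subject alternative names or that are identical across nodes, as happens when every node is started from one image. The node names, hostnames and SAN list are constructed sample values.

```python
REQUIRED_TRUE = ("nifi.cluster.protocol.is.secure", "nifi.remote.input.secure")
HOST_KEYS = ("nifi.web.https.host", "nifi.remote.input.host")
def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def san_matches(host, sans):
    """True if host equals a SAN, or a '*.' SAN covers its single left-most label."""
    host = host.lower()
    parent = host.partition(".")[2]  # host minus its left-most label
    for san in (s.lower() for s in sans):
        if san == host or (san.startswith("*.") and parent and parent == san[2:]):
            return True
    return False

def audit_cluster(nodes, sans):
    """nodes: {node name: nifi.properties text}; sans: DNS names in the node certificate."""
    findings, seen = [], {}
    for name, text in sorted(nodes.items()):
        props = parse_properties(text)
        if not props.get("nifi.web.https.port"):
            findings.append((name, "nifi.web.https.port", "empty"))
        for key in REQUIRED_TRUE:
            if props.get(key, "").lower() != "true":
                findings.append((name, key, "not true"))
        for key in HOST_KEYS:
            host = props.get(key, "")
            if not host:
                findings.append((name, key, "empty"))
            elif not san_matches(host, sans):
                findings.append((name, key, "not covered by certificate SANs"))
            elif (key, host) in seen:
                findings.append((name, key, "same value as " + seen[(key, host)]))
            else:
                seen[(key, host)] = name
    return findings

# Constructed sample: nifi-1 still carries the values baked into the shared image.
GOOD = ("nifi.web.https.host=nifi-0.nifi.example\nnifi.web.https.port=8443\n"
        "nifi.cluster.protocol.is.secure=true\nnifi.remote.input.secure=true\n"
        "nifi.remote.input.host=nifi-0.nifi.example\n")
SAMPLE_NODES = {"nifi-0": GOOD, "nifi-1": GOOD.replace("=true", "=false", 1)}
SAMPLE_SANS = ["*.nifi.example"]
```

Calling `audit_cluster(SAMPLE_NODES, SAMPLE_SANS)` returns one `(node, property, problem)` tuple per finding; an empty list means every node passed all of the checks.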