From: Marc
Date: Fri, 9 Feb 2018 17:49:34 -0500
Subject: Re: Trouble with setting up SSL connecting MiNiFi to NiFi
To: dev@nifi.apache.org

Jonah,

Sorry for the double reply. https://issues.apache.org/jira/browse/MINIFICPP-396 is the ticket corresponding to that PR. It may address your issue depending on whether or not you are currently using the Context service to configure the RPG. It may also address another issue preventing proper setup, but the CA trust issue is likely not addressed with the PR I sent a few minutes ago.

Thanks,
Marc

On Fri, Feb 9, 2018 at 5:44 PM, Marc wrote:

> Jonah,
>
> There is a pull request to address some of the configuration of these
> objects since there were two routes to configure it (Context Service and
> minifi.properties): https://github.com/apache/nifi-minifi-cpp/pull/263;
> however, I'm not sure this is your issue since the curl_easy_perform implies
> that the peer certificate cannot be authenticated -- "Peer certificate
> cannot be authenticated with given CA certificates"
>
> Are you setting an SSL context service? Does the CA certificate path
> contain the entire trust chain?
>
> Thanks,
> Marc
>
> On Fri, Feb 9, 2018 at 5:20 PM, Jonah Husson wrote:
>
>> Hey All,
>>
>> Figured I'd shoot off an email before looking into issue reporting, in case
>> this is a product of my own stupidity rather than an actual bug.
>>
>> I'm trying to get MiNiFi communicating with a NiFi cluster on an internal
>> network running with SSL. I'm able to connect to NiFi from a web browser
>> after importing the correct certificates, but attempting to actually
>> transfer a file with minifi produces the following result:
>>
>> [2018-02-09 15:45:55.136] [main] [info] MiNiFi started
>> [2018-02-09 15:45:57.923] [org::apache::nifi::minifi::processors::GetFile] [info] GetFile process /home/jonah/optimus/data/dynamic/ready_logs/testcopy2.txt
>> [2018-02-09 15:45:58.339] [org::apache::nifi::minifi::utils::HTTPClient] [debug] Setting callback for
>> [2018-02-09 15:45:58.401] [org::apache::nifi::minifi::core::ProcessSession] [info] Transferring 3b086abc-0dda-11e8-ab09-c85b769e9522 from GetFile to relationship success
>> [2018-02-09 15:45:58.438] [org::apache::nifi::minifi::RemoteProcessorGroupPort] [debug] Refreshing the peer list since there are none configured.
>> [2018-02-09 15:45:58.439] [org::apache::nifi::minifi::utils::HTTPClient] [debug] https://rs0.internal.optimusride.com:9093/nifi-api/site-to-site is a secure url
>> [2018-02-09 15:45:58.439] [org::apache::nifi::minifi::utils::HTTPClient] [debug] Submitting to https://rs0.internal.optimusride.com:9093/nifi-api/site-to-site
>> [2018-02-09 15:45:58.553] [org::apache::nifi::minifi::utils::HTTPClient] [error] curl_easy_perform() failed Peer certificate cannot be authenticated with given CA certificates
>>
>> [2018-02-09 15:45:58.553] [org::apache::nifi::minifi::RemoteProcessorGroupPort] [error] ProcessGroup::refreshRemoteSite2SiteInfo -- curl_easy_perform() failed
>>
>> [2018-02-09 15:45:58.553] [org::apache::nifi::minifi::RemoteProcessorGroupPort] [debug] Obtained protocol from available_protocols_
>> [2018-02-09 15:45:58.553] [org::apache::nifi::minifi::RemoteProcessorGroupPort] [info] no protocol, yielding
>> [2018-02-09 15:46:01.541] [org::apache::nifi::minifi::utils::HTTPClient] [debug] Setting callback for
>> [2018-02-09 15:46:02.701] [org::apache::nifi::minifi::FlowController] [info] Stop Flow Controller
>> [2018-02-09 15:46:04.748] [org::apache::nifi::minifi::utils::HTTPClient] [debug] Setting callback for
>> [2018-02-09 15:46:05.137] [org::apache::nifi::minifi::FlowController] [info] Unload Flow Controller
>> [2018-02-09 15:46:05.137] [main] [info] MiNiFi exit
>>
>> I'm not entirely sure what I'm doing wrong here, I'm fairly sure my
>> certificate setup is fine. NiFi's keystore has a cert/private key signed
>> by a CA I self-signed and created locally, its truststore has the public
>> key that corresponds to the client certificate and private key on MiNiFi,
>> and MiNiFi has the certificate used to sign the one in NiFi's keystore.
>>
>> The best guess I have stems from the fact that the log message is a
>> secure url occurs, but the message that configure_secure_connection(CURL
>> *http_session) should play if it runs doesn't come up, which leads me to
>> believe that ssl_context_service_ isn't initialized properly for some
>> reason (see line 129 in /extensions/http-curl/HTTPClient.cpp, only place I
>> see either of those methods called).
>>
>> Let me know if you have any insight on this, frankly I haven't found much
>> documentation on the SSL setup for MiNiFi at all, so it's totally possible
>> I did something horribly wrong there. I'd also be happy to make a bug
>> report if y'all think this warrants one.
>>
>> Best,
>> Jonah.
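
The question raised in the thread, whether the CA certificate file contains the entire trust chain, can be checked offline with `openssl verify`. The script below is an added example, not part of the thread or of MiNiFi: it goes one step beyond the single self-signed CA described above by building a constructed root, intermediate and server certificate (all names hypothetical) and showing that verification succeeds only when the CA file holds both the root and the intermediate.

```shell
#!/bin/sh
# Constructed, throwaway PKI: Demo Root CA -> Demo Intermediate CA -> server cert.
# All names are hypothetical; nothing here is taken from the hosts in the thread.

# new_csr DIR NAME CN: create DIR/NAME.key and DIR/NAME.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_demo_pki DIR: write root.pem, inter.pem and server.pem into DIR
build_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d" root "Demo Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    new_csr "$d" inter "Demo Intermediate CA"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    new_csr "$d" server "nifi.example.internal"
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# check_chain CAFILE CERT: print "ok" if a complete chain for CERT can be built
# and verified from the certificates in CAFILE alone, otherwise "fail".
check_chain() {
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
cat "$demo_dir/root.pem" "$demo_dir/inter.pem" > "$demo_dir/chain.pem"
echo "CA file = root only:           $(check_chain "$demo_dir/root.pem" "$demo_dir/server.pem")"
echo "CA file = intermediate only:   $(check_chain "$demo_dir/inter.pem" "$demo_dir/server.pem")"
echo "CA file = root + intermediate: $(check_chain "$demo_dir/chain.pem" "$demo_dir/server.pem")"
rm -rf "$demo_dir"
```

To test a real deployment, run the same `openssl verify -no-CApath -CAfile` command with the CA file given to the client and the certificate the server presents.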