From: Josefz
Date: Fri, 20 Jul 2018 12:51:40 -0700 (MST)
To: dev@nifi.apache.org
Subject: Re: SSLPeerUnverifiedException Hostname "xyz" not verified

@Andy LoPresto I fully understand what you wrote regarding certs in the admin guide; however, as you already mentioned, from my point of view this certificate stuff is really a pain. We lost multiple days getting it running together with LDAP, just because of the complexity of the whole configuration. And after the upgrade to 1.7.0 we again had issues because of certs and the bug...

Let me explain why we use wildcard certs. We have to use our company CA, and we have to manually insert the CSR on a website (with some additional parameters) to get the certificate signed. If we have to do that for 20 nodes or even more, this would be a huge amount of work. Additionally, the network where the NiFi nodes are is a subnet secured by a firewall, so it's not possible to connect from outside through the cluster port. If an attacker were inside the subnet and able to create a NiFi node that can join the cluster (with the certificate and the password for the keystore), then we would have bigger problems anyway. But yes, of course, wildcard certs are less secure.

*Two questions for you:*

1. We already used the wildcard certs in NiFi 1.5.0 in our lab; however, we would like to go live with 1.7.1 now. If we haven't seen any issues on NiFi 1.5.0 with the wildcard certs, how likely would it be that we see some issues on 1.7.1?

2. Somewhere I've read that in an optimal world (e.g. with the NiFi TLS Toolkit) we should have a cert with a unique DN and also use the same DN for the SAN per node. Would it be ok to have the following?

3-node cluster environment: nifi-node-1, nifi-node-2, nifi-node-3

One keystore certificate for all NiFi nodes with the following attributes:
-> DN "CN=NiFi Apache"
-> SAN = nifi-node-1, nifi-node-2, nifi-node-3

The background is the following: we are planning a load balancer in front of the NiFi web GUI, and I don't see any solution to get the whole thing working without the procedure above. Today we use a wildcard, and with that we are good to go. But as you already mentioned multiple times that wildcards are not supported, we are looking for some alternatives.

Thanks in advance
Josef

--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
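As an added example (not from Josef's post and not NiFi project code), the following RFC 6125-style hostname check shows why a verifier accepts the proposed single certificate for each node name listed in its SAN while the CN "NiFi Apache" alone would never match, and how a wildcard entry is matched. The certificate dictionaries are constructed here in the shape Python's `ssl.getpeercert()` returns; the domain `example.internal` is an assumption.

```python
"""RFC 6125-style hostname verification for the certificate layouts in the thread.

Certificates below are constructed for this example in the dict shape that
Python's ssl.getpeercert() returns; they are not real NiFi node certificates.
"""


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must be the entire left-most label, cover exactly one label,
    # and leave at least two literal labels to the right of it.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """True if the hostname is covered by the cert; CN is used only without dNSName SANs."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_match_dns_name(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return _match_dns_name(value, hostname)
    return False


def check_cluster(cert: dict, hostnames: list) -> dict:
    """Map each name a client might connect to onto its verification result."""
    return {h: verify_hostname(cert, h) for h in hostnames}


# Constructed: the single certificate proposed in the post (one CN, one SAN per node).
CLUSTER_CERT = {
    "subject": ((("commonName", "NiFi Apache"),),),
    "subjectAltName": (("DNS", "nifi-node-1"), ("DNS", "nifi-node-2"), ("DNS", "nifi-node-3")),
}

# Constructed: a wildcard certificate for the hypothetical domain example.internal.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.internal"),),),
    "subjectAltName": (("DNS", "*.example.internal"),),
}
```

Any name a client actually connects to, such as a load balancer's hostname in front of the web UI, has to appear in the SAN list the same way, or the check fails for it exactly as it does for a node name that was left out.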