nifi-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nathan Gough (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NIFI-6561) Certificate compatibility broken for JDK8 build running on JRE11
Date Fri, 16 Aug 2019 22:07:00 GMT

    [ https://issues.apache.org/jira/browse/NIFI-6561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16909439#comment-16909439
] 

Nathan Gough commented on NIFI-6561:
------------------------------------

I found that this warning is not occurring every time Java is run. With some testing I found
that it also seemed to occur on JRE8 on the first boot after switching JAVA_HOMEs. On restart,
I found that the WARN did not occur the second time NiFi was running. Then I couldn't get
the warning to occur at all. Seems a bit sporadic so I'll need to do more testing.

> Certificate compatibility broken for JDK8 build running on JRE11
> ----------------------------------------------------------------
>
>                 Key: NIFI-6561
>                 URL: https://issues.apache.org/jira/browse/NIFI-6561
>             Project: Apache NiFi
>          Issue Type: Sub-task
>          Components: Security
>    Affects Versions: 1.10.0
>            Reporter: Nathan Gough
>            Priority: Major
>              Labels: Java11, certificate, tls
>
> When testing Java 11 build compatibility, I found an issue with TLS certificates when
using a remote process group looped back to an input port on the same cluster. The same certificates
were used for JDK8/JRE8, JDK8/JRE11, JDK11/JRE11 ie. they contained relevant SAN entries in
each case.
> *Building on JDK 1.8.0_172 and run on JRE11.0.5+10 caused exceptions when attempting
to send to local input port with RPG*:
> {code:java}
> 2019-08-13 18:17:07,946 WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector
Could not communicate with natog0.com:9551 to determine which nodes exist in the remote NiFi
cluster, due to javax.net.ssl.SSLPeerUnverifiedException: Certificate for <natog0.com>
doesn't match any of the subject alternative names: [natog1.com]
> 2019-08-13 18:17:07,946 WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector
org.apache.nifi.remote.client.PeerSelector@6d5e02f8 Unable to refresh Remote Group's peers
due to Unable to communicate with remote NiFi cluster in order to determine which nodes exist
in the remote cluster{code}
> But did not see this error on the matching builds (JDK8/JRE8, JDK11/JRE11).



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Mime
View raw message