ERR_BAD_SSL_CLIENT_AUTH_CERT error after configuring secure cluster


ERR_BAD_SSL_CLIENT_AUTH_CERT error after configuring secure cluster

nifi-san
Hello Experts,

I have secured my three-node NiFi cluster and followed the links below:-

https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/

https://pierrevillard.com/tag/tls-toolkit/

The only difference is that I used the toolkit standalone mode to generate
the required certs.

In spite of generating the client certificate with the below command, I see
the following error in my browser:-

"ERR_BAD_SSL_CLIENT_AUTH_CERT"

Below are the commands used to generate the certificates and keystores:-

tls-toolkit.sh standalone -n 'server10[1-3]xj.domain.com' -C 'CN=admin, OU=NIFIORG' -o.

Client Cert:-

tls-toolkit.sh standalone -n 'server101.domain.com' -C 'CN=admin, OU=NIFIORG' -o.

Tried generating the client certificate using "localhost" as well instead of
"server101.domain.com" but that did not help either.

The cluster has come up successfully and is listening on the SSL port. Also, the
users.xml and authorizations.xml have been populated properly with the
initial Admin, which is "CN=admin, OU=NIFIORG".

I imported the cert created in p12 format into the browser, but every time I
try to access the UI, I get the same error.

Tried regenerating the certs for all the nodes and created a fresh new
client cert as well but that did not help.

I could not see any error in the logs but at the same time there was no
authentication request in the user logs for the user "CN=admin, OU=NIFIORG".

Appreciate any pointers on how to resolve this issue.





--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/ERR-BAD-SSL-CLIENT-AUTH-CERT-error-after-configuring-secure-cluster-tp16538.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.

Re: ERR_BAD_SSL_CLIENT_AUTH_CERT error after configuring secure cluster

Bryan Bende
Hello,

I think you should only make one call to the toolkit which should
generate a CA, the server certs, and the client cert all at the same
time. The -C flag is for the client cert which you already had on the
first call so I think it generated it already.

By running it twice like above, the first time it is generating a CA and
server certs for servers 101-103; the second time it's generating a new
CA, a server cert for server101, and a client cert, so now you are
using a client cert that was generated from a different CA than the
server certs.

-Bryan



On Mon, Jul 31, 2017 at 1:02 PM, nifi-san <[hidden email]> wrote:

Re: ERR_BAD_SSL_CLIENT_AUTH_CERT error after configuring secure cluster

Andy LoPresto-2
Hi,

As Bryan said, you only need to run the command once. However, if it is run from the same directory multiple times, and the nifi-key.key and nifi-cert.pem files that are generated the first time are not removed between runs, it will use the same CA key to sign all the generated certificates, so this should not be an issue. 

I do notice that in your first invocation, the hostname value is “server10[1-3]xj.domain.com” while in the second invocation, the letters “xj” are not there. Please check to ensure that the hostname is consistent with what you expect. 

To diagnose the browser error, please check the following information:

* Browser name and version 
* If Google Chrome 58+, the hostname MUST be present in the SAN (SubjectAlternativeName) list, or this error will be returned. To do this, in your toolkit command, add `--subjectAlternativeNames 'server101.domain.com'`. There is an open Jira to enable this by default in the next version of the toolkit. Another wrinkle is that the SAN parsing does not currently support the regex handling that the hostname parser does, so you will have to run each command separately, matching the hostname and SAN, unless you want every certificate to have the same SAN entries and enumerate all of them there.
* Did you import the CA certificate into your OS/browser truststore?

If you can also provide the logs/nifi-app.log and logs/nifi-user.log files, these are very helpful in diagnosing authentication issues. 

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 31, 2017, at 10:13 AM, Bryan Bende <[hidden email]> wrote:
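
Added example (not from this thread or the NiFi toolkit): a POSIX sh diagnostic, built on openssl, that checks the two failure modes Bryan and Andy describe, a browser client cert signed by a different CA than the cluster's server certs, and a server cert whose SAN does not list the hostname. It assumes openssl is on PATH and that the CA (nifi-cert.pem from the toolkit) and the leaf certs have been exported to PEM; make_demo_pki builds a constructed throwaway PKI so the script runs offline.

```shell
# check_client_cert CA_PEM SERVER_PEM CLIENT_PEM HOSTNAME
# Returns 0 only if both leaf certs chain to CA_PEM and the server cert's
# SubjectAlternativeName lists HOSTNAME; otherwise prints the reason, returns 1.
check_client_cert() {
  ca=$1; server=$2; client=$3; host=$4
  openssl verify -CAfile "$ca" "$server" >/dev/null 2>&1 ||
    { echo "server cert does not chain to $ca"; return 1; }
  openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1 ||
    { echo "client cert was signed by a different CA than $ca"; return 1; }
  openssl x509 -in "$server" -noout -text | grep -q "DNS:$host" ||
    { echo "server cert has no SAN entry for $host (Chrome 58+ rejects it)"; return 1; }
  echo "ok: client and server certs share $ca and SAN covers $host"
}

# issue_cert DIR CA_NAME LEAF_NAME SUBJECT [SAN_HOST]: sign a constructed leaf
# cert with the named CA (assumed file layout DIR/CA_NAME.pem and .key);
# the SAN extension is added only when a host is given.
issue_cert() {
  d=$1; ca=$2; leaf=$3; subj=$4; san=$5
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/$leaf.key" -out "$d/$leaf.csr" >/dev/null 2>&1
  ext=""
  if [ -n "$san" ]; then
    printf 'subjectAltName=DNS:%s\n' "$san" > "$d/$leaf.ext"
    ext="-extfile $d/$leaf.ext"
  fi
  openssl x509 -req -days 1 -in "$d/$leaf.csr" -CA "$d/$ca.pem" \
    -CAkey "$d/$ca.key" -CAcreateserial $ext -out "$d/$leaf.pem" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed PKI mirroring the thread. CA "run1" signs the
# server cert and an admin client cert (a single toolkit run); CA "run2"
# signs a second admin cert, which is what the second toolkit invocation did.
make_demo_pki() {
  d=$1; mkdir -p "$d"
  for ca in run1 run2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" >/dev/null 2>&1
  done
  issue_cert "$d" run1 server101 "/CN=server101.domain.com" server101.domain.com
  issue_cert "$d" run1 admin-run1 "/OU=NIFIORG/CN=admin"
  issue_cert "$d" run2 admin-run2 "/OU=NIFIORG/CN=admin"
  issue_cert "$d" run1 server101-nosan "/CN=server101.domain.com"
}
```

Against real toolkit output, point CA_PEM at nifi-cert.pem and pass the server and admin leaf certs exported from their keystore/p12 files; the second check is the one that fails in the setup described above.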

Re: ERR_BAD_SSL_CLIENT_AUTH_CERT error after configuring secure cluster

nifi-san
Thanks Bryan and Andy for the advice.

As Bryan mentioned, the issue was with running the toolkit command multiple
times.

I ran it freshly with all the host names at once and it works fine.





--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/ERR-BAD-SSL-CLIENT-AUTH-CERT-error-after-configuring-secure-cluster-tp16538p16559.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.