HTTP ERROR 400 Invalid SNI
URI: https://{your-custom-ip}:8443/nifi
STATUS: 400
MESSAGE: Invalid SNI
I encountered this error trying to deploy a fresh instance of Apache NiFi 2+ for my development environment. I wanted the environment to be accessible via a custom FQDN and/or a custom IP. However, this did not work with the truststore.p12 and keystore.p12 that are packaged with Apache NiFi 2+.
The certificate in the truststore.p12 and keystore.p12 that come packaged with Apache NiFi 2+ is bound strictly to localhost, so setting the nifi.web.https.host property to a custom IP or another FQDN will throw this error: the host the client asks for no longer matches the name the certificate was issued for.
In my case I primarily wanted to bind the NiFi instance to my server's private IP (VPN).
Solution (using keytool)
Simply generate a new truststore and keystore pair in PKCS12 format and replace the ones packaged with Apache NiFi 2+.
Back up your existing configuration files:
# In the config dir
mv nifi.properties nifi.properties.bak
mv truststore.p12 truststore.p12.bak
mv keystore.p12 keystore.p12.bak
Update your nifi.properties configuration, in my case:
nifi.web.https.host=10.3.0.1
nifi.web.https.port=8443
Generate a PKCS12 key pair:
# Run in the config dir; update the values for your case
keytool -genkeypair -alias nifi-cert -keyalg RSA -keysize 2048 -validity 365 \
  -keystore keystore.p12 -storetype PKCS12 \
  -dname "CN=10.3.0.1, OU=MyOrg, O=MyCompany, L=MyCity, S=MyState, C=US" \
  -ext "SAN=IP:10.3.0.1"
Export the cert:
keytool -exportcert -alias nifi-cert -file nifi-cert.crt -keystore keystore.p12 -storetype PKCS12
Create the truststore:
keytool -importcert -alias nifi-cert -file nifi-cert.crt -keystore truststore.p12 -storetype PKCS12
Solution (using openssl)
Generate key and cert:
openssl req -x509 -newkey rsa:2048 -keyout nifi.key -out nifi.crt -days 365 -nodes -subj "/CN=10.3.0.1"
Convert to PKCS12 format:
openssl pkcs12 -export -in nifi.crt -inkey nifi.key -out keystore.p12 -name nifi-cert
Create the truststore:
openssl pkcs12 -export -in nifi.crt -nokeys -out truststore.p12 -name nifi-cert
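As an added example (not part of the original post), the openssl steps above combined into one script that also covers the FQDN case mentioned at the top, puts both the IP and the FQDN into the certificate's SAN, and verifies the SAN inside the finished keystore before NiFi is restarted. It assumes openssl 1.1.1 or newer on PATH; nifi.example.internal is a placeholder FQDN, and NIFI_STORE_PASS is a placeholder variable for the store password, which must match the keystore and truststore password properties in nifi.properties.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a NiFi keystore/truststore
# whose certificate names every address clients will type into the URL, then
# lets you verify the SAN before restarting NiFi.
# Assumptions: openssl >= 1.1.1 on PATH; nifi.example.internal is a constructed
# placeholder FQDN; NIFI_STORE_PASS is a constructed env var holding the store
# password, which must also be set as nifi.security.keystorePasswd,
# nifi.security.keyPasswd and nifi.security.truststorePasswd in nifi.properties.

# make_nifi_stores IP FQDN OUTDIR -> writes nifi.key, nifi.crt, keystore.p12
# and truststore.p12 into OUTDIR.
make_nifi_stores() {
  ip="$1"; fqdn="$2"; outdir="$3"
  : "${NIFI_STORE_PASS:?export NIFI_STORE_PASS before running}"
  mkdir -p "$outdir"
  # Self-signed key and cert. The SAN, not the CN, is what the SNI/Host check
  # and modern browsers match, so list the IP, the FQDN and localhost there.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$outdir/nifi.key" -out "$outdir/nifi.crt" \
    -subj "/CN=$fqdn" \
    -addext "subjectAltName=IP:$ip,DNS:$fqdn,DNS:localhost" \
    -addext "extendedKeyUsage=serverAuth"
  # Keystore: private key + cert. The password comes from the environment so it
  # never appears in the process list or shell history.
  openssl pkcs12 -export -in "$outdir/nifi.crt" -inkey "$outdir/nifi.key" \
    -name nifi-cert -out "$outdir/keystore.p12" -passout env:NIFI_STORE_PASS
  # Truststore: the certificate only, no private key.
  openssl pkcs12 -export -in "$outdir/nifi.crt" -nokeys \
    -name nifi-cert -out "$outdir/truststore.p12" -passout env:NIFI_STORE_PASS
}

# keystore_san_has FILE NAME -> succeeds when the certificate inside the PKCS12
# keystore lists NAME (e.g. "IP Address:10.3.0.1" or "DNS:localhost") in its SAN.
keystore_san_has() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:NIFI_STORE_PASS 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName \
    | grep -qF -- "$2"
}

# Stand-alone run: build the stores for the post's IP plus an FQDN, then check.
if [ "${1:-}" = "run" ]; then
  make_nifi_stores 10.3.0.1 nifi.example.internal ./nifi-tls
  keystore_san_has ./nifi-tls/keystore.p12 "IP Address:10.3.0.1" && echo "SAN ok"
fi
```

With NIFI_STORE_PASS exported, `sh make-stores.sh run` writes the four files into ./nifi-tls; copy keystore.p12 and truststore.p12 into the config dir once the SAN check prints "SAN ok".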