I'm trying to install Apache NiFi 2+ on my CentOS 7 server in a Docker container. I created truststore.p12 and keystore.p12 (I also tried a JKS truststore), and I also extracted the cert from the keystore, but I always end up with HTTP ERROR 400 Invalid SNI once I access https://<my-ip-address>:8445/nifi (I'm using port 8445 because the other ports are occupied).
I've followed the answer here but it also didn't work. I'm creating the files and storing them in /opt/certs/ (they are valid, I've checked). After that, I run Docker using the following command (as written here):
docker run --name nifi \
-v /opt/certs:/opt/certs \
-p 8445:8445 \
-e NIFI_WEB_HTTPS_PORT=8445 \
-e NIFI_WEB_HTTPS_HOST=0.0.0.0 \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD=<changeit> \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD=<changeit> \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='CN=<changeit>, OU=<changeit>, O=<changeit>, L=<changeit>, ST=<changeit>, C=<changeit>' \
-e NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider \
-e NIFI_SECURITY_NEED_CLIENT_AUTH=false \
-d \
apache/nifi:2.1.0
(For NIFI_WEB_HTTPS_HOST I also tried binding it to a specific IP address.)
But I always end up with the same error: HTTP ERROR 400 Invalid SNI.
I checked the logs; they don't seem to contain any related errors.
Note: I've already deployed a NiFi instance on the same server without Docker, following the same steps.
Any guidance on how to move forward is appreciated!
The issue was that the environment variables I'm setting in the docker run command aren't reflected in the nifi.properties file in the container. So I edited the Dockerfile as follows.
Also, instead of mounting the key and trust store from the local system, I'm creating self-signed stores in the Dockerfile. The sed -i will overwrite the properties in the nifi.properties file:
# Base image: the one used in the question (assumed here; the original snippet omits the FROM line)
FROM apache/nifi:2.1.0
ENV NIFI_HOME=/opt/nifi/nifi-current
ENV CERTS_DIR=/opt/nifi/certs
ENV NIFI_WEB_HTTPS_PORT=8445
ENV NIFI_WEB_HTTPS_HOST=0.0.0.0
ENV NIFI_WEB_PROXY_HOST=0.0.0.0
ENV KEYSTORE_PASS=<changeit>
ENV TRUSTSTORE_PASS=<changeit>
ENV KEYSTORE_PATH=${CERTS_DIR}/keystore.jks
ENV TRUSTSTORE_PATH=${CERTS_DIR}/truststore.jks
ENV KEYSTORE_TYPE=JKS
ENV TRUSTSTORE_TYPE=JKS
ENV NIFI_USERNAME=<changeit>
ENV NIFI_PASSWORD=<changeit>
# Create the certs directory if it does not exist
RUN mkdir -p ${CERTS_DIR}
# Generate the keystore; the SAN must list every hostname/IP used to reach the UI
RUN keytool -genkeypair -alias nifi-key \
-keyalg RSA -keysize 2048 -validity 36500 \
-keystore ${CERTS_DIR}/keystore.jks -storepass ${KEYSTORE_PASS} \
-dname "CN=<changeit>, OU=<changeit>, O=<changeit>, L=<changeit>, ST=<changeit>, C=<changeit>" \
-ext SAN=dns:nifi.local,IP:<my-ip-address>
# Export the certificate from the keystore in X.509 format
RUN keytool -export -alias nifi-key -file ${CERTS_DIR}/nifi-cert.cer -keystore ${KEYSTORE_PATH} -storepass ${KEYSTORE_PASS} && ls -l ${CERTS_DIR}/nifi-cert.cer
# Generate the truststore and import the exported certificate
RUN keytool -import -trustcacerts -alias nifi-cert -file ${CERTS_DIR}/nifi-cert.cer -keystore ${TRUSTSTORE_PATH} -storepass ${TRUSTSTORE_PASS} -noprompt
# Set NiFi user credentials using nifi.sh set-single-user-credentials
# (relative path works because the image's WORKDIR is NIFI_HOME)
RUN ./bin/nifi.sh set-single-user-credentials ${NIFI_USERNAME} ${NIFI_PASSWORD}
# Overwrite the TLS properties in nifi.properties ('|' is the sed delimiter so paths need no escaping)
RUN sed -i \
-e "s|^nifi.security.keystore=.*|nifi.security.keystore=${KEYSTORE_PATH}|" \
-e "s|^nifi.security.keystoreType=.*|nifi.security.keystoreType=${KEYSTORE_TYPE}|" \
-e "s|^nifi.security.keystorePasswd=.*|nifi.security.keystorePasswd=${KEYSTORE_PASS}|" \
-e "s|^nifi.security.truststore=.*|nifi.security.truststore=${TRUSTSTORE_PATH}|" \
-e "s|^nifi.security.truststoreType=.*|nifi.security.truststoreType=${TRUSTSTORE_TYPE}|" \
-e "s|^nifi.security.truststorePasswd=.*|nifi.security.truststorePasswd=${TRUSTSTORE_PASS}|" \
/opt/nifi/nifi-current/conf/nifi.properties
After that I can simply build the image and run the Docker container:
docker build -t test-nifi <the location of your Dockerfile>
docker run -d --name nifi -p 8445:8445 test-nifi
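The sed pattern the answer relies on (`s|^key=.*|key=value|`) silently does nothing when the key is not present in nifi.properties, so it pays to verify the result. The following is an added example, not code from the answer or from the NiFi project: a small POSIX sh helper that applies a property the same way but fails if the key is missing, plus a check that lists every HTTPS/TLS key still left blank. It assumes GNU sed (for -i) and grep, and values that contain no `|` or `&`.

```shell
#!/bin/sh
# Added example, not part of the answer: set nifi.properties keys the way the
# Dockerfile's sed does, but fail when a key is absent (plain sed would silently
# do nothing) and verify the TLS-related keys afterwards. Assumes GNU sed + grep.
# set_prop FILE KEY VALUE: replace the "KEY=..." line in FILE, error if KEY is missing
set_prop() {
    if ! grep -q "^$2=" "$1"; then
        echo "error: $2 not present in $1" >&2
        return 1
    fi
    # '|' as the sed delimiter so paths containing '/' need no escaping
    sed -i "s|^$2=.*|$2=$3|" "$1"
}
# get_prop FILE KEY: print KEY's value (empty if blank or absent)
get_prop() {
    sed -n "s|^$2=||p" "$1"
}
# check_tls_props FILE: report every HTTPS/TLS key still blank; return 1 if any
check_tls_props() {
    rc=0
    for key in nifi.web.https.port nifi.web.proxy.host \
               nifi.security.keystore nifi.security.keystoreType \
               nifi.security.keystorePasswd nifi.security.truststore \
               nifi.security.truststoreType nifi.security.truststorePasswd; do
        if [ -z "$(get_prop "$1" "$key")" ]; then
            echo "unset: $key" >&2
            rc=1
        fi
    done
    return "$rc"
}
# demo_props: write a constructed sample of the relevant nifi.properties lines
# (blank, as in a fresh install) to a temp file and print its path
demo_props() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
nifi.web.https.port=
nifi.web.proxy.host=
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
EOF
    echo "$f"
}
```

Run `check_tls_props /opt/nifi/nifi-current/conf/nifi.properties` inside the container (for example via docker exec) to confirm the Dockerfile's sed actually took effect before chasing the browser error.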