Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-3740

Hostname validation error message can be unclear if SAN fails but CN matches hostname




      As reported on the mailing list, the error message can be very confusing if the hostname matches the certificate CN but not the SAN.

      On Apr 23, 2017, at 4:42 PM, Joe Gresock <jgresock@gmail.com> wrote:

      Just to follow up – apparently if the Subject Alternate Name is set
      incorrectly, it will result in this error. Apparently the CN is ignored if
      the SAN is set on the cert.

      On Sat, Apr 22, 2017 at 12:08 PM, Joe Gresock <jgresock@gmail.com> wrote:

      I've been banging my head against the wall on this one.. is there a good
      way to further debug this RPG error? The hostname clearly matches the
      certificate CN.

      2017-04-22 12:04:35,932 WARN [Remote Process Group 68ed2275-894d-3d75-b457-9d28a1b680e0:
      https://ip-172-31-33-37.ec2.internal:8443/nifi Thread-1] o.a.n.remote.StandardRemoteProcessGroup
      Unable to connect to RemoteProcessGroup[https://ip-
      172-31-33-37.ec2.internal:8443/nifi] due to javax.net.ssl.SSLPeerUnverifiedException:
      Host name 'ip-172-31-33-37.ec2.internal' does not match the certificate
      subject provided by the peer (CN=ip-172-31-33-37.ec2.internal, OU=LZ,
      O=LZS, L=Jessup, ST=Maryland, C=US)

      The exception thrown by the code under discussion should differentiate between the reasons the verification failed so a more helpful error message can be displayed to the user/in the logs.

      See RFC 2818 for more information.


        Issue Links



              Unassigned Unassigned
              alopresto Andy LoPresto
              0 Vote for this issue
              1 Start watching this issue