I'm setting up certificate auth on my nifi server.
I have used nifi-tools/tls-toolkit from nifi project to generate a keystore, truststore, client certificate and so on.
I have added the client certificate generated by tls-toolkit in p12 format to my browser and configured my nifi server property. All works fine.
Now I want to use the client certificate within ruby script.
To do that I have converted the certificate from p12 format to pem format like this:
openssl pkcs12 -in CN=admin_DC=nifi_DC=com.p12 -passin pass:26V+Hs1qupglToDlVqO+oKW0yWR2jG3uXjuFTUus76o -out a.pem
MAC verified OK
Enter PEM pass phrase:
I left the PEM pass phrase blank.
To test it I tried
curl --insecure --cert-type pem --cert "a.pem" "https://127.0.0.1:9443/nifi"
curl: (35) error reading X.509 key or certificate file: Error in parsing.
Error in parsing? I haven't found any info about it.
Let's verify...
openssl verify a.pem
a.pem: DC = com, DC = nifi, CN = admin
error 20 at 0 depth lookup:unable to get local issuer certificate
Verify with the CA file...
openssl verify -verbose -x509_strict -issuer_checks -CAfile nifi-cert.pem a.pem
a.pem: OK
My ruby script fails too (obviously):
require 'rest_client'
require 'pp'      # pp is not loaded by default on Ruby 2.3
a = RestClient::Resource.new(
'https://127.0.0.1:9443/nifi',
# client certificate read from the exported PEM; no private key is supplied
:ssl_client_cert => OpenSSL::X509::Certificate.new(File.read("a.pem")),
# server certificate is not verified
:verify_ssl => OpenSSL::SSL::VERIFY_NONE
).get
pp a
I get...
/usr/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert bad certificate (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/2.3.0/net/http.rb:933:in `connect'
from /usr/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
from /usr/lib/ruby/2.3.0/net/http.rb:852:in `start'
from /var/lib/gems/2.3.0/gems/rest-client-2.0.2/lib/restclient/request.rb:715:in `transmit'
from /var/lib/gems/2.3.0/gems/rest-client-2.0.2/lib/restclient/request.rb:145:in `execute'
from /var/lib/gems/2.3.0/gems/rest-client-2.0.2/lib/restclient/request.rb:52:in `execute'
from /var/lib/gems/2.3.0/gems/rest-client-2.0.2/lib/restclient/resource.rb:51:in `get'
from test.rb:8:in `<main>'
What's wrong?
Thanks.
My hunch is that the issuer certificate (the Apache NiFi CA public certificate which signed the client certificate) is not bundled in the exported PEM file. In addition, the NiFi CA is generated on the system, and it is imported into the NiFi truststore, but it is not imported into the OpenSSL truststore, JRE cacerts, or any browser truststore automatically, so those tools will report that it is an unverified CA.
Can you verify that the exported PEM is in the expected format? A simple more or xxd command will output it in raw form, and you can examine the file structure. It should look like this:
hw12203:/Users/alopresto/Workspace/nifi (master) alopresto
🔓 1s @ 09:32:18 $ more ..//scratch/secure_nifi/client.pem
Bag Attributes
friendlyName: nifi-key
localKeyID: 4D A3 BA 01 40 32 60 6F 84 0B 1B B7 7F 1E 50 81 C7 DF 45 96
Key Attributes: <No Attributes>
Removed private key
Bag Attributes
friendlyName: nifi-key
localKeyID: 4D A3 BA 01 40 32 60 6F 84 0B 1B B7 7F 1E 50 81 C7 DF 45 96
subject=/OU=Apache NiFi/CN=alopresto
issuer=/OU=NIFI/CN=localhost
-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIKAVpj404fAAAAADANBgkqhkiG9w0BAQsFADAjMQ0wCwYD
... lines removed ...
WLvUHa29207v8ZQ6eFuTwM4OTISQIBRahxFqaluCvdQ8
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/OU=NIFI/CN=localhost
issuer=/OU=NIFI/CN=localhost
-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIKAVpj40jcAAAAADANBgkqhkiG9w0BAQsFADAjMQ0wCwYD
... lines removed ...
T7q7PHuhxvvdG4ckFMNpntxdTGIUoioZYzeijY4=
-----END CERTIFICATE-----
You can see that two certificates are included there -- the first is my client certificate and the second is the certificate of the CA that signed it.
In addition, you may need to export the private key from PKCS12 to PEM using the -nodes flag. Rather than meaning "node(s)", this flag indicates "no DES encryption", aka "no password required". You can see more about using the flag in this StackOverflow answer.
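The two points in the answer (is the issuing CA bundled in the PEM, and is the private key exported unencrypted so the client can actually use it) can be reproduced offline. The following is an added example written for this page, not code from the question, the answer, NiFi or tls-toolkit: it generates a throwaway CA and client certificate, packs them into a PKCS12 the way tls-toolkit does, exports that to PEM with and without the equivalent of -nodes, and inspects the result the way a client library would. The DNs, friendly name, PKCS12 password and passphrase are constructed for the example; `ssl_client_cert`, `ssl_client_key`, `ssl_ca_file` and `verify_ssl` are rest-client 2.x options, and the helper that builds them only shows what the question's script would need to pass (the gem itself is not loaded).

```ruby
require 'openssl'

# Build an X.509 v3 certificate. ca: true produces a self-signed CA,
# otherwise the cert is a clientAuth leaf signed by issuer/issuer_key.
def build_cert(dn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(dn)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Constructed stand-ins for the NiFi CA (nifi-cert.pem) and the client identity.
CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = build_cert('/OU=NIFI/CN=example-ca', CA_KEY, 1, ca: true)
CLIENT_KEY  = OpenSSL::PKey::RSA.new(2048)
CLIENT_CERT = build_cert('/OU=Apache NiFi/CN=example-client', CLIENT_KEY, 2,
                         issuer: CA_CERT, issuer_key: CA_KEY)
P12_PASSWORD = 'example-p12-password'   # constructed, not a real secret
P12_DER = OpenSSL::PKCS12.create(P12_PASSWORD, 'nifi-key', CLIENT_KEY, CLIENT_CERT,
                                 [CA_CERT]).to_der

# Equivalent of `openssl pkcs12 -in x.p12 -out a.pem`: key, then the client
# certificate, then any CA certificates stored in the PKCS12.
# nodes: true mirrors -nodes (key written unencrypted); otherwise the key is
# encrypted under key_pass, as the CLI does when you type a passphrase.
def p12_to_pem(p12_der, p12_pass, nodes: false, key_pass: nil, include_ca: true)
  p12 = OpenSSL::PKCS12.new(p12_der, p12_pass)
  key_pem = nodes ? p12.key.to_pem
                  : p12.key.export(OpenSSL::Cipher.new('aes-256-cbc'), key_pass)
  parts = [key_pem, p12.certificate.to_pem]
  parts.concat((p12.ca_certs || []).map(&:to_pem)) if include_ca
  parts.join
end

# Split a PEM bundle into its certificates (file order) and its key block.
def split_pem_bundle(pem)
  certs = pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
             .map { |block| OpenSSL::X509::Certificate.new(block) }
  key_pem = pem[/-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----/m]
  [certs, key_pem]
end

# What a client needs before it can present the certificate: a usable
# (unencrypted) key that matches the leaf, the issuer bundled, and a chain
# that verifies against the CA file (the answer's `openssl verify -CAfile`).
def inspect_bundle(pem, ca_pem)
  certs, key_pem = split_pem_bundle(pem)
  leaf = certs.first
  encrypted = key_pem.to_s.include?('ENCRYPTED')
  key = (key_pem && !encrypted) ? OpenSSL::PKey.read(key_pem) : nil
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  {
    cert_count: certs.size,
    key_present: !key_pem.nil?,
    key_encrypted: encrypted,
    key_matches_leaf: key ? leaf.check_private_key(key) : false,
    issuer_bundled: certs.drop(1).any? { |c| c.subject == leaf.issuer },
    chain_ok_with_cafile: store.verify(leaf, certs.drop(1))
  }
end

# The options the question's script was missing: the key goes in
# :ssl_client_key (the certificate alone is not enough), and the NiFi CA is
# pinned via :ssl_ca_file instead of disabling verification.
# Usage with the gem: RestClient::Resource.new(url, rest_client_ssl_options(pem, 'nifi-cert.pem')).get
def rest_client_ssl_options(pem, ca_file_path)
  certs, key_pem = split_pem_bundle(pem)
  {
    ssl_client_cert: certs.first,
    ssl_client_key: OpenSSL::PKey.read(key_pem),
    ssl_ca_file: ca_file_path,
    verify_ssl: OpenSSL::SSL::VERIFY_PEER
  }
end

GOOD_PEM    = p12_to_pem(P12_DER, P12_PASSWORD, nodes: true)
NO_CA_PEM   = p12_to_pem(P12_DER, P12_PASSWORD, nodes: true, include_ca: false)
ENC_KEY_PEM = p12_to_pem(P12_DER, P12_PASSWORD, key_pass: 'pem-passphrase')

if __FILE__ == $PROGRAM_NAME
  { good: GOOD_PEM, no_ca: NO_CA_PEM, encrypted_key: ENC_KEY_PEM }.each do |name, pem|
    puts "#{name}: #{inspect_bundle(pem, CA_CERT.to_pem)}"
  end
end
```

Running it shows the three situations side by side: the bundle without the CA still verifies with `-CAfile` (as in the question), so that check alone does not prove the issuer is bundled; and a bundle whose key was exported with a passphrase has a key block the client cannot load without that passphrase, which is why -nodes matters for a script.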