NiFi 2.0.0-M4 TLS Setup (broken)
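#!/usr/bin/env bash
# Build a private CA, a NiFi server certificate (with subjectAltName) and a
# client certificate, then start NiFi 2.0.0-M4 with TLS client-certificate
# authentication and the VAST DB NAR extension mounted in.
#
# Overridable environment:
#   EXT_HOST_NAME   hostname clients use to reach NiFi (goes into CN and SAN)
#   EXT_HOST_IP     IP clients use to reach NiFi (goes into SAN)
#   STORE_PASSWORD  password for keystore, truststore and client PKCS#12
# The defaults below are sample lab values.
set -euo pipefail

export EXT_HOST_NAME="${EXT_HOST_NAME:-vastdb-ingest}"
export EXT_HOST_IP="${EXT_HOST_IP:-10.71.212.111}"
export STORE_PASSWORD="${STORE_PASSWORD:-abcdef}"   # sample value; override outside a lab
readonly BUILD_IMAGE="openjdk:24-jdk"
readonly NIFI_IMAGE="apache/nifi:2.0.0-M4"

if [[ -d ./certs ]]; then
  printf 'Directory ./certs already exists. Exiting.\n' >&2
  exit 1
fi
mkdir -- ./certs

# Key material is generated inside a JDK image so openssl and keytool are both
# available.  Host values are handed over with -e and the inner script is
# single-quoted, so STORE_PASSWORD is never interpolated into shell source on
# the host side (and no "set -x" echoes it to the terminal).
docker run -it --rm \
  -v "$(pwd)/certs":/data \
  -e EXT_HOST_NAME -e EXT_HOST_IP -e STORE_PASSWORD \
  "$BUILD_IMAGE" /bin/bash -c '
set -euo pipefail

# CA key and self-signed CA certificate
openssl genrsa -out /data/ca.key 3072
openssl req -new -x509 -days 365 -key /data/ca.key -sha256 -out /data/ca.cer \
  -subj "/CN=nifi-ca/OU=nifi/"

# NiFi server key and CSR.  The subjectAltName has to be supplied at signing
# time via -extfile: "openssl x509 -req" does not copy extensions from the CSR,
# so a SAN given only through -addext would be silently dropped from the
# issued certificate and hostname verification would fail.
openssl genrsa -out /data/nifi1.key 3072
openssl req -new -key /data/nifi1.key -out /data/nifi1.csr \
  -subj "/CN=${EXT_HOST_NAME}/OU=nifi/O=Your Organization/L=Your Location/C=US"
printf "subjectAltName=IP:%s,DNS:%s,DNS:localhost\n" "${EXT_HOST_IP}" "${EXT_HOST_NAME}" \
  > /data/nifi1.ext
openssl x509 -req -in /data/nifi1.csr -CA /data/ca.cer -CAkey /data/ca.key \
  -CAcreateserial -extfile /data/nifi1.ext -out /data/nifi1.cer -days 365 -sha256

# NiFi keystore: it must contain the *private key* plus its certificate chain.
# "keytool -importcert" on its own only creates a trusted-certificate entry,
# which NiFi cannot serve TLS from, so bundle key+chain as PKCS#12 first and
# convert that into the JKS file.  Passwords are read from the environment
# rather than placed on the command line.
openssl pkcs12 -export -out /data/nifi1.p12 -inkey /data/nifi1.key \
  -in /data/nifi1.cer -certfile /data/ca.cer -name nifi1 \
  -passout env:STORE_PASSWORD
keytool -importkeystore -noprompt \
  -srckeystore /data/nifi1.p12 -srcstoretype PKCS12 -srcstorepass:env STORE_PASSWORD \
  -destkeystore /data/nifi1.jks -deststoretype JKS -deststorepass:env STORE_PASSWORD

# Truststore: only the CA certificate is needed to validate client certs.
keytool -importcert -trustcacerts -noprompt -file /data/ca.cer \
  -keystore /data/trust.jks -storetype JKS -alias ca -storepass:env STORE_PASSWORD

# Client key, CSR, CA-signed certificate and a PKCS#12 bundle for browsers/tools.
openssl genrsa -out /data/client.key 3072
openssl req -new -key /data/client.key -out /data/client.csr \
  -subj "/CN=nifi-client/OU=nifi/O=Your Organization/L=Your Location/C=US"
openssl x509 -req -in /data/client.csr -CA /data/ca.cer -CAkey /data/ca.key \
  -CAcreateserial -out /data/client.cer -days 365 -sha256
openssl pkcs12 -export -out /data/client.p12 -inkey /data/client.key \
  -in /data/client.cer -certfile /data/ca.cer -passout env:STORE_PASSWORD
'

# Files were written by root inside the container; hand them back to the caller
# and keep the private keys and the client bundle from being world-readable.
# (nifi1.jks / trust.jks are left as created because the NiFi container reads them.)
sudo chown -R "$(whoami)" certs/
chmod 600 certs/*.key certs/client.p12

# The client certificate DN becomes NiFi's initial admin identity.
# Modern OpenSSL prints "subject=CN = ..., OU = ..." by default, which does not
# match NiFi's "CN=..., OU=..." identity form (the old sed pattern also assumed
# a trailing space after "subject=").  RFC2253 ordering with ", " separators is
# the closest rendering; NOTE(review): confirm it equals the identity NiFi logs
# on the first client-certificate login, or add an identity mapping.
CLIENT_DN=$(openssl x509 -in ./certs/client.cer -noout -subject \
  -nameopt RFC2253,sep_comma_plus_space | sed -E 's/^subject= ?//')
: "${CLIENT_DN:?could not extract client certificate subject}"

# Resolve the latest vastdb_nifi release tag using only the Python stdlib
# (no third-party "requests" dependency on the host).
LATEST_RELEASE=$(curl -fsSL https://api.github.com/repos/vast-data/vastdb_nifi/releases/latest \
  | python3 -c 'import json, sys; print(json.load(sys.stdin)["tag_name"].lstrip("v"))')
: "${LATEST_RELEASE:?could not determine latest vastdb_nifi release}"
readonly NAR="vastdb_nifi-${LATEST_RELEASE}-linux-x86_64-py39.nar"

# Download the VAST NAR extension for NiFi.  It is fetched over HTTPS but not
# otherwise verified: pin LATEST_RELEASE and compare the asset against a
# checksum obtained from a trusted source before relying on it.
wget -c -- "https://github.com/vast-data/vastdb_nifi/releases/download/v${LATEST_RELEASE}/${NAR}"

# Run NiFi with TLS.  SINGLE_USER_CREDENTIALS_* are sample values; with
# AUTH=tls the client certificate is the login path (presumably the single-user
# provider is unused then — confirm).
docker run --name nifi \
  -p 8443:8443 \
  -v "$(pwd)/certs":/opt/certs \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/nifi1.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD="${STORE_PASSWORD}" \
  -e TRUSTSTORE_PATH=/opt/certs/trust.jks \
  -e TRUSTSTORE_PASSWORD="${STORE_PASSWORD}" \
  -e TRUSTSTORE_TYPE=JKS \
  -e SINGLE_USER_CREDENTIALS_USERNAME=admin \
  -e SINGLE_USER_CREDENTIALS_PASSWORD=123456123456 \
  -e INITIAL_ADMIN_IDENTITY="${CLIENT_DN}" \
  -v "$(pwd)/${NAR}":"/opt/nifi/nifi-current/nar_extensions/${NAR}" \
  --platform linux/amd64 \
  -d \
  "$NIFI_IMAGE"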