6

I have a secure NiFi cluster with 3 nodes, configured with truststore.jks and keystore.jks.

In my InvokeHTTP, I've set "StandardSSLContextService" with the keystore and truststore for HTTPS.

So when I try to use InvokeHTTP to get a token, it fails with this error:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Thanks for your help.

Maykiwo GNO
  • 77
  • 2
  • 5
  • Just add to your truststore.jks the public certificate from the server `https://auth_server`. You can export the public certificate chain using a browser and import it into the JKS using keytool (Java JDK). – daggett Aug 28 '17 at 11:30

1 Answer

6

The StandardSSLContextService can be configured with a truststore, which is a Java KeyStore object which contains a collection of TrustedCertEntry objects -- each of which holds the public key and certificate information of a trusted entity. When Apache NiFi attempts to contact some other endpoint or service over HTTPS, it evaluates the received certificate identifying the service and attempts to validate that certificate. If the endpoint certificate is not directly contained in the truststore, it checks to see which certificate signed the leaf cert, and validates that one. This process continues up the certificate chain until either a cert is found that is trusted, or none are.

The error message you are receiving is stating that none of the certificates in the chain could be verified. As daggett pointed out, you could manually import the certificate of the service you want to validate into a custom truststore. If this is a service available on the public internet and signed by a generally trusted certificate authority (CA), you can also point your StandardSSLContextService to the default list provided by Java. The cacerts truststore is included automatically, and has a similar trusted entry list to modern browsers. It is found in $JAVA_HOME/jre/lib/security/cacerts. You can determine the value of $JAVA_HOME for your OS and Java version.

  • Truststore filename: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (example)
  • Truststore password: changeit (default value)
  • Truststore type: JKS
Andy
  • 13,916
  • 1
  • 36
  • 78
  • Exported the certificate from Chrome and generated truststore.jks using the keytool and added the path in the StandardSSLContextService for the Truststore Filename property. But I am still getting the same error. Not sure how to troubleshoot this. – user4321 Nov 08 '17 at 15:45
  • Use OpenSSL's s_client command-line tool to ensure you are getting the correct certificate from the remote service and that it contains the complete certificate chain. Ensure that is what is imported to the truststore. `$ openssl s_client -connect <host>:<port> -debug -state -showcerts` – Andy Nov 08 '17 at 18:29
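As an added example (not code from the answer or from NiFi itself), the PKIX check the answer describes can be reproduced outside NiFi: load the same truststore.jks and the PEM chain saved from the `openssl s_client -showcerts` output in the comment above, and ask the JSSE trust manager whether it accepts the chain. The class name TrustCheck, the argument order and the file names are assumptions; the "PKIX path building failed" message it prints on failure is the same one InvokeHTTP reports.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Usage: java TrustCheck <truststore.jks> <truststore-password> <chain.pem>
 *  chain.pem holds the PEM blocks printed by: openssl s_client -connect <host>:<port> -showcerts
 *  (file names and argument order are this example's assumptions, not NiFi's). */
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        // Same JKS that StandardSSLContextService points at
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            truststore.load(in, args[1].toCharArray());
        }
        // Default algorithm is "PKIX": the path builder behind the error in the question
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) { tm = (X509TrustManager) t; break; }
        }
        if (tm == null) throw new IllegalStateException("no X509TrustManager for this truststore");
        // Parse every certificate in the captured chain, leaf first as s_client prints them
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(args[2])) {
            certs = cf.generateCertificates(in);
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
        for (X509Certificate c : chain) {
            System.out.println("chain: " + c.getSubjectX500Principal() + "  issued by  " + c.getIssuerX500Principal());
        }
        System.out.println("trust anchors loaded from " + args[0] + ": " + tm.getAcceptedIssuers().length);
        try {
            // Walks the chain up to a trusted entry exactly as the SSLContext would during the handshake
            tm.checkServerTrusted(chain, "RSA");
            System.out.println("OK: chain validates against " + args[0]);
        } catch (CertificateException e) {
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

If the subject of the last certificate printed is not the issuer of any trust anchor in the store, the missing link (usually an intermediate or the root CA) is what needs to be imported with keytool, rather than the leaf alone.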