3

I have a local NiFi instance that I want to send data via secure Site-to-Site commmunication to a remote NiFi instance on an AWS server.

I used the NiFi TLS toolkit to generate a self-signed cert for my client and server keystore and truststore.

On my local NiFi instance I have a Remote Processor Group setup to point to an input port on the remote NiFi instance. The initial SSL handshake between my local and remote instances is successful as I am able to see available input ports from the remote instance and have the "Site to Site is secure" icon notification on the local instance's web UI.

When I try to feed data through the RPG via https however, I get the following error in my local instances logs:

2019-06-19 15:57:29,186 ERROR [I/O dispatcher 13] o.a.n.r.util.SiteToSiteRestApiClient Failed to create transaction for https://<local-instance-url>/nifi-api/data-transfer/input-ports/<UUID>/transactions
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:266)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:306)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:508)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:284)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:352)
... 9 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
... 17 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 23 common frames omitted

I'm a bit confused as to why it would be attempting a 2nd SSL handshake after it has seemingly already had a successfully SSL handshake. Initial research is suggesting that my cert isn't being trusted however I'm not sure why my first handshake would have succeeded if that was the case.

In terms on NIFI configuration. I've setup the remote properties for both instances as well as all other SSL properties including keystore/trustore info

nifi.remote.input.host=<other-instance-host>
nifi.remote.input.secure=true
nifi.remote.input.http.enabled=true
nifi.remote.input.http.transaction.ttl=30 sec
...
nifi.cluster.protocol.is.secure=true
Steve
  • 981
  • 1
  • 8
  • 22
  • Is it possible you're using a cluster and one node's certificate was present in the local instance's `truststore.jks` but not all the nodes'? You can use `openssl s_client -connect remote-host:port -state -debug -showcerts -CAfile /path/to/ca_public.pem -cert /path/to/server_public.pem -key /path/to/server_private.key` to further debug. – Andy Jun 19 '19 at 21:43
  • 1
    Also be sure that the certificate you're using has a valid `SubjectAlternativeName` DNS entry for the external hostname provided by AWS. – Andy Jun 19 '19 at 21:44

1 Answers1

0

pls check this -> https://bryanbende.com/development/2016/08/30/apache-nifi-1.0.0-secure-site-to-site

not sure if you are already at that point, but you have to add the remote instance to your users and grant access via policies

smu
  • 21
  • 4