0

I've got NiFi Registry 0.5.0 installed alongside my NiFi 1.9.2 cluster and versioning control working correctly. However, when it comes to the registry pushing to the Git repository, we see the following.

2020-03-02 10:19:53,183 ERROR [GitFlowMetaData Push thread] o.a.n.r.p.flow.git.GitFlowMetaData Failed to push commits to origin due to org.eclipse.jgit.api.errors.TransportException: https://svc_nifi@gitlab.intranet.net/gitlab/nifi/flows.git: Secure connection to https://svc_nifi@gitlab.intranet.net/gitlab/nifi/flows.git could not be stablished because of SSL problems
org.eclipse.jgit.api.errors.TransportException: https://svc_nifi@gitlab.intranet.net/gitlab/nifi/flows.git: Secure connection to https://svc_nifi@gitlab.intranet.net/gitlab/nifi/flows.git could not be stablished because of SSL problems
        at org.eclipse.jgit.api.PushCommand.call(PushCommand.java:180)
        at org.apache.nifi.registry.provider.flow.git.GitFlowMetaData.lambda$startPushThread$1(GitFlowMetaData.java:225)
        at org.apache.nifi.registry.provider.flow.git.GitFlowMetaData$$Lambda$370/853913427.run(Unknown Source)
        at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
        at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: org.eclipse.jgit.errors.TransportException: https://svc_nifi@gitlab.intranet.net/gitlab/nifi/flows.git: Secure connection to https://svc_nifi@gitlab.intranet.net/gitlab/nifi/flows.git could not be stablished because of SSL problems
        at org.eclipse.jgit.transport.TransportHttp.handleSslFailure(TransportHttp.java:617)
        at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:567)
        at org.eclipse.jgit.transport.TransportHttp.openPush(TransportHttp.java:435)
        at org.eclipse.jgit.transport.PushProcess.execute(PushProcess.java:160)
        at org.eclipse.jgit.transport.Transport.push(Transport.java:1344)
        at org.eclipse.jgit.api.PushCommand.call(PushCommand.java:169)
        ... 9 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at java.net.HttpURLConnection.getResponseCode(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
        at org.eclipse.jgit.transport.http.JDKHttpConnection.getResponseCode(JDKHttpConnection.java:108)
        at org.eclipse.jgit.util.HttpSupport.response(HttpSupport.java:205)
        at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:498)
        ... 13 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 30 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 36 common frames omitted

I've tried adding the SSL cert to both the key and trust stores (the ones configured in nifi-registry.properties). I know I can work with the git repository on the server as I was able to clone it locally. The git server is also using the same Root CA which is in the trust store.

My providers.xml config is:

<flowPersistenceProvider>
    <class>org.apache.nifi.registry.provider.flow.git.GitFlowPersistenceProvider</class>
    <property name="Flow Storage Directory">/home/nifi/flows</property>
    <property name="Remote To Push">origin</property>
    <property name="Remote Access User">svc_nifi</property>
    <property name="Remote Access Password"><password></property>
</flowPersistenceProvider>
Nathan English

2 Answers

0

It's not an ideal solution, but I have disabled SSL verification on the local repository whilst continuing to investigate a permanent solution.

Nathan English
0

Ran into the same problem a few moments ago; solved it by appending the SSL certificate of the CA to the cacerts file of the running JRE.

In my case (NiFi Registry spawned in the official Docker container), I just made a volume link from /etc/pki/java/cacerts (RHEL with properly configured CA trust) to the container's /usr/local/openjdk-8/jre/lib/security/cacerts, and the SSL validation worked.

Mohammad Mirzaeyan
dizzy
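The stack trace in the question shows JGit connecting through `HttpsURLConnection`, which validates the server against the JVM's default trust anchors. The diagnostic below is an added example, not code from either answer or from NiFi Registry: it lists which trust anchors match a CA name in the JVM default store and, optionally, in a second truststore file such as the one named in nifi-registry.properties. The class name `TrustAnchorCheck` and the `TRUSTSTORE_PASS` environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TrustAnchorCheck "<CA subject substring>" [truststore-path]
// Optional store password is read from TRUSTSTORE_PASS (hypothetical name).
public class TrustAnchorCheck {
    // Anchors for a store; null selects the JVM default
    // (javax.net.ssl.trustStore if set, else the JRE's jssecacerts/cacerts).
    static List<X509Certificate> anchors(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        List<X509Certificate> out = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                Collections.addAll(out, ((X509TrustManager) tm).getAcceptedIssuers());
            }
        }
        return out;
    }

    // Print every anchor whose subject contains the search string.
    static void report(String label, List<X509Certificate> certs, String needle) {
        int hits = 0;
        for (X509Certificate c : certs) {
            String subject = c.getSubjectX500Principal().getName();
            if (subject.toLowerCase().contains(needle.toLowerCase())) {
                hits++;
                System.out.printf("  %s (expires %s)%n", subject, c.getNotAfter());
            }
        }
        System.out.printf("%s: %d anchors, %d matching%n", label, certs.size(), hits);
    }

    public static void main(String[] args) throws Exception {
        String needle = args.length > 0 ? args[0] : "Root";
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore"));
        report("JVM default store", anchors(null), needle);
        if (args.length >= 2) {
            String pw = System.getenv("TRUSTSTORE_PASS");
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(args[1])) {
                ks.load(in, pw == null ? null : pw.toCharArray());
            }
            report(args[1], anchors(ks), needle);
        }
    }
}
```

Run it with the same JRE that starts NiFi Registry (inside the container, if there is one). A CA that matches in the second store but not in the JVM default store is consistent with the "PKIX path building failed" error above.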