
APACHE NIFI invokeHTTP to get token issue

I have a secure NiFi cluster with 3 nodes, configured with truststore.jks and keystore.jks.

In my invokeHTTP, I've set "StandardSSLContextService" with keystore and truststore for https.

  • invokeHTTP works when I try https://nifi:9443/nifi-api/controller/config

  • but it does not work when I try "https://auth_server/oauth/access_token"

So when I try to use invokeHTTP to get a token, it fails with this error:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Thanks for your help.

Maykiwo GNO asked Aug 28 '17 10:08


1 Answer

The StandardSSLContextService can be configured with a truststore, which is a Java KeyStore object which contains a collection of TrustedCertEntry objects -- each of which holds the public key and certificate information of a trusted entity. When Apache NiFi attempts to contact some other endpoint or service over HTTPS, it evaluates the received certificate identifying the service and attempts to validate that certificate. If the endpoint certificate is not directly contained in the truststore, it checks to see which certificate signed the leaf cert, and validates that one. This process continues up the certificate chain until either a cert is found that is trusted, or none are.

The error message you are receiving is stating that none of the certificates in the chain could be verified. As daggett pointed out, you could manually import the certificate of the service you want to validate into a custom truststore. If this is a service available on the public internet and signed by a generally trusted certificate authority (CA), you can also point your StandardSSLContextService to the default list provided by Java. The cacerts truststore is included automatically, and has a similar trusted entry list to modern browsers. It is found in $JAVA_HOME/jre/lib/security/cacerts. You can determine the value of $JAVA_HOME for your OS and Java version.

  • Truststore filename: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (example)
  • Truststore password: changeit (default value)
  • Truststore type: JKS
Andy answered Oct 23 '22 18:10
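
The truststore outcomes described in the answer above (issuer missing, signing CA present, server certificate imported directly), reproduced with openssl outside NiFi. This is an added example, not part of the original answer; the certificates, subject names and file names are constructed for the demo, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: the truststore decision reproduced with openssl, outside NiFi.
# All certificates, subject names and paths below are constructed for this demo.

# chain_trusted TRUST_PEM LEAF_PEM [INTERMEDIATES_PEM]
# Exit 0 if LEAF_PEM is in TRUST_PEM or chains to a certificate in it.
# -no-CApath keeps the system CA directory out of the decision;
# -partial_chain accepts a directly trusted leaf, as a Java truststore does.
chain_trusted() {
  openssl verify -no-CApath -partial_chain -CAfile "$1" \
    ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: a root CA, a server cert it signed, and an unrelated CA.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=auth_server" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"

# Three candidate truststores checked against the same server certificate.
for ts in other ca leaf; do
  if chain_trusted "$work/$ts.pem" "$work/leaf.pem"; then
    echo "truststore=$ts.pem: trusted"
  else
    echo "truststore=$ts.pem: no path to a trusted certificate (the PKIX failure)"
  fi
done
```

To run the same check against a real truststore, export it with `keytool -list -rfc -keystore truststore.jks` into a file and pass that file as the first argument; `openssl s_client -showcerts` prints the certificates the server presents.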