[
https://issues.apache.org/jira/browse/NIFI-825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14660234#comment-14660234
]
Joseph Witt commented on NIFI-825:
----------------------------------
verified patch applies clean and contrib-check is good.
Please do though provide some context here. The stack trace of the issue. A
brief explanation of what was actually wrong. We need to get out of the habit
of 'something is broke, here is a patch, +1'. There is no learning/community
effect there.
+1
> InvokeHTTP not handling SSL connections properly
> ------------------------------------------------
>
> Key: NIFI-825
> URL: https://issues.apache.org/jira/browse/NIFI-825
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Reporter: Mark Payne
> Assignee: Mark Payne
> Priority: Critical
> Fix For: 0.3.0
>
> Attachments:
> 0001-NIFI-825-Use-new-method-of-accessing-controller-serv.patch
>
>
> A user sent an email about InvokeHTTP failing after restart when configured
> to use an SSLContext Service, providing the following stacktrace:
> 2015-08-06 14:23:06,727 ERROR [Timer-Driven Process Thread-6]
> o.a.nifi.processors.standard.InvokeHTTP
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
> ~[na:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
> ~[na:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
> ~[na:1.8.0_45]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_45]
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
> ~[na:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
> ~[na:1.8.0_45]
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
> ~[na:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
> ~[na:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
> ~[na:1.8.0_45]
> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
> ~[na:1.8.0_45]
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> ~[na:1.8.0_45]
> at
> sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
> ~[na:1.8.0_45]
> at
> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
> ~[na:1.8.0_45]
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
> ~[na:1.8.0_45]
> at
> org.apache.nifi.processors.standard.InvokeHTTP$Transaction.sendRequest(InvokeHTTP.java:434)
> ~[nifi-standard-processors-0.1.0-incubating.jar:0.1.0-incubating]
> at
> org.apache.nifi.processors.standard.InvokeHTTP$Transaction.process(InvokeHTTP.java:356)
> ~[nifi-standard-processors-0.1.0-incubating.jar:0.1.0-incubating]
> at
> org.apache.nifi.processors.standard.InvokeHTTP.onTrigger(InvokeHTTP.java:148)
> [nifi-standard-processors-0.1.0-incubating.jar:0.1.0-incubating]
> at
> org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
> [nifi-api-0.1.0-incubating.jar:0.1.0-incubating]
> at
> org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1077)
> [nifi-framework-core-0.1.0-incubating.jar:0.1.0-incubating]
> at
> org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:127)
> [nifi-framework-core-0.1.0-incubating.jar:0.1.0-incubating]
> at
> org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:49)
> [nifi-framework-core-0.1.0-incubating.jar:0.1.0-incubating]
> at
> org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:119)
> [nifi-framework-core-0.1.0-incubating.jar:0.1.0-incubating]
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> [na:1.8.0_45]
> at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
> [na:1.8.0_45]
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
> [na:1.8.0_45]
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
> [na:1.8.0_45]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [na:1.8.0_45]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [na:1.8.0_45]
> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
> [na:1.8.0_45]
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
> [na:1.8.0_45]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [na:1.8.0_45]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [na:1.8.0_45]
> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> ~[na:1.8.0_45]
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> ~[na:1.8.0_45]
> at sun.security.validator.Validator.validate(Validator.java:260)
> ~[na:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> ~[na:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> ~[na:1.8.0_45]
> at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> ~[na:1.8.0_45]
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> ~[na:1.8.0_45]
> ... 27 common frames omitted
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> ~[na:1.8.0_45]
> at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> ~[na:1.8.0_45]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> ~[na:1.8.0_45]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> ~[na:1.8.0_45]
> ... 33 common frames omitted
> I was able to duplicate this same failure but without even restarting NiFi,
> by issuing a GET request to https://localhost:8443/nifi-api/controller/status
> The supplied patch ensure that we just use the SSLContext Service to obtain
> an SSLContext object for each iteration, leaving caching, if appropriate, up
> to the service. The patch also updates some of the comments and code styles
> to be more consistent with the rest of the codebase.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
