Andy LoPresto created NIFI-1479:
-----------------------------------
Summary: Catch PKIX CertPathValidatorException and provide better
error messaging
Key: NIFI-1479
URL: https://issues.apache.org/jira/browse/NIFI-1479
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 0.5.0
Reporter: Andy LoPresto
Assignee: Andy LoPresto
Users often encounter an exception when validating certificates which is poorly
worded and confusing:
{code}
./nifi-app.log:2016-01-06 08:06:38,637 ERROR [Timer-Driven Process Thread-6]
o.a.nifi.processors.standard.InvokeHTTP
InvokeHTTP[id=c75d8a02-3a6a-3c72-a086-ca0ace77fd62] Routing to Failure due to
exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
{code}
Due to phrases like "PKIX path building failed" and "unable to find valid
certification path to requested target", users often believe this is a file
path issue and that NiFi cannot locate the truststore. However, the issue is
actually that no *certificate validation* "path" can be constructed -- i.e.
NiFi cannot find a chain between the certificate being validated and any
trusted CA certificate that has signed it (or intermediaries).
This exception should be caught and a more explicative error message should be
displayed, with suggestions for how to resolve this issue (usually importing
the custom CA certificate or self-signed certificate into the truststore).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
