Pat,

That error means that NiFi could not find a valid trusted certificate for the 
hostname in question within the provided truststore. Understanding that the 
system in question may be on a limited network, can you please document what 
“the certs work when I use curl” means? Sometimes people include flags in curl 
that sidestep certain verification steps. You can also use the s_client tool 
provided within OpenSSL to verify the hostname and certificate exchange.

In general, you should be able to use a browser tool or s_client to show the 
certificate(s) being presented by the endpoint, and verify that the Subject 
Public Key Identifier of one or more of those certificates matches one listed 
in your truststore ($ keytool -list -v -keystore my_truststore.jks). Some other 
good things to verify:

* the certificate has validity dates that are currently active
* the certificate presents the proper hostname/IP address that the remote 
service is running on. Ensure any alternates you want to resolve are in the 
Subject Alternative Names entry
* you only need the private key in a keystore (and the keystore at all) if you 
are using TLS mutual authentication (i.e. NiFi presents a client certificate 
for authentication to be verified by the remote service)

Let us know if these steps help and you have further information.

$ openssl s_client -connect <host:port> -debug -state \
    -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> \
    -CAfile <path_to_your_CA_cert.pem>


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Mar 13, 2018, at 12:16 PM, Jones, Patrick L. <p...@mitre.org> wrote:
> 
> The best I could do right now is:
> 
> invokehttp.java.exception.class
> javax.net.ssl.SSLHandshakeException
> 
> invokehttp.java.exception.message
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
> 
> Any thoughts?
> 
> Pat
> 
> From: Jorge Machado [mailto:jom...@me.com]
> Sent: Tuesday, March 13, 2018 9:48 AM
> To: users@nifi.apache.org
> Subject: Re: InvokeHttp -- StandardSSLContextService Validator Exception
> 
> Any trace for us ?
> Working Example:
> <image001.png>
> 
> Jorge Machado
> 
> On 13 Mar 2018, at 13:11, Jones, Patrick L. <p...@mitre.org> wrote:
> 
> Howdy,
> 
> I’m using a StandardSSLContextService with InvokeHttp and I get a 
> ValidatorException ‘unable to find valid certification path to requested 
> target.’  The certs work when I use curl.  I put the CA cert and the public 
> key cert in the StandardSSLContextService truststore and the private key in 
> the keystore.  Any thoughts on how to make this work?
> 
> Thank you,
> 
> Pat

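Worked example, added here and not part of the thread above nor of the NiFi project: it builds a throwaway CA and server certificate offline, then runs the checks from Andy's reply with plain openssl (chain verification against the right and the wrong "truststore", Subject/Authority Key Identifier comparison, hostname check against the Subject Alternative Names, expiry check). The names demo.internal, nifi.demo.internal, "ca root"/"other root", the temp directory and the helper function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the "unable to
# find valid certification path" failure with a constructed PKI and run the
# checks a truststore problem calls for. All names here are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: "ca" issues the leaf; "other" is an unrelated CA that
# stands in for a truststore holding the wrong certificate.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:demo.internal,DNS:nifi.demo.internal\n' \
    > "$WORK/leaf.ext"
  for name in ca other; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$name root" \
      -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 365 \
      -extfile "$WORK/ca.ext" -out "$WORK/$name.pem" 2>/dev/null
  done
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key"
  openssl req -new -key "$WORK/server.key" -subj "/CN=demo.internal" \
    -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Exit 0 when the leaf chains to a CA in the given bundle (the "truststore");
# otherwise openssl reports "unable to get local issuer certificate", which is
# the same condition Java reports as "PKIX path building failed".
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Key identifiers as openssl prints them (AA:BB:...). keytool -list -v shows the
# same value under SubjectKeyIdentifier for each truststore entry, so the leaf's
# AKI must equal the SKI of some entry in the truststore.
ski_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' \
    | tail -n 1 | tr -d ' '
}
aki_of() {
  # OpenSSL 1.1.1 prefixes the value with "keyid:", 3.x does not; accept both.
  openssl x509 -in "$1" -noout -text | grep -A1 'Authority Key Identifier' \
    | tail -n 1 | tr -d ' ' | sed 's/^keyid://'
}

# Hostname check: X509_check_host matches DNS SANs, falling back to the CN only
# when the certificate carries no DNS SAN at all.
matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# -checkend 0 succeeds only if notAfter is still in the future. It does not
# catch a notBefore that has not arrived yet, so still eyeball -dates.
still_valid() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

make_pki
echo "leaf subject : $(openssl x509 -in "$WORK/server.pem" -noout -subject)"
echo "leaf AKI     : $(aki_of "$WORK/server.pem")"
echo "CA   SKI     : $(ski_of "$WORK/ca.pem")   <- must be present in the truststore"
if verify_chain "$WORK/ca.pem" "$WORK/server.pem"; then echo "chain OK against ca.pem"; fi
if ! verify_chain "$WORK/other.pem" "$WORK/server.pem"; then
  echo "chain FAILS against other.pem: the truststore-side cause of NiFi's PKIX error"
fi
for h in demo.internal nifi.demo.internal nifi.example.com; do
  if matches_host "$WORK/server.pem" "$h"; then echo "host $h: match"; else echo "host $h: NO match"; fi
done
still_valid "$WORK/server.pem" && echo "notAfter is still in the future"
# Against a live endpoint, capture the presented chain the same way Andy
# suggests, then feed the PEM blocks to ski_of/aki_of/matches_host above:
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null
```

The two chain checks are the whole story behind the error in the thread: the leaf is unchanged, only the CA bundle differs, and openssl's "unable to get local issuer certificate" against other.pem is the condition NiFi reports as "unable to find valid certification path to requested target". Comparing the leaf's Authority Key Identifier to the Subject Key Identifier of each truststore entry from keytool -list -v tells you in one line whether the right issuer is present.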