Usually the error "unable to find valid certification path to
requested target" means that the truststore used by NiFi is not
trusting the cert presented by NiFi Registry.

You can check this by using keytool to inspect the keystores and truststores.

On the NiFi server, use keytool to list the truststore.jks:

keytool -list -v -keystore truststore.jks

Look for the Owner entry in the output.

On the NiFi Registry side, list the keystore.jks:

keytool -list -v -keystore keystore.jks

Look for the Issuer entry in the output.

The issuer of the NiFi Registry cert should be the owner of the
trusted cert in NiFi's truststore.


On Wed, Mar 28, 2018 at 3:56 PM, Scott Howell <scotthow...@mobilgov.com> wrote:
> So now, since I have restarted, I am getting an SSL error when trying to
> access my buckets. This is the stack trace from the nifi-user.log:
>
> o.a.n.w.a.config.NiFiCoreExceptionMapper org.apache.nifi.web.NiFiCoreException: Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.cert...skipping...
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
>         at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:258)
>         at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:147)
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
>         at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
>         at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:122)
>         at org.eclipse.jetty.util.thread.strategy.ExecutingExecutionStrategy.invoke(ExecutingExecutionStrategy.java:58)
>         at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:201)
>         at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:133)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>         at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:347)
>         at org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390)
>         at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282)
>         at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278)
>         at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:767)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:229)
>         at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414)
>         at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:765)
>         at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:428)
>         at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:324)
>         at org.apache.nifi.registry.client.impl.JerseyBucketClient.lambda$getAll$5(JerseyBucketClient.java:135)
>         at org.apache.nifi.registry.client.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:71)
>         at org.apache.nifi.registry.client.impl.JerseyBucketClient.getAll(JerseyBucketClient.java:134)
>         at org.apache.nifi.registry.flow.RestBasedFlowRegistry.getBuckets(RestBasedFlowRegistry.java:142)
>         at org.apache.nifi.web.dao.impl.FlowRegistryDAO.getBucketsForUser(FlowRegistryDAO.java:75)
>         ... 112 common frames omitted
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>         at sun.security.validator.Validator.validate(Validator.java:260)
>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>         ... 141 common frames omitted
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>         ... 147 common frames omitted
>
>> On Mar 28, 2018, at 2:47 PM, Bryan Bende <bbe...@gmail.com> wrote:
>>
>> Ok, can you provide the stacktrace from nifi-app.log when it gets the
>> socket timeout?
>>
>> On Wed, Mar 28, 2018 at 3:45 PM, Scott Howell <scotthow...@mobilgov.com> 
>> wrote:
>>> Yes I have https: defined on the registry client.
>>>
>>>> On Mar 28, 2018, at 2:29 PM, Bryan Bende <bbe...@gmail.com> wrote:
>>>>
>>>> Just to double-check, when you defined the Registry Client in NiFi,
>>>> did you enter the URL starting with "https" ?
>>>>
>>>> On Wed, Mar 28, 2018 at 3:13 PM, Scott Howell <scotthow...@mobilgov.com> 
>>>> wrote:
>>>>> I have a single node NiFi server set up with a self-signed keystore and
>>>>> truststore. I then used the same self-signed cert to create a keystore
>>>>> and truststore for NiFi Registry. Currently I am able to access the UI
>>>>> for both NiFi and NiFi Registry securely while also seeing the correct
>>>>> certificates being presented in the browser.
>>>>>
>>>>> I have used openssl commands to test both my pem file and my certificates
>>>>> to make sure the correct CN and OU are presented, along with the correct
>>>>> CA.pem being used.
>>>>>
>>>>> I am getting a socket timeout when I try to connect to my NiFi Registry
>>>>> from NiFi while setting up version control on a process group. On NiFi Registry
>>>>> when this happens I am presented with this error:
>>>>>
>>>>> 2018-03-28 19:11:41,877 DEBUG [NiFi Registry Web Server-11] org.eclipse.jetty.io.ssl.SslConnection onFillable exit DecryptedEndPoint@3d8539fb{/10.10.1.121:36772<->/10.10.20.113:18443,CLOSED,fill=-,flush=-,to=5/30000}->HttpConnection@3eee3493[p=HttpParser{s=CLOSED,0 of 0},g=HttpGenerator@48017bf4{s=START}]=>HttpChannelOverHttp@42d699fb{r=1,c=false,a=IDLE,uri=null}->SocketChannelEndPoint@53aa93f0{/10.10.1.121:36772<->/10.10.20.113:18443,CLOSED,fill=-,flush=-,to=2/30000}{io=0/0,kio=-1,kro=-1}->SslConnection@5cdfd9ee{NOT_HANDSHAKING,eio=-1/-1,di=-1}=>HttpConnection@3eee3493[p=HttpParser{s=CLOSED,0 of 0},g=HttpGenerator@48017bf4{s=START}]=>HttpChannelOverHttp@42d699fb{r=1,c=false,a=IDLE,uri=null}
>>>>> 2018-03-28 19:11:41,877 DEBUG [NiFi Registry Web Server-11] o.e.jetty.util.thread.QueuedThreadPool ran CEP:SocketChannelEndPoint@53aa93f0{/10.10.1.121:36772<->/10.10.20.113:18443,CLOSED,fill=-,flush=-,to=2/30000}{io=0/0,kio=-1,kro=-1}->SslConnection@5cdfd9ee{NOT_HANDSHAKING,eio=-1/-1,di=-1}=>HttpConnection@3eee3493[p=HttpParser{s=CLOSED,0 of 0},g=HttpGenerator@48017bf4{s=START}]=>HttpChannelOverHttp@42d699fb{r=1,c=false,a=IDLE,uri=null}:runFillable:BLOCKING
>>>>>
>>>>> It looks like the SSL handshake is not taking place between NiFi and the
>>>>> NiFi Registry, but all of my testing looks like the handshake is good
>>>>> between the servers. Has anyone run into this when using a self-signed
>>>>> certificate and not the nifi-tls-toolkit?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Scott
>>>
>
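The comparison described at the top of the thread (the Owner of the trusted entry in NiFi's truststore against the Issuer of the certificate NiFi Registry presents), written out as an added shell example. This is not code from the thread or from the NiFi project; it parses the text that `keytool -list -v` prints. The two listings embedded below are constructed samples, and the aliases and DNs in them are assumptions, so on a real host you would feed it the actual keytool output instead.

```shell
#!/bin/sh
# Added example: check that NiFi's truststore trusts the issuer of the
# certificate NiFi Registry serves, from `keytool -list -v` output.
# Both listings are CONSTRUCTED samples (assumed aliases and DNs), not real output.

# Constructed stand-in for: keytool -list -v -keystore truststore.jks   (NiFi host)
NIFI_TRUSTSTORE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-ca
Creation date: Mar 28, 2018
Entry type: trustedCertEntry

Owner: CN=NiFi Example CA, OU=NIFI
Issuer: CN=NiFi Example CA, OU=NIFI
Serial number: 1'

# Constructed stand-in for: keytool -list -v -keystore keystore.jks   (NiFi Registry host)
REGISTRY_KEYSTORE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-registry
Creation date: Mar 28, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=registry.example.internal, OU=NIFI
Issuer: CN=NiFi Example CA, OU=NIFI
Serial number: 2'

# Owner DN of every trustedCertEntry in a keytool listing, one per line.
# Owner lines under a PrivateKeyEntry are skipped: a private key entry in a
# truststore is not what the TLS client consults for trust.
trusted_owners() {
  printf '%s\n' "$1" | awk '
    /^Entry type:/ { trusted = ($0 ~ /trustedCertEntry/) }
    /^Owner:/ && trusted { sub(/^Owner: */, ""); print }
  '
}

# Issuer DN of the first certificate in each PrivateKeyEntry chain, i.e. the
# certificate the server sends in the handshake, one per line.
# For a self-signed server cert (chain length 1) this equals its Owner.
server_cert_issuers() {
  printf '%s\n' "$1" | awk '
    /^Entry type:/ { pk = ($0 ~ /PrivateKeyEntry/); seen = 0 }
    /^Issuer:/ && pk && !seen { sub(/^Issuer: */, ""); print; seen = 1 }
  '
}

# Exit 0 when every server cert issuer in the keystore listing ($2) is the
# Owner of a trusted entry in the truststore listing ($1); exit 1 otherwise.
issuers_are_trusted() {
  issuers=$(server_cert_issuers "$2")
  [ -n "$issuers" ] || { echo "no PrivateKeyEntry in keystore listing" >&2; return 1; }
  printf '%s\n' "$issuers" | while IFS= read -r issuer; do
    trusted_owners "$1" | grep -Fxq -- "$issuer" \
      || { echo "not trusted by truststore: $issuer" >&2; exit 1; }
  done
}

if issuers_are_trusted "$NIFI_TRUSTSTORE_LISTING" "$REGISTRY_KEYSTORE_LISTING"; then
  echo "OK: NiFi's truststore trusts the issuer of the NiFi Registry cert"
else
  echo "MISMATCH: import the registry CA (or the self-signed registry cert) into NiFi's truststore"
fi
```

Two caveats when using this against real listings. Matching the DN strings is only the quick check Bryan describes; what the JVM actually does is PKIX path building, so the trusted cert must also be the one whose key signed the registry cert (a second CA that happens to use the same subject name will still fail with the same exception). And make sure the truststore.jks you inspect is the file NiFi is configured to use (nifi.security.truststore in nifi.properties), not just one that happens to sit in the conf directory.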
