Could you try using an explicit path to the cacerts provided by your
JDK/JRE, instead of referring to $JAVA_HOME?  Andy gave an example of
"/Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts",
which you would update with the path to the JDK you are using.  Referencing
an environment variable (without using EL) will not work for a NiFi
property.  It does not appear that EL is supported for the keystore and
truststore properties, as that could lead to security issues.  Those
properties have validators that should also verify that the
keystore/truststore exists and is readable.  Were you able to successfully
start the SSLContextService after configuring it?

Also, as Andy mentioned, the URL you are using in InvokeHTTP needs to
present a certificate that is signed by a CA that is in the default
cacerts.  Can you please verify this?  You can get a list of what is
contained in cacerts by using keytool, and specifying the path to cacerts,
the password, and the list command.  For example:

keytool -storepass changeit -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_192.jdk/Contents/Home/jre/lib/security/cacerts -list

- Jeff

On Fri, Dec 21, 2018 at 2:55 PM l vic <[email protected]> wrote:

> I put "default" parameters for trust-store:
> Path: $JAVA_HOME/jre/lib/security/cacerts
> Password: changeit (default)
> Type: JKS
> and got an "invalid path" exception (see below).
> What should that missing cert file look like?
> Thanks again...
>
> 2018-12-21 14:46:00,021 ERROR [Timer-Driven Process Thread-1] o.a.nifi.processors.standard.InvokeHTTP InvokeHTTP[id=0929346d-d742-1fd9-e41a-8e4324b73349] Yielding processor due to exception encountered as a source processor: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: {}
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
>        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>        at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:267)
>        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:237)
>        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:148)
>        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:186)
>        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
>        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
>        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
>        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
>        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
>        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
>        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
>        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
>        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
>        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
>        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
>        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
>        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
>        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
>        at okhttp3.RealCall.execute(RealCall.java:63)
>        at org.apache.nifi.processors.standard.InvokeHTTP.onTrigger(InvokeHTTP.java:709)
>        at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
>        at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1122)
>        at org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:147)
>        at org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:47)
>        at org.apache.nifi.controller.scheduling.QuartzSchedulingAgent$2.run(QuartzSchedulingAgent.java:161)
>        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>        at java.lang.Thread.run(Thread.java:748)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>        at sun.security.validator.Validator.validate(Validator.java:260)
>        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>        ... 39 common frames omitted
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>        ... 45 common frames omitted
>
>
>
>
>
>
> On Thu, Dec 20, 2018 at 4:14 PM Andy LoPresto <[email protected]>
> wrote:
>
>> You need to configure the truststore properties in the SSLContextService
>> — the keystore contains the private key and public certificate the service
>> (NiFi) uses to identify itself, but the truststore contains the public
>> certificate(s) of external services NiFi should trust. In this case, in
>> order to connect to another service at https://service.external.com, you
>> will need to have the public certificate (pub1) of the External Service or
>> one of the public certificates in the chain that signed that pub1. If this
>> is a site on the public internet, you can probably use the JVM defaults, as
>> it will likely be signed by a known certificate authority. If not, you must
>> obtain that public certificate independently, put it in a JKS truststore,
>> and populate the controller service properties for it.
>>
>> JVM truststore:
>>
>> Path: $JAVA_HOME/jre/lib/security/cacerts (i.e.
>> /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts)
>> Password: changeit (default)
>> Type: JKS
>>
>>
>> Andy LoPresto
>> [email protected]
>> *[email protected] <[email protected]>*
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>> On Dec 20, 2018, at 2:31 PM, l vic <[email protected]> wrote:
>>
>> Hello,
>> I am trying to perform a "get" request over SSL from InvokeHTTP
>> nifi-1.5.0-RC1;
>> I configured SSL by means of a StandardSSLContextService
>> <https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi.ssl.StandardSSLContextService/>
>> with a jks certificate (see attached).
>> When I try to execute the processor, I see the following problem:
>> *Caused by: java.lang.IllegalStateException: TrustManagerFactoryImpl is not initialized*
>> *        at sun.security.ssl.TrustManagerFactoryImpl.engineGetTrustManagers(TrustManagerFactoryImpl.java:100)*
>> Do I have an error in my configuration, or is this a bug? The keystore
>> file/password combination is valid - I can do that request from cli.... Can
>> I do an "insecure" SSL request (like curl -k) with InvokeHTTP?
>> Below is the full stack trace
>>
>> 2018-12-20 14:53:41,116 ERROR [StandardProcessScheduler Thread-3] o.a.n.controller.StandardProcessorNode Failed to invoke @OnScheduled method due to java.lang.RuntimeException: Failed while executing one of processor's OnScheduled task.
>> java.lang.RuntimeException: Failed while executing one of processor's OnScheduled task.
>>         at org.apache.nifi.controller.StandardProcessorNode.invokeTaskAsCancelableFuture(StandardProcessorNode.java:1504)
>>         at org.apache.nifi.controller.StandardProcessorNode.initiateStart(StandardProcessorNode.java:1330)
>>         at org.apache.nifi.controller.StandardProcessorNode.lambda$start$0(StandardProcessorNode.java:1315)
>>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>         at java.lang.Thread.run(Thread.java:748)
>> Caused by: java.util.concurrent.ExecutionException: java.lang.reflect.InvocationTargetException
>>         at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>>         at java.util.concurrent.FutureTask.get(FutureTask.java:206)
>>         at org.apache.nifi.controller.StandardProcessorNode.invokeTaskAsCancelableFuture(StandardProcessorNode.java:1487)
>>         ... 9 common frames omitted
>> Caused by: java.lang.reflect.InvocationTargetException: null
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:137)
>>         at org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:125)
>>         at org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:70)
>>         at org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:47)
>>         at org.apache.nifi.controller.StandardProcessorNode$1.call(StandardProcessorNode.java:1334)
>>         at org.apache.nifi.controller.StandardProcessorNode$1.call(StandardProcessorNode.java:1330)
>>         ... 6 common frames omitted
>> Caused by: java.lang.IllegalStateException: TrustManagerFactoryImpl is not initialized
>>         at sun.security.ssl.TrustManagerFactoryImpl.engineGetTrustManagers(TrustManagerFactoryImpl.java:100)
>>         at javax.net.ssl.TrustManagerFactory.getTrustManagers(TrustManagerFactory.java:285)
>>         at org.apache.nifi.processors.standard.InvokeHTTP.setSslSocketFactory(InvokeHTTP.java:613)
>>         at org.apache.nifi.processors.standard.InvokeHTTP.setUpClient(InvokeHTTP.java:545)
>>         ... 16 common frames omitted
>> <Screen Shot 2018-12-20 at 3.21.08 PM.png>
>>
>>
>>
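
The checks discussed in this thread (an explicit truststore path rather than a literal $JAVA_HOME, a file that exists and is readable, then the keytool listing), as an added shell example that is not part of the original messages. The function names and exit codes are assumptions, and the demo runs on an empty placeholder file rather than a real keystore.

```shell
#!/bin/sh
# Added example, not from the thread: function names and exit codes are
# assumptions chosen for illustration.

# check_truststore_path VALUE
# Rejects a value NiFi would take literally (it still contains '$'),
# then checks that the file exists and is readable. Prints the path on success.
check_truststore_path() {
    value=$1
    case $value in
        *'$'*) echo "unexpanded variable in '$value'" >&2; return 2 ;;
    esac
    [ -f "$value" ] || { echo "no such file: $value" >&2; return 3; }
    [ -r "$value" ] || { echo "not readable: $value" >&2; return 4; }
    printf '%s\n' "$value"
}

# find_cacerts JDK_HOME
# JDK 8 keeps cacerts under jre/lib/security; a JRE-only install and
# JDK 9+ keep it under lib/security.
find_cacerts() {
    for rel in jre/lib/security/cacerts lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# list_trusted_cas PATH [PASSWORD]
# Same keytool listing as in the reply above; "changeit" is the JDK default.
list_trusted_cas() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 127; }
    keytool -list -keystore "$1" -storepass "${2:-changeit}"
}

# Demo on a constructed JDK 8 layout (empty placeholder, not a real keystore).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/jre/lib/security"
: > "$demo_home/jre/lib/security/cacerts"
check_truststore_path '$JAVA_HOME/jre/lib/security/cacerts' || echo "rejected, exit $?"
check_truststore_path "$(find_cacerts "$demo_home")"
rm -rf "$demo_home"
```

With a real JDK, `list_trusted_cas "$(find_cacerts /path/to/jdk)"` prints the CA entries to compare against the issuer of the certificate the remote service presents.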
