Hello,

In the first error, it looks like maybe you had PutSyslog configured for TLS/SSL, but were sending to a port that was not listening for TLS/SSL, but regular TCP.

In the second error, it means the truststore in the SSL Context Service in NiFi does not trust the certificate presented by the syslog server.

Thanks,

Bryan

On Fri, Apr 10, 2020 at 6:48 AM muhyid72 <[email protected]> wrote:

> Dear All
>
> I am trying to send events from NiFi 1.11.3 to syslog (with TLS secure configuration). There is mutual authentication (two way).
>
> 1. I configured PutSyslog processor with StandardRestrictedSSLContextService.
> 1.1. I created a keystore (keystore type JKS) and truststore (truststore type JKS)
> 1.2. I selected TLS protocol TLS1.2.
> 1.3. I added certificates (my certificate and its chain) in stores
> 1.4. I also added Chain Certificates (Intermediate and Root) in Java cacert
> 1.5. I checked StandardRestrictedSSLContextService, its state is enabled and there was no problem
>
> 2. When I tried to send events to Syslog without secure (TLS) configuration there is no problem.
>
> 3. I tried to send events to Syslog with secure (TLS) configuration for two different Java versions (8 and 11). It didn't transfer, I got errors in the log:
>
> *Java JRE 1.8.0_241 (64 Bit):*
>
> 2020-04-09 20:48:05,803 ERROR [Timer-Driven Process Thread-8] o.a.nifi.processors.standard.PutSyslog PutSyslog[id=c5edd235-8149-3973-ef37-7a0a2257f1ab] No available connections, and unable to create a new one, transferring StandardFlowFileRecord[uuid=3dc7fc46-cceb-47e3-853b-ebef7da2af1e,claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1586438497349-2, container=default, section=2], offset=280511, length=99859],offset=34294,name=a45af0.log,size=214] to failure: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> *javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?*
>     at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
>     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:178)
>     at org.apache.nifi.processor.util.put.sender.SSLSocketChannelSender.open(SSLSocketChannelSender.java:55)
>     at org.apache.nifi.processors.standard.PutSyslog.createSender(PutSyslog.java:259)
>     at org.apache.nifi.processors.standard.PutSyslog.createSender(PutSyslog.java:238)
>     at org.apache.nifi.processors.standard.PutSyslog.onTrigger(PutSyslog.java:326)
>     at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
>     at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1176)
>     at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:213)
>     at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:117)
>     at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
>     at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
>
> *JDK 11.0.6 (64 Bit):*
>
> 2020-04-10 09:17:28,869 ERROR [Timer-Driven Process Thread-3] o.a.nifi.processors.standard.PutSyslog PutSyslog[id=c5edd235-8149-3973-ef37-7a0a2257f1ab] No available connections, and unable to create a new one, transferring StandardFlowFileRecord[uuid=b9693349-d4ea-4e22-a206-e713e785951f,claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1586438497349-2, container=default, section=2], offset=280511, length=99859],offset=74530,name=a45af0.log,size=241] to failure: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> *javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target*
>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:646)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:465)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
>     at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>     at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:450)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1078)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1012)
>     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performTasks(SSLSocketChannel.java:274)
>     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:260)
>     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:164)
>     at org.apache.nifi.processor.util.put.sender.SSLSocketChannelSender.open(SSLSocketChannelSender.java:55)
>     at org.apache.nifi.processors.standard.PutSyslog.createSender(PutSyslog.java:259)
>     at org.apache.nifi.processors.standard.PutSyslog.createSender(PutSyslog.java:238)
>     at org.apache.nifi.processors.standard.PutSyslog.onTrigger(PutSyslog.java:326)
>     at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
>     at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1176)
>     at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:213)
>     at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:117)
>     at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
>     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>     at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
>     at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
>     at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
>     at java.base/sun.security.validator.Validator.validate(Validator.java:264)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:624)
>     ... 26 common frames omitted
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>     at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>     at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
>     at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
>     ... 32 common frames omitted
>
> 4. I suspected a problem at the syslog side, I tried the same process through Logstash 7.3.1 with secure (TLS) configuration (with Java JRE 1.8.0_241 (64 Bit)) and it ran.
>
> 5. My environment details are below:
> Apache NiFi 1.11.3
> Windows Server 2016
> Java JRE 1.8.0_241 (64 Bit) -- preferred
> or
> Java JDK 11.0.6 (64 Bit)
>
> Do you have any comment?
>
> --
> Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
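
The two causes named in the reply above (a port that is not listening for TLS, and a truststore that does not trust the server certificate) can be told apart from outside NiFi with one verified handshake against the syslog port. The Python below is an added example, not part of the thread and not NiFi code; `probe_tls`, `start_plain_tcp_listener` and the PEM `cafile` (assumed to be exported from the JKS truststore) are hypothetical names, and the listener is a constructed stand-in for a plain TCP syslog port.

```python
import socket
import ssl
import threading


def probe_tls(host, port, cafile=None, certfile=None, keyfile=None, timeout=5.0):
    """Attempt one verified TLS handshake and classify the outcome.

    cafile: PEM bundle of the CAs the client should trust (assumption: exported
    from the JKS truststore); None falls back to the system store.
    certfile/keyfile: optional PEM client certificate for mutual TLS.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "trusted", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Server spoke TLS, but its chain (or name) failed validation:
        # the "PKIX path building failed" case.
        return "untrusted", exc.verify_message
    except ssl.SSLError as exc:
        if "ALERT" in (exc.reason or ""):
            # Peer speaks TLS and refused us, e.g. client certificate rejected.
            return "peer-alert", exc.reason
        return "not-tls", exc.reason or str(exc)
    except OSError as exc:
        # Reset, EOF or timeout mid-handshake: typical of a plain TCP listener.
        return "not-tls", str(exc)


def start_plain_tcp_listener():
    """Constructed stand-in for a syslog port that is NOT configured for TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)   # the ClientHello arrives as meaningless bytes
        conn.close()      # listener gives up; client sees a dead handshake
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_plain_tcp_listener()))
```

A "trusted" result describes the server's chain only; with mutual authentication the server's verdict on the client certificate can still arrive after the handshake returns.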
