Hi All, Got this working fine by using the cacerts truststore.
Thanks for all the input. Regards Dan From: Andy LoPresto <[email protected]> Sent: 06 August 2020 17:02 To: [email protected] Subject: Re: External Access using InvokeHTTP_Test processor and StandardSSLContextService CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. This is not a JVM issue. Josef is correct that the external site you are trying to communicate with is presenting a certificate which the configured NiFi truststore has no way to verify (it can’t find the “path” between cert X and any of its signing certs to one already known by NiFi). The solution is to acquire the external server public certificate or a signing certificate and import it directly into the truststore you have configured for the InvokeHTTP processor via the SSLStandardContextService, or reference a different truststore which already has the certificate present. If you are pointing at the same truststore you use for NiFi as an application, it’s not suggested to import the external cert directly, as this will have an impact on authentication mechanisms. Rather, use a new truststore explicitly for this use case, or reference the JRE provided “cacerts” truststore [1] directly from the SSLContextService (default password is “changeit” and it comes with many commercial/public CAs imported automatically, just like your browser or OS). [1] https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html Andy LoPresto [email protected]<mailto:[email protected]> [email protected]<mailto:[email protected]> He/Him PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 On Aug 6, 2020, at 6:32 AM, Jorge Machado <[email protected]<mailto:[email protected]>> wrote: Hi Dan, Seems like this is a jvm issue. Try this: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html Diagnosis Use SSL Poke to verify connectivity Try the Java class SSLPoke to see if your truststore contains the right certificates. This will let you connect to a SSL service, send a byte of input, and watch the output. 1. Download SSLPoke.class<https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class> 2. Execute the class as per the below, changing the URL and port appropriately. Take care that you are running the same Java as what Confluence is running with. If you used the installer you will need to use <confluence-home>/jre/java $JAVA_HOME/bin/java SSLPoke jira.example.com<http://jira.example.com/> 443 A mail server may be mail.example.com<http://mail.example.com/> 465 . The jira.example.com<http://jira.example.com/> is your custom site. Add the CA Certs On 6. Aug 2020, at 14:08, <[email protected]<mailto:[email protected]>> <[email protected]<mailto:[email protected]>> wrote: It tells you most probably that the CA cert from the remote HTTPS server hasn’t been found in the truststore you’ve defined to access the site. So please check again the CA cert and the truststore… Cheers Josef From: "White, Daniel" <[email protected]<mailto:[email protected]>> Reply to: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Thursday, 6 August 2020 at 13:07 To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: External Access using InvokeHTTP_Test processor and StandardSSLContextService Confidential Hi All, We’ve setup the truststore from the NiFi processor. However we get the following error when trying to connect to an external HTTPS location The error I get is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Any ideas? Assume this is a cert issue on the Nifi server. Thanks Dan White Lead Technical Architect Legal & General Investment Management One Coleman Street, London, EC2R 5AA Tel: +44 203 124 4048 Mob: +44 7980 027 656 www.lgim.com<http://www.lgim.com/> This e-mail (and any attachments) may contain privileged and/or confidential information. If you are not the intended recipient please do not disclose, copy, distribute, disseminate or take any action in reliance on it. If you have received this message in error please reply and tell us and then delete it. Should you wish to communicate with us by e-mail we cannot guarantee the security of any data outside our own computer systems. Any information contained in this message may be subject to applicable terms and conditions and must not be construed as giving investment advice within or outside the United Kingdom or Republic of Ireland. Telephone Conversations may be recorded for your protection and to ensure quality of service Legal & General Investment Management Limited (no 2091894), LGIM Real Assets (Operator) Limited (no 05522016), LGIM (International) Limited (no 7716001) Legal & General Unit Trust Managers (no 1009418), GO ETF Solutions LLP (OC329482) and LGIM Corporate Director Limited (no 7105051) are authorised and regulated by the Financial Conduct Authority. All are registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA Legal & General Assurance (Pensions Management) Limited (no 1006112) is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA. Legal & General Property Limited (no 2091897) is authorised and regulated by the Financial Conduct Authority for insurance mediation activities. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA. LGIM Managers (Europe) Limited is authorised and regulated by the Central Bank of Ireland (C173733). It is registered in the Republic of Ireland (no 609677) with a registered office at 33/34 Sir John Rogerson's Quay, Dublin 2, D02 XK09. Legal & General Group PLC, Registered Office One Coleman Street, London, EC2R 5AA. Registered in England no: 1417162 ________________________________________________________________________ **** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General **** ________________________________________________________________________ *** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General. Please report unwanted spam email to [email protected]<mailto:[email protected]> *** Please consider the environment before printing this email. ________________________________________________________________________ **** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General ****
