Hello everyone,

My NiFi has an issue communicating with NiFi Registry.

Both are set up to authenticate and authorize using the same LDAP search 
string, and SSL is set up in such a way that users can log in securely to each UI. 
Individually, they are both working as expected. However, NiFi can't seem to 
talk to NiFi Registry.

When performing the "Start version control", I encounter the following error:
Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: 
Received fatal alert: certificate_unknown

Both instances handle SSL using the client key/crt, as well as server ca crt, 
provided by OpenShift.  They are turned into keystore.jks and truststore.jks 
using the following script:

_keystore_gen (){
    ## Convert PEM formatted certificate and private key to JKS format
    #  NiFi is a Java based Application
    # Step 1: bundle the PEM key and certificate into a PKCS#12 file
    openssl pkcs12 -export \
        -inkey /etc/tls/tls.key \
        -in /etc/tls/tls.crt \
        -name keystore \
        -out "$NIFI_HOME/conf/keystore.p12" \
        -password "pass:$KEYSTORE_PASSWORD"
    # Step 2: convert the PKCS#12 file into a JKS keystore
    keytool -importkeystore -noprompt \
        -srckeystore "$NIFI_HOME/conf/keystore.p12" \
        -srcstoretype pkcs12 \
        -destkeystore "$NIFI_HOME/conf/keystore.jks" \
        -storepass "$KEYSTORE_PASSWORD" \
        -srcstorepass "$KEYSTORE_PASSWORD"

    return 0
}

_truststore_gen (){
    ## Create a Java Truststore starting from a CA bundle
    #  Loop is required because keytool only imports one certificate at a time
    # Split the bundle into one file per certificate (crt-00, crt-01, ...)
    csplit -z -f crt- /etc/certs/service-ca.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
    for file in crt-*; do
        keytool -importcert -noprompt \
            -keystore "$TRUSTSTORE_PATH" \
            -file "$file" \
            -storepass "$TRUSTSTORE_PASSWORD" \
            -alias "service-$file"
    done

    return 0
}

This takes place in both NiFi and NiFi Registry prior to starting.

What is the cause of the certificate_unknown error and what should I do to fix 
it?

Cheers,

Tony Sim
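
An added diagnostic sketch, not part of the original post: when NiFi connects to a secured NiFi Registry it presents its keystore certificate as a TLS client certificate, so one useful check is whether that certificate chains to the CA bundle behind the truststore and is permitted for client as well as server use. The file paths are the ones from the post; `verify_as` and `make_demo_pki` are hypothetical helper names, and the demo CA and leaf are constructed sample data used only when those paths are absent.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the post). Requires the openssl CLI.

# Return 0 if the leaf certificate chains to the CA bundle AND is
# permitted for the given role: sslserver or sslclient.
verify_as() {  # $1 = role, $2 = leaf PEM, $3 = CA bundle PEM
    openssl verify -purpose "$1" -CAfile "$3" "$2" >/dev/null 2>&1
}

# Constructed sample data: a throwaway CA and a leaf whose Extended Key
# Usage allows server authentication only.
make_demo_pki() {  # $1 = empty working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=nifi.demo' \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' > "$1/ext.cnf"
    openssl x509 -req -in "$1/leaf.csr" -days 1 -extfile "$1/ext.cnf" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.crt" 2>/dev/null
}

# Paths from the post; fall back to the constructed demo PKI elsewhere.
CERT=/etc/tls/tls.crt
CA=/etc/certs/service-ca.crt
if [ ! -r "$CERT" ] || [ ! -r "$CA" ]; then
    DEMO_DIR=$(mktemp -d)
    make_demo_pki "$DEMO_DIR"
    CERT=$DEMO_DIR/leaf.crt
    CA=$DEMO_DIR/ca.crt
fi
for role in sslserver sslclient; do
    if verify_as "$role" "$CERT" "$CA"; then
        echo "$role: accepted"
    else
        echo "$role: rejected"
    fi
done
```

A certificate that is accepted as `sslserver` but rejected as `sslclient` works for the UI while failing when the same keystore is used to authenticate to another service.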

