Invoke HTTP error : certification path to requested target

0
votes

I have a cluster managed with cloudera, I have installed CFM (Nifi) with the tutorial; also secured the nifi nodes with TLS/SSL. When I tried the invokeHTTP processor, I have the following bulletin:

InvokeHTTP[id=3c2dea7a-0172-1000-0000-0000350072f1] Yielding processor due to exception encountered as a source processor: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have tried with and without a secured cluster (with the help of Nifi CA toolkit service), without any success. I also tried to create a controller service to force path of the trustore and keystore.

Now I am clueless on what to do, any ideas?

Thank you for your help,

2
apache-nifi

2 Answers

2
votes

@pdeuxa you need to configure the SSLContextService for the resource you are connecting to not the nifi cluster. You do this by adding the resource's SSL Certificates to a local nifi truststore, then tell NiFi where the truststore is. The files need to be properly owned for nifi and copied to all nifi nodes.

1
votes

It works with SSLcontext configuration!

I copied the cacert from java jdk on each nifi nodes, and grant ownership to the cacert to nifi user.

On the SSL context configuration I added the path of the copied cacert for keystore and trustore (the defaut password for java cacert is "changeit").

Then I forced invokehttp "proxy type" property on "http"