hermannpencole / nifi-config

Automatically deploy and configure Template on Nifi
Apache License 2.0

Issue to access a secured NiFi cluster #20

Closed alvincjin closed 7 years ago

alvincjin commented 7 years ago

```
java -jar nifi-deploy-config-1.1.12.jar \
  -user user \
  -password pwd \
  -nifi https://host:port/nifi-api \
  -branch "root>" \
  -conf api-deploy-demo.xml \
  -mode deployTemplate \
  -readTimeout 60000 \
  -writeTimeout 60000
```

```
2017-09-19 14:08:02 | ERROR | [main] c.g.h.n.c.Main:147 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
com.github.hermannpencole.nifi.swagger.ApiException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.github.hermannpencole.nifi.swagger.ApiClient.execute(ApiClient.java:1030)
	at com.github.hermannpencole.nifi.swagger.client.AccessApi.createAccessTokenWithHttpInfo(AccessApi.java:140)
	at com.github.hermannpencole.nifi.swagger.client.AccessApi.createAccessToken(AccessApi.java:125)
	at com.github.hermannpencole.nifi.config.service.AccessService.addTokenOnConfiguration(AccessService.java:36)
	at com.github.hermannpencole.nifi.config.Main.main(Main.java:120)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
```

ennui93 commented 7 years ago

Just guessing here; but are you using a self-signed certificate? If so, is that certificate or its CA in your JVM truststore?

alvincjin commented 7 years ago

Hi @ennui93 ,

Yes, I use a self-signed certificate generated by the nifi tls-tool to secure the NiFi cluster. I also enabled Kerberos for authentication.

Do you mean I should use keytool to import nifi-cert.pem into my JVM truststore? Like below?

```
keytool -import -trustcacerts -file /path/to/ca/nifi-cert.pem -alias nifi-cert -keystore ../jre/lib/security/cacerts
```

ennui93 commented 7 years ago

That looks correct. Possibly jssecacerts in place of cacerts.

hermannpencole commented 7 years ago

You must add your SSL certificate to your truststore, or use the option -noVerifySsl to turn off SSL certificate verification (see https://github.com/hermannpencole/nifi-config#advanced-options). If the answer is OK for you, please close the issue. If you have any questions, let me know.

alvincjin commented 7 years ago

Hi @ennui93 and @hermannpencole,

After I added the SSL certificate with the command below:

```
keytool -import -trustcacerts -file /path/to/ca/nifi-cert.pem -alias nifi-cert -keystore ../jre/lib/security/cacerts
```

I got the error below when I ran the same deployment command.

```
2017-09-25 14:07:07 | ERROR | [main] c.g.h.n.c.Main:147 - javax.net.ssl.SSLPeerUnverifiedException: Hostname 172.18.1.123 not verified:
    certificate: sha1/PR3YwdTdW0X0WSteCkSSX938RE=
    DN: CN=nifi-0.nifi-svc.nifi-k8s, OU=NIFI
    subjectAltNames: []
```

If I added -noVerifySsl option, it works well.

hermannpencole commented 7 years ago

See https://stackoverflow.com/questions/30745342/javax-net-ssl-sslpeerunverifiedexception-hostname-not-verified/30745599#30745599
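To show why the second error in this thread occurs even after the certificate is trusted, and which fixes avoid -noVerifySsl, here is an added Python model of the hostname-matching rules (RFC 2818/6125 style, as Java HTTP clients apply them); it is not code from nifi-config. The certificate dictionary is constructed from the DN and empty subjectAltNames list quoted in the error above; the IP-literal rule and the CN fallback are assumptions about the client's behaviour, not something the thread states.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed from the error quoted above: CN=nifi-0.nifi-svc.nifi-k8s, no SANs.
NIFI_CERT: Dict = {"cn": "nifi-0.nifi-svc.nifi-k8s", "sans": []}


def _dns_matches(pattern: str, host: str) -> bool:
    """DNS-ID comparison: case-insensitive, a single '*' only as the leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if not (p == h or (i == 0 and p == "*")):
            return False
    return True


def _as_ip(host: str):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def verify_hostname(cert: Dict, host: str) -> Optional[str]:
    """Return None when host is acceptable for cert, otherwise the reason.

    Assumed rules: an IP literal (like 172.18.1.123 above) must appear as an
    IP-type SAN, so the CN can never satisfy it; a DNS name must match a DNS
    SAN, and the CN is consulted only when the certificate has no DNS SAN.
    Connecting by the CN's name, or reissuing the certificate with SANs, fixes it.
    """
    sans: List[Tuple[str, str]] = cert.get("sans", [])
    ip = _as_ip(host)
    if ip is not None:
        if any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in sans):
            return None
        return f"Hostname {host} not verified: no IP subjectAltName matches"
    dns_sans = [v for k, v in sans if k == "DNS"]
    candidates = dns_sans if dns_sans else [cert["cn"]]
    if any(_dns_matches(c, host) for c in candidates):
        return None
    return f"Hostname {host} not verified: CN={cert['cn']}, subjectAltNames: {sans}"
```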