https://community.cloudera.com/t5/Support-Questions/Problem-while-using-ConsumeIMAP-processor/m-p/289287#M214153 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/73935">@Pr1</a>&nbsp;</P><P>&nbsp;</P><P>While I am not an IMAP expert, the exception you are seeing here:<BR /><BR /></P><P>PKIX path building failed.</P><P>unable to find valid certification path</P><P><BR />This is a TLS handshake exception telling you that the complete certificate trust chain does not exist in the keystore.&nbsp; On the NiFi side the complete trust chain would found in the NiFi truststore.jks.&nbsp; Note: If NiFi is not secured you may need to add the trust chain certs to the NiFI java's default cacerts keystore.<BR /><BR />You can use openssl to get the complete trust chain for the IMAP server you are trying to consume from:</P><LI-CODE lang="markup">openssl s_client -connect &lt;IMAP server&gt;:&lt;IMAP port&gt; -showcerts</LI-CODE><P><BR />In the server hello response returned from the IMAP server using above command, you will see multiple certificates.&nbsp; First certificate is the imap server's public certificate (you do not need this one).&nbsp; You will need all the public certificates that follow that server certificate.&nbsp; These will be your Signing CAs (there may be one or more in order of signing until you reach the rootCA). The rootCa is last and you will notice the owner and issuer DN is the same. Each certificate begins with:</P><LI-CODE lang="markup">-----BEGIN CERTIFICATE-----</LI-CODE><P><BR />and ends with:</P><LI-CODE lang="markup">-----END CERTIFICATE-----</LI-CODE><P>&nbsp;</P><P>So you want to copy each certificate including the above lines to separate files:<BR />Eaxamples:<BR />intermediate.pem, intermediate2.pem, rootCA.pem&nbsp;<BR /><BR />You can then use keytool to import these CAs in to your NiFi truststore.</P><LI-CODE lang="markup">keytool -importcert -alias &lt;alias usually based off CN name for certiifcate&gt; -file &lt;certificate.pem&gt; -keystore &lt;truststore.jks or java cacerts&gt; -trustcacerts</LI-CODE><P>Note: each certificate imported must use a unique alias.</P><P>&nbsp;</P><P>I recommend importing your certificates in the same order as they were listed in openssl response (importing the rootCA last).<BR /><BR />Restart your NiFi so it loads the modified keystore.<BR /><BR />Hope this helps resolve your trust chain issue,</P><P>Matt</P> Thu, 06 Feb 2020 15:21:08 GMT MattWho 2020-02-06T15:21:08Z https://community.cloudera.com/t5/Support-Questions/Problem-while-using-ConsumeIMAP-processor/m-p/289278#M214152 <P>Hello ,</P> <P>&nbsp;</P> <P>Can anyone experienced issue while using ConsumeImap Processor for consuming messages from Secure Email server using Imap port 993.</P> <P>&nbsp;</P> <P>We are getting below error</P> <P>PKIX path building failed.</P> <P>unable to find valid cerification path</P> <P>&nbsp;</P> <P>Please write here if anyone faced issue like this.</P> <P>&nbsp;</P> <P>Thanks and Regards</P> <P>&nbsp;</P> Thu, 06 Feb 2020 19:59:52 GMT https://community.cloudera.com/t5/Support-Questions/Problem-while-using-ConsumeIMAP-processor/m-p/289278#M214152 Pr1 2020-02-06T19:59:52Z https://community.cloudera.com/t5/Support-Questions/Problem-while-using-ConsumeIMAP-processor/m-p/289287#M214153 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/73935">@Pr1</a>&nbsp;</P><P>&nbsp;</P><P>While I am not an IMAP expert, the exception you are seeing here:<BR /><BR /></P><P>PKIX path building failed.</P><P>unable to find valid certification path</P><P><BR />This is a TLS handshake exception telling you that the complete certificate trust chain does not exist in the keystore.&nbsp; On the NiFi side the complete trust chain would found in the NiFi truststore.jks.&nbsp; Note: If NiFi is not secured you may need to add the trust chain certs to the NiFI java's default cacerts keystore.<BR /><BR />You can use openssl to get the complete trust chain for the IMAP server you are trying to consume from:</P><LI-CODE lang="markup">openssl s_client -connect &lt;IMAP server&gt;:&lt;IMAP port&gt; -showcerts</LI-CODE><P><BR />In the server hello response returned from the IMAP server using above command, you will see multiple certificates.&nbsp; First certificate is the imap server's public certificate (you do not need this one).&nbsp; You will need all the public certificates that follow that server certificate.&nbsp; These will be your Signing CAs (there may be one or more in order of signing until you reach the rootCA). The rootCa is last and you will notice the owner and issuer DN is the same. Each certificate begins with:</P><LI-CODE lang="markup">-----BEGIN CERTIFICATE-----</LI-CODE><P><BR />and ends with:</P><LI-CODE lang="markup">-----END CERTIFICATE-----</LI-CODE><P>&nbsp;</P><P>So you want to copy each certificate including the above lines to separate files:<BR />Eaxamples:<BR />intermediate.pem, intermediate2.pem, rootCA.pem&nbsp;<BR /><BR />You can then use keytool to import these CAs in to your NiFi truststore.</P><LI-CODE lang="markup">keytool -importcert -alias &lt;alias usually based off CN name for certiifcate&gt; -file &lt;certificate.pem&gt; -keystore &lt;truststore.jks or java cacerts&gt; -trustcacerts</LI-CODE><P>Note: each certificate imported must use a unique alias.</P><P>&nbsp;</P><P>I recommend importing your certificates in the same order as they were listed in openssl response (importing the rootCA last).<BR /><BR />Restart your NiFi so it loads the modified keystore.<BR /><BR />Hope this helps resolve your trust chain issue,</P><P>Matt</P> Thu, 06 Feb 2020 15:21:08 GMT https://community.cloudera.com/t5/Support-Questions/Problem-while-using-ConsumeIMAP-processor/m-p/289287#M214153 MattWho 2020-02-06T15:21:08Z https://community.cloudera.com/t5/Support-Questions/Problem-while-using-ConsumeIMAP-processor/m-p/289726#M214424 <P>Thanks for your reply. This solution worked.</P> Thu, 13 Feb 2020 14:00:40 GMT https://community.cloudera.com/t5/Support-Questions/Problem-while-using-ConsumeIMAP-processor/m-p/289726#M214424 Pr1 2020-02-13T14:00:40Z