question Re: How to use InvokeHTTP without SSL verification in Support Questions

How to use InvokeHTTP without SSL verification

vatodorov19 — Thu, 05 Nov 2020 19:09:33 GMT

How can I use InvokeHTTP without SSL verification? I followed this article on how to import the public certificate but that cert is not CA-signed, and InvokeHTTP doesn't work. Below is the error I get.

https://community.cloudera.com/t5/Support-Questions/Is-it-possible-to-provide-options-to-InvokeHTTP-nifi/m-p/236239

In InvokeHTTP, I'm using the StandardSSLContextService with the following configs:

Thanks.

Valentin

Re: How to use InvokeHTTP without SSL verification

stevenmatison — Mon, 09 Nov 2020 12:40:11 GMT

@vatodorov19 If the service you are connecting too is https, there is no way to use invokeHttp without SSL Verification. If the remote host is using a publicly signed cert, try using cacerts in your java location before trying to make keystores and truststores. If you do make keystores and truststores from the service's public or self signed certs you will need to make sure those certs are generated following best practices. For example: using a real hostname for the service and make sure you connect to the same hostname, not an ip or "resilient.localdomain".

If this answer resolves your issue or allows you to move forward, please choose to ACCEPT this solution and close this topic. If you have further dialogue on this topic please comment here or feel free to private message me. If you have new questions related to your Use Case please create separate topic and feel free to tag me in your post.

Thanks,

Steven

Re: How to use InvokeHTTP without SSL verification

vatodorov19 — Thu, 12 Nov 2020 14:55:14 GMT

Thanks @stevenmatison

Is there a plan to add a feature to InvokeHTTP to access hosts with a self-signed cert? It is very common for organizations to deploy internal hosts with localhost.localdomain certs, that are only accessible by the IP.

Re: How to use InvokeHTTP without SSL verification

stevenmatison — Thu, 12 Nov 2020 16:12:57 GMT

@vatodorov19 I have used tons of self signed certs and not had issues. Maybe you need to just adjust the method to create the self signed certs and/or the keystore and truststores based on known working nifi samples. SSL, Certs, Keystores, Versions, and SSL Context Services each are all very finicky so getting them right can be as easy as a config change, or adjustment in the commands to kick of cert/keystore creations.

Re: How to use InvokeHTTP without SSL verification

Althotta — Wed, 15 Jun 2022 08:23:35 GMT

I have used invokeHTTP in 1.12 version without SSL cert and works fine, however new version 1.16 doesn't. Any settings available to ignore?. Ex: I connect to SQL server with JDBCConnection with property trustServerCertificate=true; post which it works without certifcates.