https://community.cloudera.com/t5/Support-Questions/Nifi-Kafka-Confluent-SSL-handshake-failed/m-p/348004#M235299 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/99271">@Alevc</a>&nbsp;<BR /><BR /></P><LI-CODE lang="markup">Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</LI-CODE><P>The above exception you are encountering with TLS is caused by a lack of a complete trust chain in the mutual TLS handshake.<BR /><BR />On each side (server and client) of your TLS connection, you will have a keystore containing a PrivateKey entry (Will support and extended key usage (EKU) of clientAuth, serverAuth, or both) that either your client or server will use to identify itself.&nbsp; &nbsp;That PrivateKey entry will have an owner and issuer DN associated with it.&nbsp; &nbsp;The issuer is the signer for the owner.&nbsp; Each side will also have a truststore (just another keystore by a different name containing a bunch of TrustedCertEntry(s)) that would need to contain the trustedCertEntry for the issuer/signer of your PrivateKeyEntry.&nbsp; It is also very common that the issuer/signer trustedCertEntry has an owner DN and Issuer DN that do not match. This means that that issuer was just an intermediate Certificate Authority (CA) and was issued/signed by another CA.&nbsp; As such the truststore would need to also contain the TrustedCertEntry for that next level issuer CA.&nbsp; This continues until you reach the root CA trustedCertEntry where the owner and issuer have the same DN.&nbsp; This is known as the rootCA for your PriavteKeyEntry.&nbsp; &nbsp;Having all the intermediate CA(s) and the root CA, means you have the complete trust chain in your truststore.&nbsp; This process applies in both directions in the mutual TSL handshake.&nbsp; Meaning your clientAuth certificate presented by your Kafka Consumer must have its complete trust chain in the Kafka servers truststore.&nbsp; And the ServerAuth certificate presented by your server must have its complete trust chain present in the truststore used by your client Kafka consumer.&nbsp;&nbsp;<BR /><BR /><EM><STRONG>Note:</STRONG></EM> I am over simplifying this mutual TLS handshake (private keys themselves are never shared and there is more in the server and client hello exchanges in the TLS handshake), but intent is to focus at a high level on what your issue is caused by specifically.<BR /><BR />So to get past your issue, you need to make sure the truststore used by your client and server side contain all the CAs trust chain trustedCertEntries.<BR /><BR /></P><P>If you found this response assisted with your query, please take a moment to login and click on "<STRONG>Accept as Solution</STRONG>" below this post.<BR /><BR />Thank you,</P><P>Matt</P><P><BR /><BR /></P> Mon, 18 Jul 2022 19:45:33 GMT MattWho 2022-07-18T19:45:33Z https://community.cloudera.com/t5/Support-Questions/Nifi-Kafka-Confluent-SSL-handshake-failed/m-p/347986#M235288 <P>Hi, I'm trying to make a kafka consumer working, but I am having this issue about SSL Handshake failed. Any ideas ?&nbsp;</P><P>&nbsp;</P><P>2022-07-18 14:00:45,216 INFO [NiFi Web Server-203] o.a.n.c.s.StandardProcessScheduler Starting ConsumeKafkaRecord_2_6[id=f5ee162d-1006-1181-c1d1-1d8a7293ffb7]<BR />2022-07-18 14:00:45,217 INFO [NiFi Web Server-203] o.a.n.controller.StandardProcessorNode Starting ConsumeKafkaRecord_2_6[id=f5ee162d-1006-1181-c1d1-1d8a7293ffb7]<BR />2022-07-18 14:00:45,217 INFO [Timer-Driven Process Thread-5] o.a.n.c.s.TimerDrivenSchedulingAgent Scheduled ConsumeKafkaRecord_2_6[id=f5ee162d-1006-1181-c1d1-1d8a7293ffb7] to run with 1 threads<BR />2022-07-18 14:00:45,219 INFO [Timer-Driven Process Thread-8] o.a.k.clients.consumer.ConsumerConfig ConsumerConfig values:<BR />allow.auto.create.topics = true<BR />auto.commit.interval.ms = 5000<BR />auto.offset.reset = latest<BR />bootstrap.servers = [bootstrap-url:9092]<BR />check.crcs = true<BR />client.dns.lookup = use_all_dns_ips<BR />client.id = consumer-integration.cubo-transactions-consumer-20<BR />client.rack =<BR />connections.max.idle.ms = 540000<BR />default.api.timeout.ms = 60000<BR />enable.auto.commit = false<BR />exclude.internal.topics = true<BR />fetch.max.bytes = 52428800<BR />fetch.max.wait.ms = 500<BR />fetch.min.bytes = 1<BR />group.id = integration.cubo-transactions-consumer<BR />group.instance.id = null<BR />heartbeat.interval.ms = 3000<BR />interceptor.classes = []<BR />internal.leave.group.on.close = true<BR />internal.throw.on.fetch.stable.offset.unsupported = false<BR />isolation.level = read_uncommitted<BR />key.deserializer = class org.apache.kafka.common.serialization.ByteArrayDeserializer<BR />max.partition.fetch.bytes = 1048576<BR />max.poll.interval.ms = 300000<BR />max.poll.records = 10000<BR />metadata.max.age.ms = 300000<BR />metric.reporters = []<BR />metrics.num.samples = 2<BR />metrics.recording.level = INFO<BR />metrics.sample.window.ms = 30000<BR />partition.assignment.strategy = [class org.apache.kafka.clients.consumer.RangeAssignor]<BR />receive.buffer.bytes = 65536<BR />reconnect.backoff.max.ms = 1000<BR />reconnect.backoff.ms = 50<BR />request.timeout.ms = 30000<BR />retry.backoff.ms = 100<BR />sasl.client.callback.handler.class = null<BR />sasl.jaas.config = [hidden]<BR />sasl.kerberos.kinit.cmd = /usr/bin/kinit<BR />sasl.kerberos.min.time.before.relogin = 60000<BR />sasl.kerberos.service.name = null<BR />sasl.kerberos.ticket.renew.jitter = 0.05<BR />sasl.kerberos.ticket.renew.window.factor = 0.8<BR />sasl.login.callback.handler.class = null<BR />sasl.login.class = null<BR />sasl.login.refresh.buffer.seconds = 300<BR />sasl.login.refresh.min.period.seconds = 60<BR />sasl.login.refresh.window.factor = 0.8<BR />sasl.login.refresh.window.jitter = 0.05<BR />sasl.mechanism = SCRAM-SHA-512<BR />security.protocol = SASL_SSL<BR />security.providers = null<BR />send.buffer.bytes = 131072<BR />session.timeout.ms = 10000<BR />ssl.cipher.suites = null<BR />ssl.enabled.protocols = [TLSv1.2]<BR />ssl.endpoint.identification.algorithm = https<BR />ssl.engine.factory.class = null<BR />ssl.key.password = null<BR />ssl.keymanager.algorithm = SunX509<BR />ssl.keystore.location = null<BR />ssl.keystore.password = null<BR />ssl.keystore.type = JKS<BR />ssl.protocol = TLSv1.2<BR />ssl.provider = null<BR />ssl.secure.random.implementation = null<BR />ssl.trustmanager.algorithm = PKIX<BR />ssl.truststore.location = /opt/nifi-toolkit-1.15.3/bin/target/CN=localhost_OU=NIFI.p12<BR />ssl.truststore.password = [hidden]<BR />ssl.truststore.type = PKCS12<BR />value.deserializer = class org.apache.kafka.common.serialization.ByteArrayDeserializer</P><P>2022-07-18 14:00:45,224 INFO [Timer-Driven Process Thread-8] o.a.k.c.s.authenticator.AbstractLogin Successfully logged in.<BR />2022-07-18 14:00:45,291 INFO [Timer-Driven Process Thread-8] o.a.kafka.common.utils.AppInfoParser Kafka version: 2.6.3<BR />2022-07-18 14:00:45,291 INFO [Timer-Driven Process Thread-8] o.a.kafka.common.utils.AppInfoParser Kafka commitId: c24cbd3f5eeffa1e<BR />2022-07-18 14:00:45,291 INFO [Timer-Driven Process Thread-8] o.a.kafka.common.utils.AppInfoParser Kafka startTimeMs: 1658163645291<BR />2022-07-18 14:00:45,291 INFO [Timer-Driven Process Thread-8] o.a.kafka.clients.consumer.KafkaConsumer [Consumer clientId=consumer-integration.cubo-transactions-consumer-20, groupId=integration.cubo-transactions-consumer] Subscribed to topic(s): integration.cubo-transactions<BR />2022-07-18 14:00:45,386 INFO [Flow Service Tasks Thread-1] o.a.nifi.controller.StandardFlowService Saved flow controller org.apache.nifi.controller.FlowController@558d7d23 // Another save pending = false<BR />2022-07-18 14:00:45,532 INFO [pool-9-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Initiating checkpoint of FlowFile Repository<BR />2022-07-18 14:00:45,532 INFO [pool-9-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Successfully checkpointed FlowFile Repository with 28 records in 0 milliseconds<BR />2022-07-18 14:00:47,314 INFO [Timer-Driven Process Thread-2] org.apache.kafka.common.network.Selector [Consumer clientId=consumer-integration.cubo-transactions-consumer-20, groupId=integration.cubo-transactions-consumer] Failed authentication with bootstrap-url (SSL handshake failed)<BR />2022-07-18 14:00:47,314 ERROR [Timer-Driven Process Thread-2] org.apache.kafka.clients.NetworkClient [Consumer clientId=consumer-integration.cubo-transactions-consumer-20, groupId=integration.cubo-transactions-consumer] Connection to node -1 (bootstrap-url:9092) failed authentication due to: SSL handshake failed<BR />2022-07-18 14:00:47,314 WARN [Timer-Driven Process Thread-2] org.apache.kafka.clients.NetworkClient [Consumer clientId=consumer-integration.cubo-transactions-consumer-20, groupId=integration.cubo-transactions-consumer] Bootstrap broker bootstrap-url:9092 (id: -1 rack: null) disconnected<BR />2022-07-18 14:00:47,315 ERROR [Timer-Driven Process Thread-2] o.a.n.p.k.pubsub.ConsumeKafkaRecord_2_6 ConsumeKafkaRecord_2_6[id=f5ee162d-1006-1181-c1d1-1d8a7293ffb7] Exception while interacting with Kafka so will close the lease org.apache.nifi.processors.kafka.pubsub.ConsumerPool$SimpleConsumerLease@6e83a054 due to org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<BR />↳ causes: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<BR />↳ causes: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<BR />↳ causes: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed<BR />org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed<BR />Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<BR />at sun.security.ssl.Alert.createSSLException(Alert.java:131)<BR />at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)<BR />at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)<BR />at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)<BR />at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)<BR />at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)<BR />at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)<BR />at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)<BR />at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)<BR />at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)<BR />at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)<BR />at java.security.AccessController.doPrivileged(Native Method)<BR />at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)<BR />at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430)<BR />at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514)<BR />at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368)<BR />at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291)<BR />at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:173)<BR />at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)<BR />at org.apache.kafka.common.network.Selector.poll(Selector.java:485)<BR />at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:547)<BR />at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:265)<BR />at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:236)<BR />at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:215)<BR />at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:245)<BR />at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:480)<BR />at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1261)<BR />at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1230)<BR />at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1210)<BR />at org.apache.nifi.processors.kafka.pubsub.ConsumerLease.poll(ConsumerLease.java:190)<BR />at org.apache.nifi.processors.kafka.pubsub.ConsumeKafkaRecord_2_6.onTrigger(ConsumeKafkaRecord_2_6.java:488)<BR />at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)<BR />at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1273)<BR />at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:214)<BR />at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:103)<BR />at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)<BR />at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)<BR />at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)<BR />at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)<BR />at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)<BR />at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)<BR />at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)<BR />at java.lang.Thread.run(Thread.java:748)<BR />Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<BR />at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)<BR />at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)<BR />at sun.security.validator.Validator.validate(Validator.java:271)<BR />at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)<BR />at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)<BR />at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)<BR />at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)<BR />... 38 common frames omitted<BR />Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<BR />at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)<BR />at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)<BR />at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)<BR />at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)<BR />... 44 common frames omitted</P> Mon, 18 Jul 2022 17:19:26 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Kafka-Confluent-SSL-handshake-failed/m-p/347986#M235288 Alevc 2022-07-18T17:19:26Z https://community.cloudera.com/t5/Support-Questions/Nifi-Kafka-Confluent-SSL-handshake-failed/m-p/348004#M235299 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/99271">@Alevc</a>&nbsp;<BR /><BR /></P><LI-CODE lang="markup">Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</LI-CODE><P>The above exception you are encountering with TLS is caused by a lack of a complete trust chain in the mutual TLS handshake.<BR /><BR />On each side (server and client) of your TLS connection, you will have a keystore containing a PrivateKey entry (Will support and extended key usage (EKU) of clientAuth, serverAuth, or both) that either your client or server will use to identify itself.&nbsp; &nbsp;That PrivateKey entry will have an owner and issuer DN associated with it.&nbsp; &nbsp;The issuer is the signer for the owner.&nbsp; Each side will also have a truststore (just another keystore by a different name containing a bunch of TrustedCertEntry(s)) that would need to contain the trustedCertEntry for the issuer/signer of your PrivateKeyEntry.&nbsp; It is also very common that the issuer/signer trustedCertEntry has an owner DN and Issuer DN that do not match. This means that that issuer was just an intermediate Certificate Authority (CA) and was issued/signed by another CA.&nbsp; As such the truststore would need to also contain the TrustedCertEntry for that next level issuer CA.&nbsp; This continues until you reach the root CA trustedCertEntry where the owner and issuer have the same DN.&nbsp; This is known as the rootCA for your PriavteKeyEntry.&nbsp; &nbsp;Having all the intermediate CA(s) and the root CA, means you have the complete trust chain in your truststore.&nbsp; This process applies in both directions in the mutual TSL handshake.&nbsp; Meaning your clientAuth certificate presented by your Kafka Consumer must have its complete trust chain in the Kafka servers truststore.&nbsp; And the ServerAuth certificate presented by your server must have its complete trust chain present in the truststore used by your client Kafka consumer.&nbsp;&nbsp;<BR /><BR /><EM><STRONG>Note:</STRONG></EM> I am over simplifying this mutual TLS handshake (private keys themselves are never shared and there is more in the server and client hello exchanges in the TLS handshake), but intent is to focus at a high level on what your issue is caused by specifically.<BR /><BR />So to get past your issue, you need to make sure the truststore used by your client and server side contain all the CAs trust chain trustedCertEntries.<BR /><BR /></P><P>If you found this response assisted with your query, please take a moment to login and click on "<STRONG>Accept as Solution</STRONG>" below this post.<BR /><BR />Thank you,</P><P>Matt</P><P><BR /><BR /></P> Mon, 18 Jul 2022 19:45:33 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Kafka-Confluent-SSL-handshake-failed/m-p/348004#M235299 MattWho 2022-07-18T19:45:33Z https://community.cloudera.com/t5/Support-Questions/Nifi-Kafka-Confluent-SSL-handshake-failed/m-p/348012#M235302 <P>Hi Matt, thanks a lot for the explanation. I changed the&nbsp;path from truststore.jks to&nbsp;$JAVA_HOME<SPAN>\lib\security\cacerts</SPAN> on the&nbsp;<SPAN>StandardRestrictedSSLContextService settings , and worked fine !!!&nbsp;</SPAN></P> Mon, 18 Jul 2022 21:02:13 GMT https://community.cloudera.com/t5/Support-Questions/Nifi-Kafka-Confluent-SSL-handshake-failed/m-p/348012#M235302 Alevc 2022-07-18T21:02:13Z