Not valid SSL Certificate

Angelvillar — Thu, 25 Aug 2022 12:56:00 GMT

Hello, I could use some help...

I'm using GetHTTP and InvokeHTTP processors for reading certain indices in a elasticsearch database. The URL to this database is a HTTPS, my question is the following: Is it possible to run these processors leaving the SSL Context Service property as "No value" when you insert in the URL property a HTTPs?

If I do this I get the following error (InvokeHTTP processor):

InvokeHTTP[id=0e07115a-102e-1182-be33-467ed7f3f784] Yielding processor due to exception encountered as a source processor: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: {}

If I run a GET to this URL in postman with "Enable SSL certificate verification"=OFF it works. However, taking a look at the error It looks like Nifi requires the SSL certificate.

The problem is that if I download the certificate and import it as a trusted certificate in the KeyStore Explorer and use the SSL Context Service property I get the following error in Nifi:

InvokeHTTP[id=01821018-0e07-1153-5966-62a9d2f5c98e] Yielding processor due to exception encountered as a source processor: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: {}

This might be because the site is not safe and the downloaded certificate is not valid. I get the following alert when I introduce the URL in my search engine: Not trusted certificate.

Is there any way to solve this problem? How can I perform a GET in Nifi to an HTTPs without the SSL certificate?

Many thanks in advance for the help.

Re: Not valid SSL Certificate

Angelvillar — Fri, 26 Aug 2022 11:34:39 GMT

The security overview of the page is the following:

I would really appreciate some help

Re: Not valid SSL Certificate

steven-matison — Fri, 26 Aug 2022 12:39:23 GMT

@Angelvillar I would recommend that you create a SSL Context Service using javas cacerts as the keystore and truststore. If that doesnt work, THEN, try to make your own with the certs from the ELK server.

Here is a similar post with a lot more details of how that looks with cacerts and details for alternative custom keystore/trustore.

https://community.cloudera.com/t5/Support-Questions/Configure-StandardSSLContextService-for-Elasticsearch/m-p/302719

question Not valid SSL Certificate in Support Questions

Not valid SSL Certificate

Re: Not valid SSL Certificate

Re: Not valid SSL Certificate