question Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown in Support Questions

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Mon, 08 Jan 2024 11:51:55 GMT

[begin_log]2024-01-08 18:57:00,406+0800|ERROR|pool-47-thread-1|o.s.s.s.TaskUtils$LoggingErrorHandler|Unexpected error occurred in scheduled task
org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Internal Server Error: "javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown"
at org.springframework.web.client.HttpServerErrorException.create(HttpServerErrorException.java:100)
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170)
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:122)
at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:825)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:783)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:717)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:608)
at com.orchsym.trace.alerts.api.timer.Timer.getBulletinBoardDTO(Timer.java:162)
at com.orchsym.trace.alerts.api.timer.Timer.getBulletinBoard(Timer.java:97)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:95)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

[root@runtime-0 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore /opt/orchsym/runtime/conf/keystore.jks

Enter keystore password:

Keystore type: jks

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: runtime-0.runtime-statefulset.default.svc.cluster.local

Creation date: Jan 8, 2024

Entry type: PrivateKeyEntry

Certificate chain length: 2

Certificate[1]:

Owner: CN=runtime-0.runtime-statefulset.default.svc.cluster.local, OU=orchsym.com

Issuer: CN=ca, OU=orchsym.com

Serial number: 94c5135f0b3a7f0e

Valid from: Mon Jan 08 18:23:42 CST 2024 until: Thu May 25 18:23:42 CST 2051

Certificate fingerprints:

MD5: E3:D3:83:10:FF:A2:56:CE:41:A5:8E:BF:66:B6:97:06

SHA1: 10:00:6B:63:E5:FB:C0:CE:79:B1:AD:BF:07:D7:A1:AD:C1:56:E2:2A

SHA256: C1:B1:5D:D1:EA:5A:1F:64:CB:5A:BE:31:D9:EC:4C:31:90:37:22:7B:9D:B1:CC:66:F6:B3:09:81:34:EB:1E:BD

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [

serverAuth

clientAuth

]

#2: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: runtime-0.runtime-statefulset.default.svc.cluster.local

]

Certificate[2]:

Owner: CN=ca, OU=orchsym.com

Issuer: CN=ca, OU=orchsym.com

Serial number: ea7f96497446ec07

Valid from: Wed Dec 13 14:00:40 CST 2023 until: Sat Dec 10 14:00:40 CST 2033

Certificate fingerprints:

MD5: D1:C7:A1:6A:A3:67:65:68:55:B5:6D:0E:74:21:80:71

SHA1: 64:60:26:22:94:08:24:BD:75:B7:23:B0:62:6C:3C:FF:A8:62:AB:47

SHA256: 37:45:27:2F:B9:A2:A4:40:FC:14:7B:82:CA:D6:57:9D:9D:11:D9:44:13:2F:CC:8D:33:BB:A9:C5:C6:FA:C0:57

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 1

*******************************************

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/orchsym/runtime/conf/keystore.jks -destkeystore /opt/orchsym/runtime/conf/keystore.jks -deststoretype pkcs12".

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

MattWho — Mon, 08 Jan 2024 14:06:36 GMT

@JamesZhang

I feel there are a lot of details missing here that may help you get a better response.
I see you added the "Apache NiFi" label, so assuming you are seeing this exception some how related to NiFi?

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Above is telling you that you have some TLS exchange issue related to some certificates somewhere. I am assuming the verbose output you shared is for the keystore configured in your NiFi's nifi.properties file?

With and TLS exchange there is a client and a server side of that exchange and the keystore and truststores on both side of that exchange along with the type of TLS exchange (TLS or MutualTLS) matters.

Initial questions;
1. Where are you seeing this exception? What action is being performed when the exception occurs?
2. What TLS exchange is failing as a result of it?

Thank you,
Matt

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Mon, 08 Jan 2024 14:55:16 GMT

I set up a two node nifi cluster. and https and username and password authentication is enabled.

When I was accessing the nifi and cut the login he gave me Received fatal alert: certificate_unknown

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Mon, 08 Jan 2024 14:56:21 GMT

When I was accessing the nifi and cut the login he gave me Received fatal alert: certificate_unknown

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Mon, 08 Jan 2024 14:58:03 GMT

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Mon, 08 Jan 2024 15:00:58 GMT

2024-01-08 22:59:04,191 DEBUG [Replicate Request Thread-5] o.a.n.c.c.h.r.o.OkHttpReplicationClient Replicating request OkHttpPreparedRequest[method=GET, headers={sec-fetch-site=same-origin, X-Request-ID=cefa0de909293ecff62ec11a567a7bf5, purpose=prefetch, User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36, Accept-Encoding=gzip, deflate, br, locale=zh, sec-ch-ua-mobile=?0, X-ProxiedEntitiesChain=<admin@orchsym.com>, Content-Encoding=gzip, X-RequestTransactionId=46b8f4dd-346d-4969-b013-0318b425a5e8, X-Real-IP=172.18.153.98, sec-fetch-mode=cors, Cookie=INGRESSCOOKIE=1704456109.379.3262.11429|138638da7f02469ffa15ce137684f175; authMode=token; oidc-request-rfid=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1MHlDcUI4MlVQMV9NS3B3aUljLVhXQmNNUWxybkJPLUM4dmdJZnUxUmFvIn0.eyJqdGkiOiI3NTI1MDJhMy04YjIyLTQzNDAtOThlMC1hYzY3YmY5MzBhNDciLCJleHAiOjE3MDQ3NjE1MDEsIm5iZiI6MCwiaWF0IjoxNzA0NzI1NTAxLCJpc3MiOiJodHRwczovLzE3Mi4xOC4xNTcuMjM1OjgyODMvYXV0aC9yZWFsbXMvYmFpc2hhbmNsb3VkIiwiYXVkIjoicnVudGltZS1rdWJlIiwic3ViIjoiMDczNzNlNDMtNmY2NC00ZDlhLTg1ZDQtZWRkNTA2NjJkNjIwIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InJ1bnRpbWUta3ViZSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjkxMDAyZDUyLTczNzEtNGJmYy04NTU2LWVkNDEzYjg0OTM1NCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSJ9.AXI1uDJV629yce--7C_hIeKUdpSjkIWaeqm4_Ove_IMz4oMroPIYCBvKiF_XZ1u46uSxhGMz0DN5zhx3UwgYjo7OcofW6HtNolAgaCcfQU2rK_rMtb1VX3DfUAe6spyg0RwU6o08-5bRtd8vfH9S7ASIMO6dA3wD_o9bXlWGI7i4V2_mm-rnvm7qmC1e10xefu7Qhcq3g6dHh0tJcY6jFDNTBGS3qG9lME4y0E6FgrxlIr9vNtEqOIVHAa2MDLtXnJJnn9SHTBERsx-2T7wWmLKr_d_p3Cj62MvJeFEPMaPlZ3DANWx32dip4R9Y55DlzivEyAxSAyMm__QEFNPiXg, Accept=*/*, X-Forwarded-Host=runtime.irybd.com, X-Forwarded-Proto=https, Referer=https://runtime.irybd.com/runtime, X-Forwarded-Port=443, sec-ch-ua="Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120", X-ProxyHost=runtime.irybd.com, sec-ch-ua-platform="macOS", X-Forwarded-For=172.18.153.98, Accept-Language=en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7, X-Forwarded-Scheme=https, X-Scheme=https, sec-purpose=prefetch;prerender, sec-fetch-dest=empty}] to https://runtime-1.runtime-statefulset.default.svc.cluster.local:443/nifi-api/flow/current-user
2024-01-08 22:59:04,219 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to runtime-1.runtime-statefulset.default.svc.cluster.local:443 due to javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2024-01-08 22:59:04,219 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to runtime-1.runtime-statefulset.default.svc.cluster.local:443 due to javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2024-01-08 22:59:04,219 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:122)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:116)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:629)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:821)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2024-01-08 22:59:04,219 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:122)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:116)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:629)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:821)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

MattWho — Mon, 08 Jan 2024 17:19:33 GMT

@JamesZhang

Not sure what "cut the login" means in your response.

When you access the NiFI URL, are you being redirected to the NiFi login window or do you encounter the unknown certificate exception immediately?

Where did you get the certificates you are using?
Did you add the Certificate Authority CA trust chain public certificates to the list of trusted authorities in the browser you are using to connect to NiFi?

Thanks,
Matt

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

MattWho — Mon, 08 Jan 2024 20:30:39 GMT

@JamesZhang

What is the verbose output for your configured truststore?

Does it contain the TrustedCertEntry for your Certificate Authority (CA) that signed the PrivateKey in your keystore?

The keystore you shared has:

DNSName: runtime-0.runtime-statefulset.default.svc.cluster.local

The log output you shared is failing on the mutualTLS handshake with another node in your NiFi cluster when the request to get current user is replicated to all nodes in your NiFi cluster.

runtime-1.runtime-statefulset.default.svc.cluster.local

All inter node communication require successful mutualTLS exchanges.
Did you create a separate certificate for the other node? Is it signed by same CA?

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Tue, 09 Jan 2024 03:31:06 GMT

Yes, all other nodes are issued with the same CA certificate.

Here are the details of my certificate：

runtime-0 node：

[root@runtime-0 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore keystore.jks

Enter keystore password:

Keystore type: jks

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: runtime-0.runtime-statefulseheadless.default.svc.cluster.local

Creation date: Jan 9, 2024

Entry type: PrivateKeyEntry

Certificate chain length: 2

Certificate[1]:

Owner: CN=runtime-0.runtime-statefulseheadless.default.svc.cluster.local, OU=orchsym.com

Issuer: CN=ca, OU=orchsym.com

Serial number: 95a5fed51b7682f7

Valid from: Tue Jan 09 11:28:46 CST 2024 until: Fri May 26 11:28:46 CST 2051

Certificate fingerprints:

MD5: F5:47:4A:ED:84:39:A6:CE:2E:3F:66:E2:9F:13:85:CF

SHA1: C4:B8:DB:86:AB:7C:7F:60:16:7B:02:64:67:E0:82:67:65:F9:C9:55

SHA256: 54:55:A1:C6:BE:5F:F4:2A:8B:AB:05:F1:23:A6:AF:62:3F:4C:1F:97:F7:86:CD:7F:44:27:82:AA:28:78:D6:B5

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [

serverAuth

clientAuth

]

#2: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: runtime-0.runtime-statefulseheadless.default.svc.cluster.local

]

Certificate[2]:

Owner: CN=ca, OU=orchsym.com

Issuer: CN=ca, OU=orchsym.com

Serial number: d7621b97728d0ce0

Valid from: Mon Jan 08 23:50:34 CST 2024 until: Thu Jan 05 23:50:34 CST 2034

Certificate fingerprints:

MD5: 66:8E:AA:A6:9B:66:E8:48:43:F0:AB:EF:7C:4A:28:09

SHA1: DD:EB:20:4E:D1:39:86:87:65:21:6D:BF:8A:FE:35:CB:EB:80:6D:75

SHA256: AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: 65 39 FC E5 58 02 CC 39 56 0E 9B F4 A4 EE BB AC e9..X..9V.......

0010: B9 FC E9 B3 ....

]

#2: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

CA:true

PathLen:2147483647

]

#3: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 65 39 FC E5 58 02 CC 39 56 0E 9B F4 A4 EE BB AC e9..X..9V.......

0010: B9 FC E9 B3 ....

]

*******************************************

[root@runtime-0 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore truststore.jks

Enter keystore password:

Keystore type: jks

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: ca

Creation date: Jan 9, 2024

Entry type: trustedCertEntry

Owner: CN=ca, OU=orchsym.com

Issuer: CN=ca, OU=orchsym.com

Serial number: d7621b97728d0ce0

Valid from: Mon Jan 08 23:50:34 CST 2024 until: Thu Jan 05 23:50:34 CST 2034

Certificate fingerprints:

MD5: 66:8E:AA:A6:9B:66:E8:48:43:F0:AB:EF:7C:4A:28:09

SHA1: DD:EB:20:4E:D1:39:86:87:65:21:6D:BF:8A:FE:35:CB:EB:80:6D:75

SHA256: AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: 65 39 FC E5 58 02 CC 39 56 0E 9B F4 A4 EE BB AC e9..X..9V.......

0010: B9 FC E9 B3 ....

]

#2: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

CA:true

PathLen:2147483647

]

#3: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 65 39 FC E5 58 02 CC 39 56 0E 9B F4 A4 EE BB AC e9..X..9V.......

0010: B9 FC E9 B3 ....

]

*******************************************

runtime-1 node：

[root@runtime-1 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore keystore.jks

Enter keystore password:

Keystore type: jks

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: runtime-1.runtime-statefulseheadless.default.svc.cluster.local

Creation date: Jan 9, 2024

Entry type: PrivateKeyEntry

Certificate chain length: 2

Certificate[1]:

Owner: CN=runtime-1.runtime-statefulseheadless.default.svc.cluster.local, OU=orchsym.com

Issuer: CN=ca, OU=orchsym.com

Serial number: daf0d7df943156cf

Valid from: Tue Jan 09 11:28:51 CST 2024 until: Fri May 26 11:28:51 CST 2051

Certificate fingerprints:

MD5: 75:3E:10:50:EB:4E:47:CE:8C:0C:F2:D5:AE:9D:99:44

SHA1: 7D:A4:B0:07:CA:F1:D2:39:42:EE:91:A7:68:02:92:E1:5D:75:CF:D6

SHA256: 05:7E:8A:AC:0C:9B:EE:AE:F9:41:44:AF:69:66:50:8D:32:83:77:48:CC:2F:9D:91:35:33:B4:2D:2A:47:61:E2

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [

serverAuth

clientAuth

]

#2: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: runtime-1.runtime-statefulseheadless.default.svc.cluster.local

]

Certificate[2]:

Owner: CN=ca, OU=orchsym.com

Issuer: CN=ca, OU=orchsym.com

Serial number: d7621b97728d0ce0

Valid from: Mon Jan 08 23:50:34 CST 2024 until: Thu Jan 05 23:50:34 CST 2034

Certificate fingerprints:

MD5: 66:8E:AA:A6:9B:66:E8:48:43:F0:AB:EF:7C:4A:28:09

SHA1: DD:EB:20:4E:D1:39:86:87:65:21:6D:BF:8A:FE:35:CB:EB:80:6D:75

SHA256: AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: 65 39 FC E5 58 02 CC 39 56 0E 9B F4 A4 EE BB AC e9..X..9V.......

0010: B9 FC E9 B3 ....

]

#2: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

CA:true

PathLen:2147483647

]

#3: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 65 39 FC E5 58 02 CC 39 56 0E 9B F4 A4 EE BB AC e9..X..9V.......

0010: B9 FC E9 B3 ....

]

*******************************************

[root@runtime-1 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore truststore.jks

Enter keystore password:

Keystore type: jks

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: ca

Creation date: Jan 9, 2024

Entry type: trustedCertEntry

Owner: CN=ca, OU=orchsym.com

Issuer: CN=ca, OU=orchsym.com

Serial number: d7621b97728d0ce0

Valid from: Mon Jan 08 23:50:34 CST 2024 until: Thu Jan 05 23:50:34 CST 2034

Certificate fingerprints:

MD5: 66:8E:AA:A6:9B:66:E8:48:43:F0:AB:EF:7C:4A:28:09

SHA1: DD:EB:20:4E:D1:39:86:87:65:21:6D:BF:8A:FE:35:CB:EB:80:6D:75

SHA256: AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: 65 39 FC E5 58 02 CC 39 56 0E 9B F4 A4 EE BB AC e9..X..9V.......

0010: B9 FC E9 B3 ....

]

#2: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

CA:true

PathLen:2147483647

]

#3: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 65 39 FC E5 58 02 CC 39 56 0E 9B F4 A4 EE BB AC e9..X..9V.......

0010: B9 FC E9 B3 ....

]

*******************************************

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Tue, 09 Jan 2024 03:33:38 GMT

Ignore the difference between runtime-0.runtime-statefulset.default.svc.cluster.local and runtime-0.runtime-statefulseheadless.default.svc.cluster.local, because I'm putting the dns of the current cluster node from the former to the latter.

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Tue, 09 Jan 2024 03:34:16 GMT

It was after I logged in that the problem occurred.

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

MattWho — Tue, 09 Jan 2024 15:03:40 GMT

@JamesZhang

The logs shared indicate a TLS exchange issue.

Have you looked at the output of openssl to see what your running NiFi responds with:

openssl s_client -connect runtime-0.runtime-statefulset.default.svc.cluster.local:443 -showcerts

and

openssl s_client -connect runtime-1.runtime-statefulset.default.svc.cluster.local:443 -showcerts

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Tue, 09 Jan 2024 17:15:20 GMT

[root@runtime-1 /opt/orchsym/runtime-ee]# openssl s_client -connect runtime-0.runtime-statefulset.default.svc.cluster.local:443 -showcerts
CONNECTED(00000003)
depth=1 OU = orchsym.com, CN = ca
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/OU=orchsym.com/CN=runtime-0.runtime-statefulset.default.svc.cluster.local
i:/OU=orchsym.com/CN=ca
-----BEGIN CERTIFICATE-----
MIIDZTCCAk2gAwIBAgIJAMjrw8P09eTSMA0GCSqGSIb3DQEBCwUAMCMxFDASBgNV
BAsMC29yY2hzeW0uY29tMQswCQYDVQQDDAJjYTAgFw0yNDAxMDkxNzAwMzVaGA8y
MDUxMDUyNjE3MDAzNVowWDEUMBIGA1UECwwLb3JjaHN5bS5jb20xQDA+BgNVBAMM
N3J1bnRpbWUtMC5ydW50aW1lLXN0YXRlZnVsc2V0LmRlZmF1bHQuc3ZjLmNsdXN0
ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYDBOx7r3e
33zFDM8VilMZU4J/oWYKUe0eesd9gWsqIMUm26/ImQVN0aQIrOylLOLftcEXkQp8
BAkuo+IgbBzoQBEqDmHsktwcLld+04tRQMijL7RbieqN0sMqoHs/XRdB7bhfel73
ffnBQ2nctZCynuTQ7aem5ubzKMm5oQRPXPB5jJ3A5FwKy/F4lpdJsEZRVVohl0xt
kTIxpxvEu8OpuElajh34Lhn59yVNS4qkubsOE7ll+RPzHve0YeuUZXEjK41N3zLI
zNe5HDVGYpI6sQdGinY/u+2lP5Vm7LDFm67PjT/LfrQ/g5CRzo1dHxyniN0zuSg2
VTIV94Z8takhAgMBAAGjZTBjMEIGA1UdEQQ7MDmCN3J1bnRpbWUtMC5ydW50aW1l
LXN0YXRlZnVsc2V0LmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQDFAmP0YLbN
Cy0d/QPiXYhbOLWEGC+/Y1xMMIxfo6uxlhThp97IU0AFk9Q9sC/DTZ092+Mccp3w
eImOswQWiHjT+CKYpwpgnD5lQLf1l/6WNT/ffnRoCVH/iq6kkRp38KUI0l205kAw
2ZKlbS8AC1GC6U4ZEETgUjN1kSbgo3iA6oq9RKd0vi9gC3OfZg9NeSUGbil1rFrt
9jtGQgqu0WGe/mVFJ6wqS4yXvSavAVCpm7AQh00CwgtCGTIZ/zZmO9YtW/LwdTfC
h80ypeUVyekzpFANNPSjMp2JgP4PuwUX+RITq86n2biIQAgPf5KgGvvOgd4cEY2w
E6m0oHH8zgY0
-----END CERTIFICATE-----
1 s:/OU=orchsym.com/CN=ca
i:/OU=orchsym.com/CN=ca
-----BEGIN CERTIFICATE-----
MIIDGTCCAgGgAwIBAgIJANdiG5dyjQzgMA0GCSqGSIb3DQEBCwUAMCMxFDASBgNV
BAsMC29yY2hzeW0uY29tMQswCQYDVQQDDAJjYTAeFw0yNDAxMDgxNTUwMzRaFw0z
NDAxMDUxNTUwMzRaMCMxFDASBgNVBAsMC29yY2hzeW0uY29tMQswCQYDVQQDDAJj
YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANsBJ0dfZkk1efw2EgKt
3b8AynVDq3B/UKRmtkVJmvH+Ja4lfqlpcZMO8L4cCNOHJzEPHFSitlQoagTmiBL0
axnrd5upk3UlM/JctZOCBVwR9d2t0RE6Z7P7HAaFyxJXGj7oYC7xjYxuVVuN56B9
BTZWX6X9k2Dz659cTsLsQGc0Uf69chuUvN0kycm3DpKBRVSg2kc8e9Rbnn+w69J6
fE6goEixE5ysZAwzDTUHnx9GiRI0l8BEOqki8yoGahRZzEBw3OpWfvStqfXROMN/
+mPzN9EHAowyNGLbjbusmDAsJ7ojB39klxm8qvUDY71sVY7stGoCUxXLvTRgXAct
xo0CAwEAAaNQME4wHQYDVR0OBBYEFGU5/OVYAsw5Vg6b9KTuu6y5/OmzMB8GA1Ud
IwQYMBaAFGU5/OVYAsw5Vg6b9KTuu6y5/OmzMAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggEBAKnim+IdTeDy7KmWZxAyj2qGyz/cSK2dqkYU1iLcc492mXFU
RtD+ZTI7zGOFfZ1i7TIX7+Or2SjJ1EeCBUJLVt0nHnESWQR7TlTn03wFwLyf95Bd
3e+OqDUdj3DhWp1bfb0JIbWBA6nLBNLOjgCjpV/X8m9o0+3E6FV/zjbjUNlpZXra
Gwmi839Ko+9KX/44tTgLMQKB34H28k4HBnunnD/GUImXYchzeSnlmFpheKQ0/MVM
LVDSX3BZFPpImmmaqithUOT+MRRfQL/MRpVqLy1oja5RVpP+kKPZxo2p9wn3heyP
PjaC4NSkV6E4hdddOkVIz01jO9Bxse9aCpfPo34=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=orchsym.com/CN=runtime-0.runtime-statefulset.default.svc.cluster.local
issuer=/OU=orchsym.com/CN=ca
---
Acceptable client certificate CA names
/OU=orchsym.com/CN=ca
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2290 bytes and written 483 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 659D7F10CB1256340096AE6B793A0EF99256807F5742D7B70EC637F0C1C8B5B6
Session-ID-ctx:
Master-Key: 3954CAAFF578E3D28D47394B42DBD2CE432D0D86C1D2C1D560BB2AF1E6AF982E812B40AD0D6142A2990622726C4B5399
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1704820496
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Tue, 09 Jan 2024 17:15:43 GMT

[root@runtime-1 /opt/orchsym/runtime-ee]# openssl s_client -connect runtime-1.runtime-statefulset.default.svc.cluster.local:443 -showcerts
CONNECTED(00000003)
depth=1 OU = orchsym.com, CN = ca
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/OU=orchsym.com/CN=runtime-1.runtime-statefulset.default.svc.cluster.local
i:/OU=orchsym.com/CN=ca
-----BEGIN CERTIFICATE-----
MIIDZTCCAk2gAwIBAgIJAOda8vSMjty7MA0GCSqGSIb3DQEBCwUAMCMxFDASBgNV
BAsMC29yY2hzeW0uY29tMQswCQYDVQQDDAJjYTAgFw0yNDAxMDkxNjU5NTlaGA8y
MDUxMDUyNjE2NTk1OVowWDEUMBIGA1UECwwLb3JjaHN5bS5jb20xQDA+BgNVBAMM
N3J1bnRpbWUtMS5ydW50aW1lLXN0YXRlZnVsc2V0LmRlZmF1bHQuc3ZjLmNsdXN0
ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiqFVT+BcV
L/7RdRz26cXeUw8ifP3omnTm3f4MzRHOOvlJMqQaoUdsDTooReYl4uF07vPmewGG
iOKhU4R4veucf9WNIzCY52PaDlcnPDcQhJisytHK+L+Cca5kNZ+eUzk8ywe5zR1a
t760THdweuHNeh9UaKkXgjDu0XdWh80VQ2rWOrbsJzikyUlAZ7olV/boGXD05EtX
mUG0a5K9KOccPn7HLOv3nOas0fqWDj2bYhxhCU8dwT2LaiNbsIyph7INZGp8ZxzT
T70ZpDJKguzGOSZwRTEyvCC3CjqjS4CWPB5RPQEYKHrPc0t5bXuixToITySgIX1/
BPL8RxftkpDFAgMBAAGjZTBjMEIGA1UdEQQ7MDmCN3J1bnRpbWUtMS5ydW50aW1l
LXN0YXRlZnVsc2V0LmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCS1zXSEU72
GF7K9L6Cjdc9dTB8/+d31IDPzQBPwtBTjHODz3PSYCaXnf08CZzEcM4KrzXrBfeM
LFjRnfD7tpM06hfRAqnACfAF5I9M6P6tXopaTQ5YOHerDnJJgvStdYd0yAh19/zu
8+Qvmjd5bdZ1h9adA1wXbvWfL1hEbJUHs/Zjx0qDYP4R06pM+TR6SbjCNxqvsJDJ
8ELpNp8Ykda7ht0vFqILAhJgNK4OV6Akklfv/Tkk0KXTMmws/tLfhz+MuLu/uj2f
p0BHlwUniIo2IthM0DAOSBJblZhGdCbMeNh2SiLMQ1Xg2QX3L0g5CZK84TRnnuKH
MNWaCMfYo6Yv
-----END CERTIFICATE-----
1 s:/OU=orchsym.com/CN=ca
i:/OU=orchsym.com/CN=ca
-----BEGIN CERTIFICATE-----
MIIDGTCCAgGgAwIBAgIJANdiG5dyjQzgMA0GCSqGSIb3DQEBCwUAMCMxFDASBgNV
BAsMC29yY2hzeW0uY29tMQswCQYDVQQDDAJjYTAeFw0yNDAxMDgxNTUwMzRaFw0z
NDAxMDUxNTUwMzRaMCMxFDASBgNVBAsMC29yY2hzeW0uY29tMQswCQYDVQQDDAJj
YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANsBJ0dfZkk1efw2EgKt
3b8AynVDq3B/UKRmtkVJmvH+Ja4lfqlpcZMO8L4cCNOHJzEPHFSitlQoagTmiBL0
axnrd5upk3UlM/JctZOCBVwR9d2t0RE6Z7P7HAaFyxJXGj7oYC7xjYxuVVuN56B9
BTZWX6X9k2Dz659cTsLsQGc0Uf69chuUvN0kycm3DpKBRVSg2kc8e9Rbnn+w69J6
fE6goEixE5ysZAwzDTUHnx9GiRI0l8BEOqki8yoGahRZzEBw3OpWfvStqfXROMN/
+mPzN9EHAowyNGLbjbusmDAsJ7ojB39klxm8qvUDY71sVY7stGoCUxXLvTRgXAct
xo0CAwEAAaNQME4wHQYDVR0OBBYEFGU5/OVYAsw5Vg6b9KTuu6y5/OmzMB8GA1Ud
IwQYMBaAFGU5/OVYAsw5Vg6b9KTuu6y5/OmzMAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggEBAKnim+IdTeDy7KmWZxAyj2qGyz/cSK2dqkYU1iLcc492mXFU
RtD+ZTI7zGOFfZ1i7TIX7+Or2SjJ1EeCBUJLVt0nHnESWQR7TlTn03wFwLyf95Bd
3e+OqDUdj3DhWp1bfb0JIbWBA6nLBNLOjgCjpV/X8m9o0+3E6FV/zjbjUNlpZXra
Gwmi839Ko+9KX/44tTgLMQKB34H28k4HBnunnD/GUImXYchzeSnlmFpheKQ0/MVM
LVDSX3BZFPpImmmaqithUOT+MRRfQL/MRpVqLy1oja5RVpP+kKPZxo2p9wn3heyP
PjaC4NSkV6E4hdddOkVIz01jO9Bxse9aCpfPo34=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=orchsym.com/CN=runtime-1.runtime-statefulset.default.svc.cluster.local
issuer=/OU=orchsym.com/CN=ca
---
Acceptable client certificate CA names
/OU=orchsym.com/CN=ca
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2290 bytes and written 483 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 659D7F31DA4A0985B0E70BC8EBF9000310D5D5959F18ADB88E42283E98010508
Session-ID-ctx:
Master-Key: 0E9CE0E6F358A489908FA748D77876B1A66B6D8FDF9BC906BEC55442700D0A59EBF62AED6A88D42FD4FF4A375BBE1438
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1704820529
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

JamesZhang — Tue, 09 Jan 2024 17:17:25 GMT

I've looked at its output via openssl and it indicates a self-signed certificate for the grant.

The output I fed back above. I don't know if you have viewed any errors that I haven't noticed.

Re: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

MattWho — Thu, 11 Jan 2024 21:22:53 GMT

@JamesZhang

Certainly a challenging issue you have here. The shared output all points to good certificates, but gets you no closer to why the mutualTLS exchange between your two Nifi nodes is no yielding a successful mutual TLS handshake.

I guess I would start by looking at the configuration of NiFi on both nodes to make sure configurations in the nifi.properties files on both nodes match. Verify that both nodes NiFi's are using same Java version. You may need to look at the network traffic between both nodes as well. Is there some device (load balancer, firewall, etc) between those nodes on the network that may be interfering with the certificate exchange.

Matt