https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/194319#M73695 <A rel="user" href="https://community.cloudera.com/users/62158/andrewtwigg.html" nodeid="62158">@Andrew Twigg</A><P>Make sure that your keystore and certs meet the following:</P><P> - The keystore file used on each server contains only a single PrivateKeyEntry.</P><P> - The certificate in the keystore has an extended key usage that includes both client auth and server auth</P><P>Thank you,</P><P>Matt</P> Fri, 19 Jan 2018 22:35:05 GMT MattWho 2018-01-19T22:35:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/194318#M73694 <P>We’re working on securing NiFi and I’m coming across an issue where I intermittently get an exception. The environment is a two-node NiFi cluster which is configured to authenticate users using LDAPS, and authorise them using the FileAccessPolicyProvider / FileUserGroupProvider which we plan to replace with LDAPS.</P><P>The login looks to be working. I think this is the authorisation part which is failing (although it works sometimes - before cluster voting completes). We have configured a certificate trust store for the CA (which is an internal CA), and a key store for the SSL cert.</P><P>Note: We're using a san cert for SSL.</P><P><IMG style="height:2.093in;width:6.229in" /></P><P>Exception is…</P><P>2018-01-19 08:41:23,999 WARN [Replicate Request Thread-9] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to 10.101.50.5:8443 due to com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown</P><P>2018-01-19 08:41:23,999 WARN [Replicate Request Thread-10] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to 10.101.50.4:8443 due to com.sun.jersey.api.client.ClientHandlerException: java.net.SocketException: Broken pipe (Write failed)</P><P>2018-01-19 08:41:24,000 WARN [Replicate Request Thread-9] o.a.n.c.c.h.r.ThreadPoolRequestReplicator</P><P>com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown</P><P> at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155)</P><P> at com.sun.jersey.api.client.Client.handle(Client.java:652)</P><P> at com.sun.jersey.api.client.filter.GZIPContentEncodingFilter.handle(GZIPContentEncodingFilter.java:123)</P><P> at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682)</P><P> at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)</P><P> at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:509)</P><P> at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:641)</P><P> at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:852)</P><P> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)</P><P> at java.util.concurrent.FutureTask.run(FutureTask.java:266)</P><P> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)</P><P> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)</P><P> at java.lang.Thread.run(Thread.java:748)</P><P>Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown</P><P> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)</P><P> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)</P><P> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)</P><P> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)</P><P> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)</P><P> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)</P><P> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)</P><P> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)</P><P> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)</P><P> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)</P><P> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)</P><P> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)</P><P> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:347)</P><P> at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:253)</P><P> at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153)</P><P> ... 12 common frames omitted</P><P>2018-01-19 08:41:24,000 WARN [Replicate Request Thread-10] o.a.n.c.c.h.r.ThreadPoolRequestReplicator</P><P>com.sun.jersey.api.client.ClientHandlerException: java.net.SocketException: Broken pipe (Write failed)</P><P> at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155)</P><P> at com.sun.jersey.api.client.Client.handle(Client.java:652)</P><P> at com.sun.jersey.api.client.filter.GZIPContentEncodingFilter.handle(GZIPContentEncodingFilter.java:123)</P><P> at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682)</P><P> at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)</P><P> at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:509)</P><P> at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:641)</P><P> at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:852)</P><P> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)</P><P> at java.util.concurrent.FutureTask.run(FutureTask.java:266)</P><P> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)</P><P> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)</P><P> at java.lang.Thread.run(Thread.java:748)</P><P>Caused by: java.net.SocketException: Broken pipe (Write failed)</P><P> at java.net.SocketOutputStream.socketWrite0(Native Method)</P><P> at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)</P><P> at java.net.SocketOutputStream.write(SocketOutputStream.java:155)</P><P> at sun.security.ssl.OutputRecord.writeBuffer(OutputRecord.java:431)</P><P> at sun.security.ssl.OutputRecord.write(OutputRecord.java:417)</P><P> at sun.security.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:886)</P><P> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:857)</P><P> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:727)</P><P> at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1124)</P><P> at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1216)</P><P> at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1128)</P><P> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)</P><P> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)</P><P> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)</P><P> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)</P><P> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)</P><P> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)</P><P> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)</P><P> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)</P><P> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)</P><P> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)</P><P> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)</P><P> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)</P><P> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:347)</P><P> at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:253)</P><P> at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153)</P><P> ... 12 common frames omitted</P><P>I’ve tried installing the CA into the /usr/java/jdk1.8.0_151/jre/lib/security/cacerts which didn’t solve the problem. I've also got the full CA in the keystore and the truststore.</P><P>I'm using the domain names as per the certificate in the nifi.properties file for nifi.web.https.host, and for authorizers.xml.</P><P>I couldn't seem to get any deeper info from the logging set as DEBUG.</P><P>Anyone have any ideas?</P><P>thanks</P> Fri, 19 Jan 2018 20:13:09 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/194318#M73694 andrew_twigg 2018-01-19T20:13:09Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/194319#M73695 <A rel="user" href="https://community.cloudera.com/users/62158/andrewtwigg.html" nodeid="62158">@Andrew Twigg</A><P>Make sure that your keystore and certs meet the following:</P><P> - The keystore file used on each server contains only a single PrivateKeyEntry.</P><P> - The certificate in the keystore has an extended key usage that includes both client auth and server auth</P><P>Thank you,</P><P>Matt</P> Fri, 19 Jan 2018 22:35:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/194319#M73695 MattWho 2018-01-19T22:35:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/194320#M73696 <P>Thanks for your response. This fixed the issue. </P> Tue, 23 Jan 2018 00:07:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/194320#M73696 andrew_twigg 2018-01-23T00:07:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/381691#M73697 <P>Ik had hetzelfde probleem en heb meerdere oplossingen geprobeerd die niet hielpen. Ik weet niet zeker waarom.</P> Fri, 05 Jan 2024 12:37:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/381691#M73697 JamesZhang 2024-01-05T12:37:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/381692#M73698 <P>2024-01-05 20:29:50,646 WARN [Replicate Request Thread-2] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/component-marks/classification to runtime-0.runtime-statefulset.default.svc.cluster.local:443 due to javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown<BR />2024-01-05 20:29:50,647 WARN [Replicate Request Thread-2] o.a.n.c.c.h.r.ThreadPoolRequestReplicator<BR />javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown<BR />at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)<BR />at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)<BR />at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)<BR />at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)<BR />at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)<BR />at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)<BR />at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)<BR />at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)<BR />at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)<BR />at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)<BR />at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)<BR />at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)<BR />at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)<BR />at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)<BR />at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)<BR />at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)<BR />at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)<BR />at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)<BR />at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)<BR />at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)<BR />at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)<BR />at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)<BR />at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)<BR />at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)<BR />at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)<BR />at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)<BR />at okhttp3.RealCall.execute(RealCall.java:81)<BR />at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:122)<BR />at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:116)<BR />at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:629)<BR />at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:821)<BR />at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)<BR />at java.util.concurrent.FutureTask.run(FutureTask.java:266)<BR />at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)<BR />at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)<BR />at java.lang.Thread.run(Thread.java:748)</P> Fri, 05 Jan 2024 12:38:56 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/381692#M73698 JamesZhang 2024-01-05T12:38:56Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/381693#M73699 <DIV># keytool -list -v -keystore truststore.jks</DIV><DIV>Enter keystore password:</DIV><DIV>Keystore type: jks</DIV><DIV>Keystore provider: SUN</DIV><DIV>&nbsp;</DIV><DIV>Your keystore contains 1 entry</DIV><DIV>&nbsp;</DIV><DIV>Alias name: ca</DIV><DIV>Creation date: Jan 5, 2024</DIV><DIV>Entry type: trustedCertEntry</DIV><DIV>&nbsp;</DIV><DIV>Owner: CN=ca, OU=foo.com</DIV><DIV>Issuer: CN=ca, OU=foo.com</DIV><DIV>Serial number: ea7f96497446ec07</DIV><DIV>Valid from: Wed Dec 13 14:00:40 CST 2023 until: Sat Dec 10 14:00:40 CST 2033</DIV><DIV>Certificate fingerprints:</DIV><DIV><SPAN>MD5:&nbsp; D1:C7:A1:6A:A3:67:65:68:55:B5:6D:0E:74:21:80:71</SPAN></DIV><DIV><SPAN>SHA1: 64:60:26:22:94:08:24:BD:75:B7:23:B0:62:6C:3C:FF:A8:62:AB:47</SPAN></DIV><DIV><SPAN>SHA256: 37:45:27:2F:B9:A2:A4:40:FC:14:7B:82:CA:D6:57:9D:9D:11:D9:44:13:2F:CC:8D:33:BB:A9:C5:C6:FA:C0:57</SPAN></DIV><DIV>Signature algorithm name: SHA256withRSA</DIV><DIV>Subject Public Key Algorithm: 2048-bit RSA key</DIV><DIV>Version: 1</DIV> Fri, 05 Jan 2024 13:07:29 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/381693#M73699 JamesZhang 2024-01-05T13:07:29Z https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/381699#M73700 <P>Welcome the community&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/108607">@JamesZhang</a>&nbsp;</P> <P>As this is an older post, we recommend starting a new thread. The new thread will provide the opportunity to provide details specific to your environment that could aid others in providing a more accurate answer to your question.</P> Fri, 05 Jan 2024 17:45:33 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/NiFi-Security-configuration-SSLHandshakeException-Received/m-p/381699#M73700 cjervis 2024-01-05T17:45:33Z