Community Articles

Find and share helpful community-sourced technical articles.
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.
Labels (1)
Cloudera Employee

Connect source (nifi) and destination (nifi) via site-to-site over SSL (https - 9091 port)

NiFi Site to Site SSLHandShakeException PKIX path building failed - Missing TrustStore Certs

Root cause:
Nifi truststores missing certificates of other Nifi

Steps Taken:
1. Run
following command to get the list of Certificates in current Nifi TrustStore

keytool -v -list -keystore <trustStoreLocation>

2. If no certs that belong to target Nifi are found then we can proceed with installing the target Nifi cert
3. Run following command to get the target Nifi public certificate

echo -n|openssl s_client -connect <targetNiFiHostName>:9091 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt

3. Run following command to get the target Nifi public certificate

keytool -import -file /tmp/examplecert.crt -alias <targetNiFiCertificate> -keystore <trustStoreLocation> -storepass xxxx -noprompt 

3. Verify using Openssl or SSLPoke commands

java<trustStoreLocation> SSLPoke <targetNiFiHostName> 9091
openssl s_client -connect <targetNiFiHostName>:9091

4. Verify site-to-site connectivity by re-creating Remote Process Group

Nifi truststore location is generally different from JDK location. Please update certs in appropriate location so NiFi can pick them
2. Target NiFi needs to provide appropriate permissions for the source NiFi user (DN is based on SSL Cert)

0 Kudos
  • It solved my problem, thank you very much. But I changed <targetNiFiHostName>:9091 to the primary domain name:443
Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.
Version history
Last update:
‎12-25-2017 04:14 AM
Updated by:
Top Kudoed Authors