Community Articles

Find and share helpful community-sourced technical articles.
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Labels (1)
avatar
Contributor

Objective:
Connect source (nifi) and destination (nifi) via site-to-site over SSL (https - 9091 port)

Issue:
NiFi Site to Site SSLHandShakeException PKIX path building failed - Missing TrustStore Certs

Root cause:
Nifi truststores missing certificates of other Nifi

Steps Taken:
1. Run
following command to get the list of Certificates in current Nifi TrustStore

keytool -v -list -keystore <trustStoreLocation>

2. If no certs that belong to target Nifi are found then we can proceed with installing the target Nifi cert
3. Run following command to get the target Nifi public certificate

echo -n|openssl s_client -connect <targetNiFiHostName>:9091 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt

3. Run following command to get the target Nifi public certificate

keytool -import -file /tmp/examplecert.crt -alias <targetNiFiCertificate> -keystore <trustStoreLocation> -storepass xxxx -noprompt 

3. Verify using Openssl or SSLPoke commands

java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=<trustStoreLocation> -Djavax.net.ssl.trustStorePassword=xxx SSLPoke <targetNiFiHostName> 9091
openssl s_client -connect <targetNiFiHostName>:9091

4. Verify site-to-site connectivity by re-creating Remote Process Group

Note
1.
Nifi truststore location is generally different from JDK location. Please update certs in appropriate location so NiFi can pick them
2. Target NiFi needs to provide appropriate permissions for the source NiFi user (DN is based on SSL Cert)

3,316 Views
0 Kudos
Comments
  • It solved my problem, thank you very much. But I changed <targetNiFiHostName>:9091 to the primary domain name:443
Version history
Last update:
‎12-25-2017 04:14 AM
Updated by:
Contributors