Community Articles
Find and share helpful community-sourced technical articles.
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.
Labels (1)
Cloudera Employee

Connect source (nifi) and destination (nifi) via site-to-site over SSL (https - 9091 port)

NiFi Site to Site SSLHandShakeException PKIX path building failed - Missing TrustStore Certs

Root cause:
Nifi truststores missing certificates of other Nifi

Steps Taken:
1. Run
following command to get the list of Certificates in current Nifi TrustStore

keytool -v -list -keystore <trustStoreLocation>

2. If no certs that belong to target Nifi are found then we can proceed with installing the target Nifi cert
3. Run following command to get the target Nifi public certificate

echo -n|openssl s_client -connect <targetNiFiHostName>:9091 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt

3. Run following command to get the target Nifi public certificate

keytool -import -file /tmp/examplecert.crt -alias <targetNiFiCertificate> -keystore <trustStoreLocation> -storepass xxxx -noprompt 

3. Verify using Openssl or SSLPoke commands

java<trustStoreLocation> SSLPoke <targetNiFiHostName> 9091
openssl s_client -connect <targetNiFiHostName>:9091

4. Verify site-to-site connectivity by re-creating Remote Process Group

Nifi truststore location is generally different from JDK location. Please update certs in appropriate location so NiFi can pick them
2. Target NiFi needs to provide appropriate permissions for the source NiFi user (DN is based on SSL Cert)

0 Kudos
Not applicable
  • It solved my problem, thank you very much. But I changed <targetNiFiHostName>:9091 to the primary domain name:443
Don't have an account?
Version history
Last update:
‎12-25-2017 04:14 AM
Updated by:
Top Kudoed Authors