Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

NiFi Site to Site SSLHandShakeException PKIX path building failed - Missing TrustStore Certs

Labels (1)
Labels:
avatar
author-rank sbabu author-rank
Contributor

Created on ‎12-25-2017 04:14 AM

Objective:
Connect source (nifi) and destination (nifi) via site-to-site over SSL (https - 9091 port)

Issue:
NiFi Site to Site SSLHandShakeException PKIX path building failed - Missing TrustStore Certs

Root cause:
Nifi truststores missing certificates of other Nifi

Steps Taken:
1. Run following command to get the list of Certificates in current Nifi TrustStore 

keytool -v -list -keystore <trustStoreLocation>

2. If no certs that belong to target Nifi are found then we can proceed with installing the target Nifi cert
3. Run following command to get the target Nifi public certificate 

echo -n|openssl s_client -connect <targetNiFiHostName>:9091 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt

3. Run following command to get the target Nifi public certificate

keytool -import -file /tmp/examplecert.crt -alias <targetNiFiCertificate> -keystore <trustStoreLocation> -storepass xxxx -noprompt

3. Verify using Openssl or SSLPoke commands 

java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=<trustStoreLocation> -Djavax.net.ssl.trustStorePassword=xxx SSLPoke <targetNiFiHostName> 9091
openssl s_client -connect <targetNiFiHostName>:9091

4. Verify site-to-site connectivity by re-creating Remote Process Group

Note
1. Nifi truststore location is generally different from JDK location. Please update certs in appropriate location so NiFi can pick them
2. Target NiFi needs to provide appropriate permissions for the source NiFi user (DN is based on SSL Cert)

3,893 Views
0 Kudos
Comments

Re: NiFi Site to Site SSLHandShakeException PKIX path building failed - Missing TrustStore Certs

avatar
author-rank k2011168u
New Contributor

Created on ‎07-03-2019 03:41 AM

  • It solved my problem, thank you very much. But I changed <targetNiFiHostName>:9091 to the primary domain name:443
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎12-25-2017 04:14 AM
Updated by:
Contributor Contributor
Contributors