
Objective:
Connect a source NiFi to a destination NiFi via site-to-site over SSL (HTTPS, port 9091)

Issue:
NiFi site-to-site fails with SSLHandshakeException: PKIX path building failed (missing truststore certificates)

Root cause:
The NiFi truststores are missing the certificates of the other NiFi

Steps Taken:
1. Run the following command to list the certificates in the current NiFi truststore:

keytool -v -list -keystore <trustStoreLocation>

2. If no certificates belonging to the target NiFi are found, proceed with installing the target NiFi certificate.
3. Run the following command to get the target NiFi public certificate:

echo -n | openssl s_client -connect <targetNiFiHostName>:9091 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt

4. Run the following command to import the target NiFi certificate into the truststore:

keytool -import -file /tmp/examplecert.crt -alias <targetNiFiCertificate> -keystore <trustStoreLocation> -storepass xxxx -noprompt

5. Verify using the openssl or SSLPoke commands:

java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=<trustStoreLocation> -Djavax.net.ssl.trustStorePassword=xxx SSLPoke <targetNiFiHostName> 9091
openssl s_client -connect <targetNiFiHostName>:9091

6. Verify site-to-site connectivity by re-creating the Remote Process Group.
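
The certificate saved to /tmp/examplecert.crt is whatever the remote endpoint presented, so checking its SHA-256 fingerprint against a value obtained from the target NiFi's administrator before the keytool import confirms that the intended certificate is the one being trusted. The following is an added example, not part of the original article; the function names and the TRUSTSTORE_PASS variable are assumptions, and the expected fingerprint has to come from the target side.

```bash
# Added example (not from the original article): pin the fetched certificate
# to a known SHA-256 fingerprint before importing it into the truststore.

# Print the SHA-256 fingerprint (lowercase hex) of the first certificate in a
# PEM file. The fingerprint is the hash of the DER bytes, which are the
# base64-decoded body between the BEGIN/END lines.
pem_sha256() {
    grep -q -- '-BEGIN CERTIFICATE-' "$1" || return 1   # no certificate captured
    awk '/-BEGIN CERTIFICATE-/ {inside=1; next}
         /-END CERTIFICATE-/   {exit}
         inside                {print}' "$1" \
      | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept "AA:BB:..." (as printed by openssl/keytool) or plain hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# import_if_pinned <pem> <expected_fingerprint> <alias> <truststore>
# Imports only when the fingerprints match; otherwise keytool is never called.
# The truststore password is read from the environment variable
# TRUSTSTORE_PASS (assumed name) via keytool's ":env" password modifier,
# which keeps it off the command line.
import_if_pinned() {
    local pem=$1 expected actual
    expected=$(normalize_fp "$2")
    actual=$(pem_sha256 "$pem") || { echo "no certificate in $pem" >&2; return 1; }
    if [ ${#expected} -ne 64 ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    keytool -import -file "$pem" -alias "$3" -keystore "$4" \
        -storepass:env TRUSTSTORE_PASS -noprompt
}

# Usage, with the placeholders used in the steps above:
#   export TRUSTSTORE_PASS=...
#   import_if_pinned /tmp/examplecert.crt "<fingerprint from target admin>" \
#       "<targetNiFiCertificate>" "<trustStoreLocation>"
```

On the target side, the fingerprint to compare against can be read with `openssl x509 -noout -fingerprint -sha256 -in <certificate file>`.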

Note
1. The NiFi truststore location is generally different from the JDK location. Please update certs in the appropriate location so NiFi can pick them up
2. Target NiFi needs to provide appropriate permissions for the source NiFi user (DN is based on SSL Cert)

Comments
  • It solved my problem, thank you very much. But I changed <targetNiFiHostName>:9091 to the primary domain name:443
Version history
Revision #: 1 of 1
Last update: 12-25-2017 04:14 AM