Support Questions

pnac03 · ‎10-14-2025

I have multiple instances of nifi running and a central nifi registry is deployed. NiFi Registry is signed by an independent self-issued CA-signed certificate.

I do have a copy of NiFi Registry's truststore and keystore inside my NiFi instance (Kubernetes Pod). And I have configured the registry client with my registry's internal k8s service URL and the associated SSL Context is referenced to the Registry's truststore and keystores. The SSL Context Controller enables fine (indicating the keystores are accessible and the passwords are correct) but then I get the following error message while trying to enable versioning on a process group:

Unable to obtain listing of buckets: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I checked the other topics on this forum and on other forums on the Internet and found that this could be an issue with the validity of the registry's server certificate. The registry's server certificate is not being trusted by NiFi because it's unable to find matches in the referenced truststore.

I have tried verifying this manually from within the instance. I copied the registry's CA PEM certificate (the same one used while generating the registry's truststore and keystore)into the NiFi instance and verified the upstream registry server's certificate with the CA. I can confirm the server is accessible and the server certificates are valid. The truststore shouldn't be an issue and NiFi should be able to interact with the registry.

nifi@nifikop-0-node:/opt/nifi/nifi-current$ openssl s_client -connect nifi-registry.dev.svc.cluster.local:18443 -showcerts -CAfile /tmp/ca-cert.pem

CONNECTED(00000003)
depth=1 CN = 3SCDemo-CA, OU = 3SCDemo
verify return:1
depth=0 CN = nifi-registry, OU = 3SCDemo
verify return:1
---
Certificate chain
 0 s:CN = nifi-registry, OU = 3SCDemo
   i:CN = 3SCDemo-CA, OU = 3SCDemo
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 13 18:35:02 2025 GMT; NotAfter: Sep 13 18:35:02 2026 GMT
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
---
Server certificate
subject=CN = nifi-registry, OU = 3SCDemo
issuer=CN = 3SCDemo-CA, OU = 3SCDemo
---
Acceptable client certificate CA names
CN = 3SCDemo-CA, OU = 3SCDemo
CN = nifi-registry, OU = 3SCDemo
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+S
HA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RS
A-PSS+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1432 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C84E2BFD44167DA371468E366F7E62CE8A2457A88A5FABADCEBA5A182CB29A28
    Session-ID-ctx:
    Resumption PSK: 57C3C840AF40C97DCA5E3C86C67ECC5943711E6D1CFD439DDDCDD30F8A599A620D89F0591288E0F7102C5031C266EFBC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    ..ticket...

    Start Time: 1760469262
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Ideally, I understand it should've worked. But I'm not sure where the issue lies..

vafs · ‎10-15-2025

Hello @pnac03,

Have you checked if the truststore has the CA cert from the NiFi Registry imported?

keytool -list -keystore /path/to/truststore.jks

If is not listed there, you will need to import it :

keytool -importcert -alias 3SCDemo-CA -file /tmp/ca-cert.pem -keystore /path/to/truststore.jks

Regards,
Andrés Fallas
--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs-up button.

pnac03 · ‎10-16-2025

Thank you for the quick reply @vafs !
As I have mentioned above, the truststore that I've referenced belongs to the NiFi Registry. I had copied the truststore from my NiFi Registry instance into my NiFi instance to eliminate any certificate mismatches. But yet it didn't work.

I however tried reimporting the ca certificate into the truststore as you suggested, but I still encounter the same issue while trying to version my flows

nifi@nifikop-0-node:/opt/nifi/nifi-current$ keytool -importcert -alias 3SCDemo-CA -file /tmp/ca-cert.pem -keystore /tmp/nifi-registry-truststore.jks
Enter keystore password:
Certificate already exists in keystore under alias <ca-cert>
Do you still want to add it? [no]: yes
Certificate was added to keystore
nifi@nifikop-0-node:/opt/nifi/nifi-current$

MattWho · ‎10-20-2025

@pnac03

A MutualTLS connection is established between NiFi and NiFi-Registry. This means trust is established in both directions.

You shared only the output from an openssl command connection to your NiFi-Registry.
In that output we see that you NiFi-Registry reports the following:

Acceptable client certificate CA names
CN = 3SCDemo-CA, OU = 3SCDemo
CN = nifi-registry, OU = 3SCDemo

This tells us that your NiFi-Registry will only accept clientAuth certificates signed by the authorities listed in above output.

Also from that same openssl command output we can see the following details of your NiFi-Registry's serverAuth certificate:

Certificate chain
 0 s:CN = nifi-registry, OU = 3SCDemo
   i:CN = 3SCDemo-CA, OU = 3SCDemo
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 13 18:35:02 2025 GMT; NotAfter: Sep 13 18:35:02 2026 GMT

Here we can see that your NiFi-Registry certificate has been signed/Issued by the CA "CN=3SCDemo-CA, OU=3SCDemo".

What you have not shared yet is details from the other side of this mutualTLS connection.

If you ran the same openssl command pointing at your NiFi node it would show us some of the TLS connection details. You would want to look at the same NiFi's certificate chain and the NiFi's acceptable client certificate CA Names form that output. The CA names list must include the following to be able to trust the NiFi-Registry's serverAuth certificate:

CN = 3SCDemo-CA, OU = 3SCDemo

Then you want to look at the NiFi's certificate chain and make sure that all root and intermediate CAs in the trust chain exist in your NiFi-Registry's truststore. Currently your NiFi-Registry only trusts its own certificate and the one above CA.

Also keep in mind the following:

If you have a NiFi cluster setup, every node in the Nifi cluster must be able to establish a mutualTLS connection with your NiFi-Registry and not just the node URL you are currently connected to for UI access.
If you do not have the following setting set to "TRUE" in the nifi.properties file, any changes made to the keystore and truststore are not loaded into NiFi until a NiFi restart: "nifi.security.autoreload.enabled". the default setting is FALSE.
Reference: Security Configuration

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Cloudera Community

Support Questions

Error connecting to NiFi Registry from NiFi UI (certificate issue)