I have multiple instances of nifi running and a central nifi registry is deployed. NiFi Registry is signed by an independent self-issued CA-signed certificate.
I do have a copy of NiFi Registry's truststore and keystore inside my NiFi instance (Kubernetes Pod). And I have configured the registry client with my registry's internal k8s service URL and the associated SSL Context is referenced to the Registry's truststore and keystores. The SSL Context Controller enables fine (indicating the keystores are accessible and the passwords are correct) but then I get the following error message while trying to enable versioning on a process group:
Unable to obtain listing of buckets: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I checked the other topics on this forum and on other forums on the Internet and found that this could be an issue with the validity of the registry's server certificate. The registry's server certificate is not being trusted by NiFi because it's unable to find matches in the referenced truststore.
I have tried verifying this manually from within the instance. I copied the registry's CA PEM certificate (the same one used while generating the registry's truststore and keystore)into the NiFi instance and verified the upstream registry server's certificate with the CA. I can confirm the server is accessible and the server certificates are valid. The truststore shouldn't be an issue and NiFi should be able to interact with the registry.
nifi@nifikop-0-node:/opt/nifi/nifi-current$ openssl s_client -connect nifi-registry.dev.svc.cluster.local:18443 -showcerts -CAfile /tmp/ca-cert.pem
CONNECTED(00000003)
depth=1 CN = 3SCDemo-CA, OU = 3SCDemo
verify return:1
depth=0 CN = nifi-registry, OU = 3SCDemo
verify return:1
---
Certificate chain
0 s:CN = nifi-registry, OU = 3SCDemo
i:CN = 3SCDemo-CA, OU = 3SCDemo
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 13 18:35:02 2025 GMT; NotAfter: Sep 13 18:35:02 2026 GMT
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
---
Server certificate
subject=CN = nifi-registry, OU = 3SCDemo
issuer=CN = 3SCDemo-CA, OU = 3SCDemo
---
Acceptable client certificate CA names
CN = 3SCDemo-CA, OU = 3SCDemo
CN = nifi-registry, OU = 3SCDemo
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+S
HA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RS
A-PSS+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1432 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: C84E2BFD44167DA371468E366F7E62CE8A2457A88A5FABADCEBA5A182CB29A28
Session-ID-ctx:
Resumption PSK: 57C3C840AF40C97DCA5E3C86C67ECC5943711E6D1CFD439DDDCDD30F8A599A620D89F0591288E0F7102C5031C266EFBC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
..ticket...
Start Time: 1760469262
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Ideally, I understand it should've worked. But I'm not sure where the issue lies..
