Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Now Live: Explore expert insights and technical deep dives on the new Cloudera Community BlogsRead the Announcement
Solved Go to solution

Error connecting to NiFi Registry from NiFi UI (certificate issue)

Labels:
avatar
author-rank pnac03
Explorer

Created ‎10-14-2025 12:37 PM

I have multiple instances of nifi running and a central nifi registry is deployed. NiFi Registry is signed by an independent self-issued CA-signed certificate.

I do have a copy of NiFi Registry's truststore and keystore inside my NiFi instance (Kubernetes Pod). And I have configured the registry client with my registry's internal k8s service URL and the associated SSL Context is referenced to the Registry's truststore and keystores. The SSL Context Controller enables fine (indicating the keystores are accessible and the passwords are correct) but then I get the following error message while trying to enable versioning on a process group:

Unable to obtain listing of buckets: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


I checked the other topics on this forum and on other forums on the Internet and found that this could be an issue with the validity of the registry's server certificate. The registry's server certificate is not being trusted by NiFi because it's unable to find matches in the referenced truststore.

I have tried verifying this manually from within the instance. I copied the registry's CA PEM certificate (the same one used while generating the registry's truststore and keystore)into the NiFi instance and verified the upstream registry server's certificate with the CA. I can confirm the server is accessible and the server certificates are valid. The truststore shouldn't be an issue and NiFi should be able to interact with the registry.

nifi@nifikop-0-node:/opt/nifi/nifi-current$ openssl s_client -connect nifi-registry.dev.svc.cluster.local:18443 -showcerts -CAfile /tmp/ca-cert.pem

CONNECTED(00000003)
depth=1 CN = 3SCDemo-CA, OU = 3SCDemo
verify return:1
depth=0 CN = nifi-registry, OU = 3SCDemo
verify return:1
---
Certificate chain
 0 s:CN = nifi-registry, OU = 3SCDemo
   i:CN = 3SCDemo-CA, OU = 3SCDemo
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 13 18:35:02 2025 GMT; NotAfter: Sep 13 18:35:02 2026 GMT
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
---
Server certificate
subject=CN = nifi-registry, OU = 3SCDemo
issuer=CN = 3SCDemo-CA, OU = 3SCDemo
---
Acceptable client certificate CA names
CN = 3SCDemo-CA, OU = 3SCDemo
CN = nifi-registry, OU = 3SCDemo
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+S
HA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RS
A-PSS+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1432 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C84E2BFD44167DA371468E366F7E62CE8A2457A88A5FABADCEBA5A182CB29A28
    Session-ID-ctx:
    Resumption PSK: 57C3C840AF40C97DCA5E3C86C67ECC5943711E6D1CFD439DDDCDD30F8A599A620D89F0591288E0F7102C5031C266EFBC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    ..ticket...

    Start Time: 1760469262
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

 
Ideally, I understand it should've worked. But I'm not sure where the issue lies..

2,067 Views
0 Kudos
Tags (2)
4 ACCEPTED SOLUTIONS

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎10-29-2025 09:48 AM

@pnac03 

Looks like you truncated the output of the keytool command for your keystore.
What are the "ExtendedKeyUsages" (EKU) on your PrivateKeyEntry?

It must have:

 

ExtendedKeyUsages [
  serverAuth
  clientAuth
]

 

If it is missing "clientAuth", it can't be used in NiFi by the NiFRegistryFlowRegistryClient because it won't present a client certificate in the mutualTLS exchange. 

But even above if no clientAuth EKU would not explain the exception you get:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This exception is caused by a trust issue. 
The copied over keystore and truststore are owned by the NiFi service user and the NiFi service user can traverse the directory path the the keystore and truststore? 
The URL used in the NiFiRegistryFlowRegistryClient is using https and not http?

Thanks,
Matt

View solution in original post

1,387 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎10-30-2025 05:50 AM

@pnac03 

When "nifi.registry.security.needClientAuth" is set to "true", NiFi-Registry will "Require" a clientAuth certificate be presented in every mutualTLS exchange with the NiFi https endpoint.    When set to "false", NiFi-Registry will "Want"' a clientAuth certificate to be provided in every  mutualTLS exchange.  When you access NiFi-Registry's URL you'll notice that your browser does not present a ClientAuth certificate so NIFi-Registry shows anonymous access.   You then must click login to provide your ldap credentials to authenticate as your user for which you have setup authorization for.  All connections between NiFi and NiFi-Registry must present a clientAuth certificate in response to the Want since no other auth method is supported in that connection pathway.  

Securing your NiFi or NiFi-Registry requires providing proper tls certificate keystore and truststore.  Setting up LDAP as an alternative method of authentication is not a requirement; however, it is the most commonly method used.  You could just create a clientAuth certificate (must be signed by a trusted authority in the truststore) for every user that can be loaded into their browser to authenticate access to NiFi and NiFi-Registry.  Authorization happens after successful authentication.  The user/client identity resulting from successful authentication is based to the configured authorizer to verify that client/user identity is authorized as needed for the request endpoint.  So authorizers is always going to be needed.  Which user-group-providers you choose to use in the authorizers.xml to define the client/user identities you will set authorization policies for is up to you.  The file-user-group-provider is needed to setup authorizations for your clientAuth certificate based identities.   Of course you can also use this provider to manually configure your user identities that match with your ldap (simple if you only have few users).  the ldap-user-group-provider is better if you want to do ldap group based authorizations or you want to authorize a lot of user identities.  Doing a based on ldap groups makes it easy to control access by adding or removing users from groups in ldap. 

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

 

View solution in original post

1,344 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎11-04-2025 10:16 AM

@pnac03 

You will want to restart your NiFi-Registry anytime you modify the configuration of an existing Registry Client or modify the the keystore and/or truststore used by the Registry Client. Only a NiFi restart will trigger the result in those changes being read by the registry client. 

He is the Apache NIFi Jira that covers this bug:
https://issues.apache.org/jira/browse/NIFI-12229

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt



View solution in original post

1,064 Views
0 Kudos

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎11-05-2025 10:13 AM

@pnac03 Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.

Regards,

Diana Torres,
Senior Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

View solution in original post

361 Views
0 Kudos
12 REPLIES 12

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎11-04-2025 10:16 AM

@pnac03 

You will want to restart your NiFi-Registry anytime you modify the configuration of an existing Registry Client or modify the the keystore and/or truststore used by the Registry Client. Only a NiFi restart will trigger the result in those changes being read by the registry client. 

He is the Apache NIFi Jira that covers this bug:
https://issues.apache.org/jira/browse/NIFI-12229

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt



1,065 Views
0 Kudos

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎11-05-2025 10:13 AM

@pnac03 Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.

Regards,

Diana Torres,
Senior Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
362 Views
0 Kudos

avatar
author-rank pnac03
Explorer

Created ‎12-20-2025 12:35 PM

@MattWho Apologies for the delay here. I could finally try using certificates with the EKU Extensions and I do not see a similar authentication issue anymore. 

Thank you for the kind assistance! 

18 Views
0 Kudos
Announcements
Community Announcements
Announcing the Launch of Cloudera Community Blogs
Community Announcements
October / November 2025 Community Highlights
What's New @ Cloudera
Announcing Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
Announcing Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
Welcome to the Cloudera Community!
View More Announcements