Created 04-14-2020 04:39 AM
I am using Nifi Version 18.104.22.168.1.2.0-7.I am trying to fetch data from aws s3 storage by using fetchs3object processor.I had attached the screenshot of processor.I am trying to connect through aws access key and security key which i had already provided in the configuration details of fetchs3object prcessor.I had also provided bucket name,object key,region as shown in image.I am trying to connect to aws from nifi first time.It is showing error 'unable to find valid certification path to requested target' while starting the processor.
Please help me in resolving the error.
Created 04-14-2020 04:59 AM
@mayank_tripathi The solution here is to setup the SSL context Service for the processor. To do this you will need to create a new SSL Context Service and provide it a path to keystore and/or truststore files which contain the s3 bucket’s SSL CERT. The files should be on all nifi nodes, owned by nifi user.
Created 04-14-2020 07:35 AM
Thanks for replying.
Please help me regarding these points are:
1)Does we need keystore and truststore file both or using any of them would work.
2)How we can create keystore and truststore files.
Created 04-14-2020 09:30 AM
For your example I would use truststore to "Trust Amazon's Cert". You get the Amazon Cert, and create truststore with it. There are many ways to get the Amazon Cert. Recently, I found that a very easy way (windows) is to use a browser. Visit an https url to your s3 host. Click the SSL link, view certificate, download, etc. On Nifi node add this cert file to /etc/nifi/ssl/ as amazon.cer. Next the truststore command looks like:
/usr/jdk64/jdk1.8.0_112/bin/keytool -import -file /etc/nifi/ssl/amazon.cer -alias amazon -keystore /etc/nifi/ssl/truststore-amazon.jks
Make sure the file is chown nifi:nifi (owned to nifi user) and copied to all nodes.
The SSLContext controller service is then configured as:
Created on 04-16-2020 03:55 AM - edited 04-16-2020 03:57 AM
Thanks for replying.
1)I didn't understand exactly the way you suggested to download ssl certification.Please clear the steps once .
2)Please confirm that this is a free service or paid service.
Created 04-16-2020 05:23 AM
There are many ways to get a public cert. I just recommend one I used recently. You basically just click the lock in your browser. In windows you can then download files from there. If you are not on windows, or using command line you can reference this link for some other ways to get the public cert for amazon s3 urls:
Not sure what your last question refers to?
Created on 04-16-2020 07:20 AM - edited 04-16-2020 07:27 AM
Thanks for replying.
I had attached the screenshot of .cer file i had downloaded.
1)Please confirm the below steps
Now i will add .cer file at /etc/nifi/ssl/ as amazon.cer and trustore file at /trial as truststore-amazon.jks.I will change the jdk version as per version present on my cluster in truststore file.The content of truststore file will be like
/usr/jdk64/jdk1.8.0_77/bin/keytool -import -file /etc/nifi/ssl/amazon.cer -alias amazon -keystore /etc/nifi/ssl/truststore-amazon.jks
I will mention the truststore filename as /trial/truststore-amazon.jks in the configuration of fecths3 processor.
2)Using ssl certification is free service or i need to pay to amazon for it.
Created 04-16-2020 07:32 AM
@mayank_tripathi It's free. No issues there.
Yes I believe your summary is correct. If you are using /trial folder, you can put the cer in there, and then execute the trustore command. I like to keep all my files in the same place. Just make sure when you are done that /trial folder is right permissions so nifi user can read the files and the files are copied to all nifi nodes. If you do not do correct ownership and copy to all nodes part, the controller service will throw an error.
Created 01-04-2022 09:13 AM
Hi to all.
i'm having the same issue, even after following the procedure.
What i did:
1) get the ssl certificate from AWS using the ssl:
penssl s_client -showcerts -connect <source>:443 </dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
2) Copy the result to a *.crt file
3) convert the file to DEM
openssl x509 -in aws_cert.crt -inform PEM -out aws_cert.der -outform DER
4) Create the jks file using keytools
keytool -import -trustcacerts -alias aws3buckets -file aws_cert.der -keystore truststore-amazon.jks
5) change the permissions to be accessible from nifi.
6) add the file in the StandardSSLContextService and set password.
I receive the same e
SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Do you have any clue how to solve this?
I can use the crt file on the keytool?
There is any version of keytool that we need to use?