
How to use InvokeHTTP without SSL verification


How can I use InvokeHTTP without SSL verification? I followed this article on how to import the public certificate but that cert is not CA-signed, and InvokeHTTP doesn't work. Below is the error I get.

https://community.cloudera.com/t5/Support-Questions/Is-it-possible-to-provide-options-to-InvokeHTTP-...

 

[Screenshot: vatodorov19_1-1604603238416.png]

In InvokeHTTP, I'm using the StandardSSLContextService with the following configs:

[Screenshot: vatodorov19_2-1604603342053.png]

Thanks.

Valentin

 

 

1 ACCEPTED SOLUTION


Re: How to use InvokeHTTP without SSL verification

@vatodorov19 If the service you are connecting to is HTTPS, there is no way to use InvokeHTTP without SSL verification. If the remote host is using a publicly signed cert, try using cacerts in your Java location before trying to make keystores and truststores. If you do make keystores and truststores from the service's public or self-signed certs, you will need to make sure those certs are generated following best practices. For example: use a real hostname for the service and make sure you connect to the same hostname, not an IP or "resilient.localdomain".

 

If this answer resolves your issue or allows you to move forward, please choose to ACCEPT this solution and close this topic. If you have further dialogue on this topic, please comment here or feel free to private message me. If you have new questions related to your use case, please create a separate topic and feel free to tag me in your post.

 

Thanks,

Steven
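
The hostname point in the answer above, as an added example (not part of the original thread and not NiFi's own code): a simplified Python version of the name check an HTTPS client applies to the server certificate, run over two constructed certificates. The hostnames, addresses and the `check_target` helper are assumptions made for illustration.

```python
import ipaddress

# Constructed sample certificates, in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the names and addresses are made up.
CERT_LOCALDOMAIN = {
    "subject": ((("commonName", "localhost.localdomain"),),),
    "subjectAltName": (("DNS", "localhost.localdomain"),),
}
CERT_REAL_NAME = {
    "subject": ((("commonName", "nifi-target.example.internal"),),),
    "subjectAltName": (
        ("DNS", "nifi-target.example.internal"),
        ("DNS", "*.api.example.internal"),
        ("IP Address", "10.20.30.40"),
    ),
}


def _dns_match(pattern, host):
    """Compare one DNS SAN to a hostname; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # rejects overly broad names like "*.com"
    return p == h


def check_target(cert, target):
    """Return (ok, reason) for connecting to `target` when the server presents `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is only matched against IP SAN entries, never DNS names.
        ips = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "IP SAN matches"
        return False, f"no IP SAN for {target}; cert has IP SANs {ips}"
    names = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(n, target) for n in names):
        return True, "DNS SAN matches"
    return False, f"no DNS SAN for {target}; cert has DNS SANs {names}"
```

A certificate issued only for `localhost.localdomain` fails this check for any IP address, even when the certificate itself is in the truststore; trust in the issuer and the name match are separate checks.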


3 REPLIES 3

Re: How to use InvokeHTTP without SSL verification

Thanks @stevenmatison

Is there a plan to add a feature to InvokeHTTP to access hosts with a self-signed cert? It is very common for organizations to deploy internal hosts with localhost.localdomain certs, that are only accessible by the IP.

Re: How to use InvokeHTTP without SSL verification

@vatodorov19 I have used tons of self-signed certs and not had issues. Maybe you just need to adjust the method to create the self-signed certs and/or the keystore and truststores based on known working NiFi samples. SSL, certs, keystores, versions, and SSL Context Services are each very finicky, so getting them right can be as easy as a config change or an adjustment in the commands to kick off cert/keystore creation.
