How to use InvokeHTTP without SSL verification

Contributor

How can I use InvokeHTTP without SSL verification? I followed this article on how to import the public certificate but that cert is not CA-signed, and InvokeHTTP doesn't work. Below is the error I get.

https://community.cloudera.com/t5/Support-Questions/Is-it-possible-to-provide-options-to-InvokeHTTP-...

 

vatodorov19_1-1604603238416.png

 

In InvokeHTTP, I'm using the StandardSSLContextService with the following configs:

 

vatodorov19_2-1604603342053.png

 

 

Thanks.

Valentin

 

 

1 ACCEPTED SOLUTION

Super Guru

@vatodorov19 If the service you are connecting to is https, there is no way to use InvokeHTTP without SSL verification. If the remote host is using a publicly signed cert, try using cacerts in your Java location before trying to make keystores and truststores. If you do make keystores and truststores from the service's public or self-signed certs, you will need to make sure those certs are generated following best practices. For example: use a real hostname for the service and make sure you connect to the same hostname, not an IP or "resilient.localdomain".

 

If this answer resolves your issue or allows you to move forward, please choose to ACCEPT this solution and close this topic. If you have further dialogue on this topic, please comment here or feel free to private message me. If you have new questions related to your use case, please create a separate topic and feel free to tag me in your post.

 

Thanks,

Steven


4 REPLIES 4

Contributor

Thanks @stevenmatison

Is there a plan to add a feature to InvokeHTTP to access hosts with a self-signed cert? It is very common for organizations to deploy internal hosts with localhost.localdomain certs, that are only accessible by the IP.

Super Guru

@vatodorov19 I have used tons of self-signed certs and not had issues. Maybe you need to just adjust the method to create the self-signed certs and/or the keystores and truststores based on known working NiFi samples. SSL, certs, keystores, versions, and SSL Context Services are all very finicky, so getting them right can be as easy as a config change or an adjustment in the commands to kick off cert/keystore creation.
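The certificate preparation described in this reply and in the accepted answer, as an added example that is not part of the thread or of NiFi's own documentation: it creates a self-signed certificate whose subjectAltName covers both the host name and the IP address, checks which names would pass verification, and imports the certificate into a truststore. The host name, IP address, alias and password are constructed values, and it assumes OpenSSL 1.1.1 or later and a JDK `keytool` on the PATH.

```shell
#!/bin/sh
# Added example: host name, IP, alias and password below are constructed values.

# Create a self-signed certificate whose SAN lists every name clients will use.
# $1 = output dir, $2 = DNS name, $3 = IPv4 address (-addext needs OpenSSL 1.1.1+)
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/server.key" -out "$1/server.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2,IP:$3" 2>/dev/null
}

# Return 0 only if the certificate is valid for the name used in the URL.
# $1 = certificate file, $2 = host name or IPv4 address as typed in the URL
cert_matches() (
  flag=-checkhost
  case "$2" in
    *[!0-9.]*) ;;          # has a non-digit, non-dot character: host name
    *) flag=-checkip ;;    # digits and dots only: IPv4 literal
  esac
  openssl x509 -in "$1" -noout "$flag" "$2" | grep -q "does match certificate"
)

# Import the certificate into a PKCS12 truststore for the SSL context service.
# $1 = certificate file, $2 = truststore path, $3 = truststore password
make_truststore() {
  keytool -importcert -noprompt -alias invokehttp-target \
    -file "$1" -keystore "$2" -storetype PKCS12 -storepass "$3"
}

demo() {
  dir=$(mktemp -d)
  make_cert "$dir" nifi-target.example.internal 10.0.0.5
  for name in nifi-target.example.internal 10.0.0.5 localhost.localdomain 10.0.0.6; do
    if cert_matches "$dir/server.crt" "$name"; then
      echo "$name: matches certificate"
    else
      echo "$name: would fail hostname verification"
    fi
  done
  command -v keytool >/dev/null &&
    make_truststore "$dir/server.crt" "$dir/truststore.p12" changeit-example
  rm -rf "$dir"
}

# Run the demonstration only when asked: sh script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The resulting `truststore.p12` is what the Truststore Filename, Truststore Password and Truststore Type (PKCS12) properties of StandardSSLContextService would point at.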

Rising Star

I have used InvokeHTTP in version 1.12 without an SSL cert and it works fine; however, the new version 1.16 doesn't. Any settings available to ignore? Ex: I connect to SQL Server with JDBCConnection with the property trustServerCertificate=true; after which it works without certificates.