Is it possible to provide options to the InvokeHTTP nifi processor / disable InvokeHTTP SSL certificate verification?


Hi,


I want to use nifi InvokeHTTP processor to get data from a remote URL.


First, I have tested the following URL with CURL from the CLI of my nifi host; it retrieves the file I want, so it is OK:


curl --insecure --user <USER>:<PASSWORD> https://<MY_REMOTE_URL>;


The same URL with GET method set in the InvokeHTTP processor gives me an SSLHandshakeException (user/password are respectively set in <Basic Authentication Username> and <Basic Authentication Password>):


Routing to Failure due to exception: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


This error is skipped with CURL thanks to the --insecure option, which disables SSL certificate verification.


So I would like to know if a workaround exists with nifi to disable SSL certificate verification? (I currently cannot get a certificate allowing me to access the remote host.)

Or is it possible to provide some options to the InvokeHTTP processor? (I know we can set headers using attributes, but what about options like "--insecure" or "-k"?)


The only way I have found at the moment to achieve what I want is encapsulating the curl call in an ExecuteScript processor, but this solution is not totally satisfying for me.


Thanks



Benjamin

1 REPLY 1

Master Mentor

@Benjamin Bouret

The InvokeHTTP processor would require you to use an SSL context service when communicating with a secure (https) endpoint. The SSLContext service can be set up with only a truststore.jks if this is only a 1-way TLS connection that does not require client authentication.

-

You should be able to use openssl to get the complete public certificate chain from the target secured endpoint.

From the command line, execute the following command:

openssl s_client -connect <hostname>:<port> -showcerts

-

The return from this command will include one or more public certificates.

Each public certificate will start and end with the following:

-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----

-

Copy each certificate, including the above two lines, and write each to a separate file with a .crt extension.

for example:

CA-1.crt

-

Then import each of these public certificates into the truststore you want to use in your SSLContext service as follows:

# keytool -import -alias <unique Alias name 1> -file CA-1.crt -keystore truststore.jks
# keytool -import -alias <unique Alias name 2> -file CA-2.crt -keystore truststore.jks
etc...

-

Make sure your NiFi service user can read this file wherever you decide to place it on each of your NiFi nodes.

-

Thank you,

Matt

-

If you found this answer addressed your question, please take a moment to log in and click the "ACCEPT" link.
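The procedure in the answer above (fetch the chain with openssl, split it into CA-N.crt files, import each with keytool), automated as an added example that is not part of the answer or of NiFi itself; the hostname, port, truststore path and password are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): fetch the chain a remote endpoint
# presents, split it into one .crt file per certificate, and import each
# into a JKS truststore for the NiFi SSLContext service.
set -eu

# Split a PEM stream on stdin into CA-1.crt, CA-2.crt, ... inside $1 and
# print how many certificates were written. openssl's extra output (the
# CONNECTED line, subject/issuer lines) falls outside BEGIN/END and is dropped.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/CA-" n ".crt" }
        n && out != ""                 { print > out }
        /-----END CERTIFICATE-----/    { close(out); out = "" }
        END                            { print n + 0 }
    '
}

# Fetch the chain from a live endpoint. -servername sends SNI so a name-based
# virtual host returns its own certificate; </dev/null ends the session right
# after the handshake instead of waiting for input.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Import every CA-N.crt in $1 into the JKS truststore $2 (password $3), using
# the file name as a unique alias. -noprompt skips the interactive
# "Trust this certificate?" question, so inspect the .crt files beforehand.
import_chain() {
    for crt in "$1"/CA-*.crt; do
        alias=$(basename "$crt" .crt)
        keytool -importcert -noprompt -alias "$alias" -file "$crt" \
                -keystore "$2" -storepass "$3" -storetype JKS
    done
}

# Usage: ./trust-remote.sh <hostname> <port> [truststore.jks] [password]
# Runs only when a host and port are given, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    store="${3:-truststore.jks}"
    pass="${4:-changeit}"
    dir=$(mktemp -d)
    count=$(fetch_chain "$1" "$2" | split_chain "$dir")
    echo "wrote $count certificate(s) to $dir"
    import_chain "$dir" "$store" "$pass"
    keytool -list -keystore "$store" -storepass "$pass" -storetype JKS
fi
```

Point the SSLContext service's truststore at the resulting file, make it readable by the NiFi service user on every node, and verify the aliases with the final keytool -list.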