I want to use the NiFi InvokeHTTP processor to get data from a remote URL.
First, I tested the following URL with curl from the CLI of my NiFi host. It retrieves the file I want, so it is OK:
curl --insecure --user <USER>:<PASSWORD> https://<MY_REMOTE_URL>;
The same URL with the GET method set in the InvokeHTTP processor gives me an SSLHandshakeException (user/password are set in <Basic Authentication Username> and <Basic Authentication Password> respectively):
Routing to Failure due to exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This error is skipped with curl thanks to the --insecure option, which disables SSL certificate verification.
So I would like to know if a workaround exists in NiFi to disable SSL certificate verification? (I currently cannot get a certificate allowing me to access the remote host.)
Or is it possible to provide some options to the InvokeHTTP processor? (I know we can set headers using attributes, but what about options like "--insecure" or "-k"?)
The only way I have found at the moment to achieve what I want is encapsulating the curl call into an ExecuteScript processor, but this solution is not totally satisfying for me.
The InvokeHTTP processor would require you to use an SSL context service when communicating with a secure (https) endpoint. The SSLContext service can be set up with only a truststore.jks if this is only a 1-way TLS connection that does not require client authentication.
You should be able to use openssl to get the complete public certificate chain from the target secured endpoint.
From the command line, execute the following command:
openssl s_client -connect <hostname>:<port> -showcerts
The return from this command will include one or more public certificates.
Each public certificate will start and end with the following:
-----BEGIN CERTIFICATE----- ..... -----END CERTIFICATE-----
Copy each certificate, including the above two lines, and write each to a separate file with a .crt extension.
Then import each of these public certificates into the truststore you want to use in your SSLContext service as follows:
# keytool -import -alias <unique Alias name 1> -file CA-1.crt -keystore truststore.jks
# keytool -import -alias <unique Alias name 2> -file CA-2.crt -keystore truststore.jks
etc...
Make sure your NiFi service user can read this file wherever you decide to place it on each of your NiFi nodes.
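The copy-and-import steps in the answer above can be scripted; the following is an added example, not part of the original answer. The function names (split_chain, import_chain, sample_showcerts) and the sample input are constructed for illustration. Because the certificates come from the server itself, the import step prints each SHA-256 fingerprint so it can be compared against a value obtained from the endpoint's owner before keytool's trust prompt is accepted.

```shell
# split_chain OUTDIR: read `openssl s_client -showcerts` output on stdin and
# write each PEM block to OUTDIR/CA-<n>.crt. Prints the number of files written.
split_chain() {
  sc_dir=$1
  mkdir -p "$sc_dir" || return 1
  awk -v dir="$sc_dir" '
    /^-----BEGIN CERTIFICATE-----/ { n++; file = sprintf("%s/CA-%d.crt", dir, n); inside = 1 }
    inside                         { print > file }
    /^-----END CERTIFICATE-----/   { if (inside) close(file); inside = 0 }
    END                            { print n + 0 }
  '
}

# import_chain OUTDIR TRUSTSTORE: show each certificate's subject and SHA-256
# fingerprint, then import it under a unique alias (CA-1, CA-2, ...).
# keytool stays interactive: it asks for the store password and for confirmation.
import_chain() {
  for ic_crt in "$1"/CA-*.crt; do
    [ -f "$ic_crt" ] || continue
    openssl x509 -in "$ic_crt" -noout -subject -fingerprint -sha256
    keytool -import -alias "$(basename "$ic_crt" .crt)" -file "$ic_crt" -keystore "$2"
  done
}

# Constructed sample shaped like s_client output; the bodies are not real certificates.
sample_showcerts() {
  cat <<'EOF'
CONNECTED(00000003)
 0 s:CN = constructed-leaf.example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = constructed-ca.example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Usage against a real endpoint:
#   openssl s_client -connect <hostname>:<port> -showcerts </dev/null | split_chain ./chain
#   import_chain ./chain truststore.jks
```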