Support Questions

bbouret_prestat · ‎03-20-2019

Hi,

I want to use nifi InvokeHTTP processor to get data from a remote URL.

First, I have tested the following URL with CURL from CLI of my nifi host, retrieving me the file I want so it is OK :

curl --insecure --user <USER>:<PASSWORD> https://<MY_REMOTE_URL>;

The same URL with GET method set in InvokeHTTP processor gives me a SSLHandshakeException (user/password are respectively set in <Basic Authentication Username> and <Basic Authentication Password>)

Routing to Failure due to exception: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This error is skipped with CURL thanks to --insecure option, disabling SSL certificate verification.

So I would like to know if a workaround exists with nifi to disable SSL certificate verification ? (I currently cannot get a certificate allowing me accessing to remote host).

Or is it possible to provide some options to InvokeHTTP processor ? (I know we can set headers using attributes, but what about options like "--insecure" or "-k" ?)

The only way I have found at the moment to achieve what I want is encapsulating the curl call into an ExecuteScript processor, but this solution is not totally satisfying for me.

Thanks

Benjamin

MattWho · ‎03-22-2019

@Benjamin Bouret

The invokeHTTP processor would require you to use a SSL context service when communicating with a secure (https) endpoint. The SSLContext service can be setup with only a truststore.jks if this is only a 1-way TLS connection that does not require client authentication.

-

You should be able to use openssl to get the complete public certificate chain from the target secured endpoint.

From command line execute following command:

Openssl s_client -connect <hostname>:<port> -showcerts

-

The return from this command will include one or more public certificates.

each public certificate will start with and end with following:

-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----

-

Copy each certificate including the above two lines and write each to separate file with a .crt extension.

for example:

CA-1.crt

-

Then import each of these public certificates in to the truststore you want to use in your SSLContext service as follows:

# keytool -import -alias <unique Alias name 1> -file CA-1.crt -keystore truststore.jks
# keytool -import -alias <unique Alias name 2> -file CA-2.crt -keystore truststore.jks
etc...

-

Make your your NiFi service user can read this file where ever you decide to place on each of your NiFi nodes.

-

Thank you,

Matt

-

If you found this answer addressed your question, please take a moment to login in and click the "ACCEPT" link.

Cloudera Community

Support Questions

Is it possible to provide options to InvokeHTTP nifi processor / disable InvokeHTTP SSL certificate verification ?