MiniFi SSL handshake_failure

Rising Star

Hello,

I have a nifi server and minifi agents running on clients. I need to create secure communication between nifi server and minifi agents.

I created certificates and keystores with nifi-toolkit on the nifi server and could establish a secure connection to the nifi server via browser (HTTPS). Then I copied the keystore and truststore files and updated the security and nifi URL parts of minifi's config.yml.

Security Properties:
  keystore: './conf/keystore.jks'
  keystore type: 'JKS'
  keystore password: 'mypassword'
  key password: 'mypassword'
  truststore: './conf/truststore.jks'
  truststore type: 'JKS'
  truststore password: 'mypassword'
  ssl protocol: 'TLS'
  Sensitive Props:
    key:
    algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
    provider: BC
...
Remote Process Groups:
  - id: a3889178-0571-3798-0000-000000000000
    name: ''
    url: https://my-nifi-server:9443
...

When I restart the minifi agent it gives this error:

2018-07-25 17:47:38,681 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

What is wrong?

Regards.


Re: MiniFi SSL handshake_failure

Master Guru

@Mustafa Kemal MAYUK

It may be helpful if you can share any stack trace that follows that error in the app log; that will give more info on the specific handshake failure.

Re: MiniFi SSL handshake_failure

Rising Star

Hello @Matt Clarke

It seems all messages are similar; it is repeating. I can't see a different message.

2018-07-26 09:04:27,722 WARN [Timer-Driven Process Thread-3] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2018-07-26 09:04:27,723 ERROR [Timer-Driven Process Thread-3] o.a.nifi.remote.StandardRemoteGroupPort RemoteGroupPort[name=RGP1,targets=https://my-nifi-server:9443] failed to communicate with https://my-nifi-server:9443 due to org.apache.nifi.remote.exception.UnreachableClusterException: Unable to refresh details from any of the configured remote instances.
2018-07-26 09:04:27,723 WARN [Timer-Driven Process Thread-2] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2018-07-26 09:04:27,723 INFO [StandardProcessScheduler Thread-6] o.a.n.c.s.TimerDrivenSchedulingAgent Scheduled TailFile[id=7b70e94e-2b44-32a6-0000-000000000000] to run with 1 threads
2018-07-26 09:04:27,723 ERROR [Timer-Driven Process Thread-2] o.a.nifi.remote.StandardRemoteGroupPort RemoteGroupPort[name=RGP2,targets=https://my-nifi-server:9443] failed to communicate with https://my-nifi-server:9443 due to org.apache.nifi.remote.exception.UnreachableClusterException: Unable to refresh details from any of the configured remote instances.
2018-07-26 09:04:27,726 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2018-07-26 09:04:27,726 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2018-07-26 09:04:27,727 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@4f1c5017 Unable to refresh Remote Group's peers due to Received fatal alert: handshake_failure
2018-07-26 09:04:27,727 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@13a87254 Unable to refresh Remote Group's peers due to Received fatal alert: handshake_failure
2018-07-26 09:04:27,727 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2018-07-26 09:04:27,727 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@69c7fbb Unable to refresh Remote Group's peers due to Received fatal alert: handshake_failure

Re: MiniFi SSL handshake_failure

Expert Contributor

Were you able to fix this? I too am getting the same error even after ensuring that the truststore and keystore are all correct.

Re: MiniFi SSL handshake_failure

Master Guru
@Mustafa Kemal MAYUK

@Abhinav Joshi

-

Is the Remote Process Group (RPG) located on your MiNiFi or on your NiFi?

Site-To-Site (S2S) is supported with MiNiFi, but only when MiNiFi is the client. This means that MiNiFi must be running the RPG.

-

Beyond that, the SSL/TLS handshake requires proper keystores and truststores in place on both ends of the connection.

Sharing the verbose output of your keystore and truststore files from both your NiFi and MiNiFi would help.

-

Your keystore files must contain only a single "PrivateKeyEntry". The cert must contain the hostname (typically the FQDN) in the DN or in a Subject Alternative Name field. The keystore must support both ClientAuth and ServerAuth. Check for any ExtendedKeyUsage properties and make sure it contains both of the above.

-

The truststore will contain 1 to many "TrustedCertEntry" public certs in it. The full trust chain which signed your PrivateKeyEntry from both keystores should be found in the truststore being used on both MiNiFi and NiFi. When you look at the PrivateKeyEntry in your keystores, you will see that the cert has an "Owner" and "Issuer". That "Issuer" must appear as a trustedCertEntry in the truststore files. You may find that the issuer of your PrivateKeyEntry is just an intermediate CA and has been signed ("issuer") by yet another CA. That additional root CA ("issuer") should also be found in your truststore.

-

You can use the keytool command to get a verbose listing of your various keystore and truststore files:

keytool -v -list -keystore <keystore or truststore jks file>

-

Thanks,

Matt

-

If you found this answer addressed your question, please take a moment to log in and click the "ACCEPT" link.
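The checklist above (one PrivateKeyEntry, ExtendedKeyUsage with both serverAuth and clientAuth, the agent hostname in the DN or a DNSName SAN, and the key cert's issuer present in the truststore) applied mechanically to `keytool -v -list` output, as an added example that is not part of any post in this thread. The two listings are constructed sample output with made-up hostnames (minifi.example.org, nifi-ca.example.org); in practice you would point the functions at the saved output of the keytool command shown above.

```shell
#!/bin/sh
# Added example: apply the keystore/truststore checklist to the text that
#   keytool -v -list -keystore <file>
# prints. Both listings below are constructed samples, not real stores.

KS=$(mktemp); TS=$(mktemp)
cat >"$KS" <<'EOF'
Your keystore contains 1 entry

Alias name: minifi
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=minifi.example.org, OU=NIFI
Issuer: CN=nifi-ca.example.org, OU=NIFI
Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: minifi.example.org
]
EOF
cat >"$TS" <<'EOF'
Your keystore contains 1 entry

Alias name: nifi-ca
Entry type: trustedCertEntry
Owner: CN=nifi-ca.example.org, OU=NIFI
Issuer: CN=nifi-ca.example.org, OU=NIFI
EOF

# 1. The keystore must hold exactly one PrivateKeyEntry (prints the count).
private_key_entries() { grep -c '^Entry type: PrivateKeyEntry' "$1"; }

# 2. The ExtendedKeyUsages block must list both serverAuth and clientAuth.
has_client_and_server_auth() {
  awk '/^ExtendedKeyUsages \[/{f=1} f&&/serverAuth/{s=1} f&&/clientAuth/{c=1}
       /^\]/{f=0} END{exit !(s&&c)}' "$1"
}

# 3. The expected hostname must appear as CN= in the DN or as a DNSName SAN.
names_host() { grep -Eq "^Owner: .*CN=$2(,|\$)|^ *DNSName: $2\$" "$1"; }

# 4. The key cert's Issuer must be the Owner of an entry in the truststore
#    (the trust gap behind "Signature does not match" later in the thread).
issuer_in_truststore() {
  issuer=$(sed -n 's/^Issuer: //p' "$1" | head -n 1)
  grep -Fxq "Owner: $issuer" "$2"
}

check_pair() {  # args: keystore listing, truststore listing, expected hostname
  [ "$(private_key_entries "$1")" -eq 1 ] && has_client_and_server_auth "$1" &&
  names_host "$1" "$3" && issuer_in_truststore "$1" "$2"
}
```

Run the same functions against listings from both the NiFi and the MiNiFi side, since the handshake is mutual and either end can be the one with the gap.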


Re: MiniFi SSL handshake_failure

Expert Contributor

Hi @Matt Clarke

Thanks for these details. I will just explain what we have done so far. We have two Linux servers, one where minifi is installed and one where nifi is installed. Let's just call them nifi and minifi. I then generated the keystores on the nifi server for the minifi server. My command looks like this:

bin/tls-toolkit.sh standalone -n minifi -d 3650 -o .

The keystore and truststore files were generated using the above command and were SFTPed to the minifi server. So, when I started minifi, I am getting the error below:

NiFi Site-to-Site Connection Pool Maintenance] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://NIFI_SERVER:8443/nifi-api due to javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by CN=localhost, OU=NIFI is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match.

I also ran the keytool command and it only contains one entry:

-bash-4.2$ keytool -v -list -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 1 entry

Any idea why I am getting the error or which step I am missing?

Re: MiniFi SSL handshake_failure

Master Guru
@Abhinav Joshi

The "Signature does not match" error is the symptom that the client does not trust the certificate presented from the server, i.e. the client truststore does not contain a trustedCertEntry for the server's certificate or the server's certificate trust chain (TrustedCertEntry for the server certificate's "issuer").

-

Without seeing the verbose output from the keystore (both client and server side) and truststore (both client and server side), it would be very difficult to say what the exact issue is here. But the issue does fall somewhere in a failed 2-way TLS handshake.

-

Thank you,

Matt
