
NIFI site-to-site

I've looked over all the docs and community docs I can find, and was able to get a secure site-to-site created between two test servers. When I try the same thing on what will be the production servers, I'm getting these errors:

2017-07-24 08:58:49,921 WARN [Remote Process Group 66095bd5-015d-1000-ffff-ffffc137c746: https://mrdhdfaz1.hosts.jhmi.edu:9091/nifi Thread-1] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://mrdhdfaz1.hosts.jhmi.edu:9091/nifi-api due to javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2017-07-24 08:58:49,922 WARN [Remote Process Group 66095bd5-015d-1000-ffff-ffffc137c746: https://mrdhdfaz1.hosts.jhmi.edu:9091/nifi Thread-1] o.a.n.remote.StandardRemoteProcessGroup Unable to connect to RemoteProcessGroup[https://mrdhdfaz1.hosts.jhmi.edu:9091/nifi] due to javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2017-07-24 08:58:49,923 WARN [Timer-Driven Process Thread-3] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://mrdhdfaz1.hosts.jhmi.edu:9091/nifi-api due to javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2017-07-24 08:58:49,923 WARN [Timer-Driven Process Thread-3] o.apache.nifi.controller.FlowController Unable to communicate with remote instance RemoteProcessGroup[https://mrdhdfaz1.hosts.jhmi.edu:9091/nifi] due to org.apache.nifi.controller.exception.CommunicationsException: Unable to communicate with Remote NiFi at URI https://mrdhdfaz1.hosts.jhmi.edu:9091/nifi due to: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I feel like I have all the certs exchanged properly, but I must be missing something... Here's what the keystores and truststores look like:

Keystore of the on-prem server trying to connect to the Azure server:

[root@mrdhdf1 conf]# keytool -list -keystore keystore.jks -v | egrep "Alias|Owner|Issuer|Serial|CA"
Enter keystore password:
Alias name: nifi-key
Owner: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Serial number: 15d2dd0c07800000000
CA:false
Owner: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Serial number: 15bc91e68f400000000
CA:true
[root@mrdhdf1 conf]#

Keystore of the Azure server being connected to:

[root@mrdhdfaz1 conf]# keytool -list -keystore keystore.jks -v | egrep "Alias|Owner|Issuer|Serial|CA"
Enter keystore password:
Alias name: nifi-key
Owner: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Serial number: 15d517fd02b00000000
CA:false
Owner: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Serial number: 15d18da8db100000000
CA:true

Truststore of the on-prem server:

[root@mrdhdf1 conf]# keytool -list -keystore truststore.jks -v | egrep "Alias|Owner|Issuer|Serial|CA"
Enter keystore password:
Alias name: rangeradmin
Owner: CN=mrdhdf1.hosts.jhmi.edu, OU=mycompany, O=JH, L=mycity, ST=mystate, C=US
Issuer: CN=mrdhdf1.hosts.jhmi.edu, OU=mycompany, O=JH, L=mycity, ST=mystate, C=US
Serial number: 121e8ce9
Alias name: nifi-cert
Owner: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Serial number: 15bc91e68f400000000
CA:true
Alias name: mrdhdfaz1-ca
Owner: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Serial number: 15d18da8db100000000
CA:true
Alias name: mrdhdfaz1
Owner: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Serial number: 15d517fd02b00000000
CA:false
[root@mrdhdf1 conf]#

Truststore of the Azure server:

[root@mrdhdfaz1 conf]# keytool -list -keystore truststore.jks -v | egrep "Alias|Owner|Issuer|Serial|CA"
Enter keystore password:
Alias name: mrdhdf1-nifi-cert
Owner: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Serial number: 15bc91e68f400000000
CA:true
Alias name: nifi-cert
Owner: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdfaz1.hosts.jhmi.edu, OU=NIFI
Serial number: 15d18da8db100000000
CA:true
Alias name: mrdhdf1
Owner: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Issuer: CN=mrdhdf1.hosts.jhmi.edu, OU=NIFI
Serial number: 15d2dd0c07800000000
CA:false
Alias name: rangeradmin
Owner: CN=mrdhdfaz1.hosts.jhmi.edu, OU=mycompany, O=JH, L=mycity, ST=mystate, C=US
Issuer: CN=mrdhdfaz1.hosts.jhmi.edu, OU=mycompany, O=JH, L=mycity, ST=mystate, C=US
Serial number: 74327f41
[root@mrdhdfaz1 conf]#

All cacerts files I can find on the on-prem server have the Azure CA cert added:

[root@mrdhdf1 conf]# keytool -list -v -keystore /usr/jdk64/jdk1.8.0_77/jre/lib/security/cacerts | grep 15d18da8db100000000
Enter keystore password: changeit
Serial number: 15d18da8db100000000
[root@mrdhdf1 conf]# keytool -list -v -keystore /etc/pki/java/cacerts | grep 15d18da8db100000000
Enter keystore password: changeit
Serial number: 15d18da8db100000000
[root@mrdhdf1 conf]# keytool -list -v -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-2.b11.el7_3.x86_64/jre/lib/security/cacerts | grep 15d18da8db100000000
Enter keystore password: changeit
Serial number: 15d18da8db100000000

Same with the Azure server:

[root@mrdhdfaz1 conf]# keytool -list -v -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts | grep 15bc91e68f400000000
Enter keystore password: changeit
Serial number: 15bc91e68f400000000
[root@mrdhdfaz1 conf]# keytool -list -v -keystore /etc/pki/java/cacerts | grep 15bc91e68f400000000
Enter keystore password: changeit
Serial number: 15bc91e68f400000000
[root@mrdhdfaz1 conf]# keytool -list -v -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre/lib/security/cacerts | grep 15bc91e68f400000000
Enter keystore password: changeit
Serial number: 15bc91e68f400000000
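As an added example that is not part of the original post (and not NiFi's or Cloudera's code), the following POSIX shell script reproduces a "no valid certification path" failure offline with throwaway OpenSSL-generated certificates and makes the check that the keytool Owner/Issuer/Serial listings above cannot: whether a certificate was actually signed by the CA sitting in the truststore, or merely carries the same Subject and Issuer DN as that CA. The DN mirrors the post's; the file names, the config section names and the "lookalike" certificate are all constructed here.

```shell
#!/bin/sh
# Added example (not code from the original post, NiFi or Cloudera).
# Reproduces a "no valid certification path" failure offline with throwaway
# OpenSSL certificates and shows the check keytool's Owner/Issuer listing
# cannot make: was the peer cert signed by the CA in the truststore, or does
# it merely share the CA's DN? The DN mirrors the post; file names and the
# lookalike certificate are constructed here.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config for all three certs: identical DN, explicit extensions so the
# result does not depend on whatever the system openssl.cnf contains.
cat > "$WORK/s2s.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
OU = NIFI
CN = mrdhdfaz1.hosts.jhmi.edu
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
[leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = serverAuth, clientAuth
EOF

# Self-signed CA: what the "CA:true" truststore entries in the post represent.
gen_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/s2s.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Leaf issued by that CA. Its Issuer DN equals its own Subject DN, exactly as
# in the post's keytool output, so only the signature and the AKID/SKID link
# distinguish it from a self-signed certificate.
gen_signed_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/s2s.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -CAserial "$WORK/ca.srl" \
    -extfile "$WORK/s2s.cnf" -extensions leaf \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Lookalike: self-signed, same Subject and Issuer DN, different key. keytool
# prints identical Owner/Issuer lines for it, yet no path to ca.pem exists.
gen_lookalike() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/s2s.cnf" -extensions v3_ca \
    -keyout "$WORK/lookalike.key" -out "$WORK/lookalike.pem" 2>/dev/null
}

# verify_against TRUSTED_CA_PEM CERT_PEM -> prints OK or FAIL, always exits 0.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Public-key digest: the thing to compare between a truststore entry and the
# CA that really issued the peer's certificate, since DNs can coincide.
pubkey_sha256() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

gen_ca && gen_signed_leaf && gen_lookalike

echo "signed leaf vs CA: $(verify_against "$WORK/ca.pem" "$WORK/leaf.pem")"
echo "lookalike vs CA:   $(verify_against "$WORK/ca.pem" "$WORK/lookalike.pem")"
echo "CA key:            $(pubkey_sha256 "$WORK/ca.pem")"
echo "lookalike key:     $(pubkey_sha256 "$WORK/lookalike.pem")"
openssl x509 -in "$WORK/lookalike.pem" -noout -subject -issuer
```

To run the same check against real material, export the CA entry from the NiFi truststore with `keytool -exportcert -rfc -keystore truststore.jks -alias mrdhdfaz1-ca -file azure-ca.pem`, capture what the Azure node actually presents with `openssl s_client -connect mrdhdfaz1.hosts.jhmi.edu:9091 -showcerts </dev/null`, and run `openssl verify -CAfile azure-ca.pem` against the first certificate in that output; if the verify fails, compare the public-key digests of the exported entry and of the issuer you expected. One caveat when reading the cacerts checks in the post: NiFi builds the SSLContext for a Remote Process Group from the keystore and truststore set in nifi.properties (`nifi.security.keystore`, `nifi.security.truststore`), so the JVM's cacerts files are not what the site-to-site client consults.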
