Support Questions

Techie123 · ‎06-15-2022

Hi, I need help. I have successfully installed NiFi on Cooperates Linux Machine. But while accessing this NiFi server getting "This site can’t be reached" error. We checked everything but still persisting the issue. Please help me.

MattWho · ‎06-15-2022

@Techie123

When you say "Cooperates Linux Machine", are you referring to http://www.colinux.org/ installation?
If so, this does not sound like an ideal place to try and run a NiFi instance or NiFi cluster as it appears to isolate that linux to a single core on the host hardware. NiFi can be a resource intensive application, especially when setup as a cluster.

When NiFi is started, you can tail the nifi-app.log to observe the complete startup process.
NiFi has completed its startup once you see the following lines:

2022-06-15 13:52:52,727 INFO org.apache.nifi.web.server.JettyServer: NiFi has started. The UI is available at the following URLs:
2022-06-15 13:52:52,727 INFO org.apache.nifi.web.server.JettyServer: https://nifi-node1:8443/nifi
2022-06-15 13:52:52,730 INFO org.apache.nifi.BootstrapListener: Successfully initiated communication with Bootstrap

At this time the NiFi URL should be reachable. If not, I would be making sure a firewall or some issue with your "Cooperates Linux Machine" setup is not blocking access to the port on which the NiFi is bound.

The latter error you shared:

o.a.nifi.controller.StandardFlowService Failed to connect to cluster due to: org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 'CONNECTION_REQUEST' protocol message due to: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

implies that your NiFi cluster has been setup to start secured over HTTPS.

Secured NiFi nodes must have a configured keystore and truststore. The above error is telling you that node's truststore does not contain the TrustedCertEntry(s) needed to trust the client certificate presented by another node (in this case the elected cluster coordinator node).

The NiFi configured keystore must meet these requirements:
1. Contain only ONE PrivateKeyEntry. (this private key is typically unique per node)
2. That Private key must support both ClientAuth and ServerAuth EKUs
3. That PrivateKey must contain a SAN entry for the NiFI host on which it is being used. That SAN must mach the hostname of the host.

The NiFi configured truststore must contain the complete trust chain for the nodes private keys.

You can use the keytool command to inspect the contents of either the keystore or truststore and verify above requirements are satisfied,

keytool -v -list -keystore <keystore or truststore>

A certificate (private "PrivateKeyEntry" or public "TrustedCertEntry") will have an owner an issuer. The issuer is the authority for that key. A self-signed certificate will have the same owner and issuer.

The truststore needs to have a TrustedCertEntry for each public certificate in the trusts chain.
For example:
Assume you have a PrivateKey in your keystore with:

owner: cn=nifi-node1, ou=nifi
Issuer: cn=intermediate-ca, ou=trust

Your Truststore would then need to have a TrustedCertEntry for the public key for:

owner: cn=intermediate-ca, ou=trust
issuer: cn=root-ca, ou=trust

and:

owner: cn=root-ca, ou=trust
issuer: cn=root-ca, ou=trust

You know you have the complete trust chain once you reach the public cert where owner and issuer have the same value.

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt

View solution in original post

ask_bill_brooks · ‎06-15-2022

@Techie123

I strongly recommend that you read over this thread:

Problem login for first time in Nifi

…and then if you try all the troubleshooting steps described there, post again here, in this thread, and provide a link to the instructions you followed in order to perform your installation and for which version of NiFi.

Bill Brooks, Community Moderator
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Techie123 · ‎06-15-2022

Hi @ask_bill_brooks , I checked everything, in node1 log I am getting "2022-06-15 11:46:36,041 WARN [main] o.a.nifi.controller.StandardFlowService Failed to connect to cluster due to: org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 'CONNECTION_REQUEST' protocol message due to: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors" and in node3 I can't see any error, exception....Can you please help me with this. What should I check?

MattWho · ‎06-15-2022

@Techie123

When you say "Cooperates Linux Machine", are you referring to http://www.colinux.org/ installation?
If so, this does not sound like an ideal place to try and run a NiFi instance or NiFi cluster as it appears to isolate that linux to a single core on the host hardware. NiFi can be a resource intensive application, especially when setup as a cluster.

When NiFi is started, you can tail the nifi-app.log to observe the complete startup process.
NiFi has completed its startup once you see the following lines:

2022-06-15 13:52:52,727 INFO org.apache.nifi.web.server.JettyServer: NiFi has started. The UI is available at the following URLs:
2022-06-15 13:52:52,727 INFO org.apache.nifi.web.server.JettyServer: https://nifi-node1:8443/nifi
2022-06-15 13:52:52,730 INFO org.apache.nifi.BootstrapListener: Successfully initiated communication with Bootstrap

At this time the NiFi URL should be reachable. If not, I would be making sure a firewall or some issue with your "Cooperates Linux Machine" setup is not blocking access to the port on which the NiFi is bound.

The latter error you shared:

o.a.nifi.controller.StandardFlowService Failed to connect to cluster due to: org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 'CONNECTION_REQUEST' protocol message due to: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

implies that your NiFi cluster has been setup to start secured over HTTPS.

Secured NiFi nodes must have a configured keystore and truststore. The above error is telling you that node's truststore does not contain the TrustedCertEntry(s) needed to trust the client certificate presented by another node (in this case the elected cluster coordinator node).

The NiFi configured keystore must meet these requirements:
1. Contain only ONE PrivateKeyEntry. (this private key is typically unique per node)
2. That Private key must support both ClientAuth and ServerAuth EKUs
3. That PrivateKey must contain a SAN entry for the NiFI host on which it is being used. That SAN must mach the hostname of the host.

The NiFi configured truststore must contain the complete trust chain for the nodes private keys.

You can use the keytool command to inspect the contents of either the keystore or truststore and verify above requirements are satisfied,

keytool -v -list -keystore <keystore or truststore>

A certificate (private "PrivateKeyEntry" or public "TrustedCertEntry") will have an owner an issuer. The issuer is the authority for that key. A self-signed certificate will have the same owner and issuer.

The truststore needs to have a TrustedCertEntry for each public certificate in the trusts chain.
For example:
Assume you have a PrivateKey in your keystore with:

owner: cn=nifi-node1, ou=nifi
Issuer: cn=intermediate-ca, ou=trust

Your Truststore would then need to have a TrustedCertEntry for the public key for:

owner: cn=intermediate-ca, ou=trust
issuer: cn=root-ca, ou=trust

and:

owner: cn=root-ca, ou=trust
issuer: cn=root-ca, ou=trust

You know you have the complete trust chain once you reach the public cert where owner and issuer have the same value.

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt

Cloudera Community

Support Questions

NiFi Installation on co-operate Linux Server getting "This site can't be reached" error