
NiFi SSL - unable to find valid certification path to requested target

Contributor

Hi,

I've just upgraded my lab cluster to NiFi 1.5 and I'm playing around with SSL and LDAP. We have created self-signed certificates within our company and I've added the keys/certs to the corresponding truststore/keystore. The base for that was this topic: https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif....

However, the first time I try to access the NiFi webgui with https, I'm getting the message below.

2018-02-02 14:36:31,822 WARN [Replicate Request Thread-2] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to nifi4-01.bblab.ch:8443 due to javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2018-02-02 14:36:31,827 WARN [Replicate Request Thread-2] o.a.n.c.c.h.r.ThreadPoolRequestReplicator 
javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284)
        at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278)
        at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:229)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414)
        at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:752)
        at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:661)
        at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:875)
        at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
        at java.util.concurrent.FutureTask.run(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at java.net.HttpURLConnection.getResponseCode(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
        at org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390)
        at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282)
        ... 14 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 30 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 36 common frames omitted

Is this normal behavior as we use self-signed certs? As I said, it occurs only once after a fresh start of my cluster. If I try to access the webpage again or do a refresh I can access the webgui and I can see the canvas.

If I check my browser and the SSL certificate in the address field, then I see a complete, successful cert chain without any error (of course I had to import the root CA cert into my browser).

openssl shows the public CA certs.

[root@nifi4-01 cluster]# openssl s_client -connect nifi4-01.bblab.ch:8443
CONNECTED(00000003)
depth=1 C = ch, O = Swisscom, OU = intern, CN = SwisscomCore
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CH/ST=Bern/L=Worblaufen/O=Swisscom (Schweiz) AG/OU=LI/CN=*.bblab.ch
   i:/C=ch/O=Swisscom/OU=intern/CN=SwisscomCore
 1 s:/C=ch/O=Swisscom/OU=intern/CN=SwisscomCore
   i:/C=ch/O=Swisscom/OU=intern/CN=SwisscomCore
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=CH/ST=Bern/L=Worblaufen/O=Swisscom (Schweiz) AG/OU=LI/CN=*.bblab.ch
issuer=/C=ch/O=Swisscom/OU=intern/CN=SwisscomCore
---
Acceptable client certificate CA names
/DC=CH/DC=TAURI/CN=SwisscomDatacenterCore
/C=ch/O=Swisscom/OU=intern/CN=SwisscomCore
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3231 bytes and written 467 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: 5A746D0F81D6C506ABC23A8FCE0D518521CCCA3EDC03C93B4B30447C83AD6DCC
    Session-ID-ctx: 
    Master-Key: B6F3F4AC7C0626ECE3510AB233D2A01E642DD0B9235BDA46738C8D9BB1F104E5DDBFD2A9BD66032F544452F07E1226D5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1517579535
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
^Xclosed

I just tried it with certificates generated by the nifi tls-toolkit, same behavior. I'm getting this error once after cluster restart. On NiFi 1.4 this wasn't the case.


[screenshot attachment: screen-shot-2018-02-02-at-145411.png]
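The "PKIX path building failed" message in the question and the "certification path" confusion in the replies come down to one check: does the truststore the JVM uses contain a certificate whose subject is the issuer of the top-most certificate the server sends? The script below is an added example (not from this thread, NiFi, or Cloudera) that performs that check offline on text an operator already has: the output of `openssl s_client -connect host:port` (as pasted above) and of `keytool -list -v -keystore truststore.jks`. The sample outputs embedded in it are constructed to mirror the shapes shown in the thread; the `Example`/`ExampleCore` DNs, the `*.lab.example` name and the aliases are placeholders, not values from the page.

```python
"""Added example (not from the thread or the NiFi project): an offline check of
why a JVM reports "PKIX path building failed" for a server.

It parses two things an operator already has in hand, the output of
`openssl s_client -connect host:port` and of `keytool -list -v -keystore ...`,
works out which trust anchor the server's chain terminates at, and reports
whether a certificate with that subject is present in the truststore listing.
The sample outputs below are constructed to mirror the shapes seen in the
thread; the DNs and aliases are illustrative, not real.
"""
import re

# Constructed sample: s_client output whose chain ends in a self-signed root.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=1 C = ch, O = Example, OU = intern, CN = ExampleCore
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CH/ST=Bern/O=Example AG/OU=LI/CN=*.lab.example
   i:/C=ch/O=Example/OU=intern/CN=ExampleCore
 1 s:/C=ch/O=Example/OU=intern/CN=ExampleCore
   i:/C=ch/O=Example/OU=intern/CN=ExampleCore
---
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Constructed sample: a truststore into which only the *server* certificate was
# imported (the pattern of the keytool -import commands later in the thread).
SAMPLE_TRUSTSTORE_WRONG = """\
Alias name: truststore_internal
Entry type: trustedCertEntry
Owner: CN=*.lab.example, OU=LI, O=Example AG, ST=Bern, C=CH
Issuer: CN=ExampleCore, OU=intern, O=Example, C=ch
"""

# Constructed sample: a truststore that holds the CA that signed the server cert.
SAMPLE_TRUSTSTORE_OK = """\
Alias name: examplecore-root
Entry type: trustedCertEntry
Owner: CN=ExampleCore, OU=intern, O=Example, C=ch
Issuer: CN=ExampleCore, OU=intern, O=Example, C=ch
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
OWNER_LINE = re.compile(r"^Owner: (.*)$", re.MULTILINE)
VERIFY_CODE = re.compile(r"Verify return code: (\d+)")


def parse_dn(text):
    """Normalise a DN to a frozenset of (attribute, value) pairs.

    openssl prints DNs slash-separated (/C=ch/O=.../CN=...), keytool prints them
    comma-separated RFC 2253 style (CN=..., O=..., C=ch).  Attribute order
    differs between the two, so a set comparison is used; values are lower-cased
    because X.500 caseIgnoreMatch applies to these attribute types.  Escaped
    separators inside values are not handled (assumption: plain DNs as above).
    """
    text = text.strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    pairs = set()
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.add((attr.strip().upper(), value.strip().lower()))
    return frozenset(pairs)


def parse_chain(s_client_output):
    """Return [(depth, subject, issuer)] for the 'Certificate chain' block."""
    return [(int(d), parse_dn(s), parse_dn(i))
            for d, s, i in CHAIN_ENTRY.findall(s_client_output)]


def required_trust_anchor(chain):
    """Subject the truststore must contain for PKIX path building to succeed.

    That is the issuer of the top-most certificate the server sent.  When the
    server already includes its self-signed root (as here), that root's own
    subject is the anchor; the JVM still needs it in the truststore.
    """
    _depth, _subject, issuer = chain[-1]
    return issuer


def truststore_subjects(keytool_output):
    """Set of normalised Owner DNs from `keytool -list -v` output."""
    return {parse_dn(m) for m in OWNER_LINE.findall(keytool_output)}


def diagnose(s_client_output, keytool_output):
    """Combine both outputs into one verdict on the truststore."""
    chain = parse_chain(s_client_output)
    anchor = required_trust_anchor(chain)
    code = VERIFY_CODE.search(s_client_output)
    return {
        "chain_depth": len(chain),
        "openssl_verify_code": int(code.group(1)) if code else None,
        "anchor": anchor,
        "anchor_in_truststore": anchor in truststore_subjects(keytool_output),
    }


if __name__ == "__main__":
    for label, listing in (("server-cert-only", SAMPLE_TRUSTSTORE_WRONG),
                           ("ca-imported", SAMPLE_TRUSTSTORE_OK)):
        result = diagnose(SAMPLE_S_CLIENT, listing)
        cn = dict(result["anchor"]).get("CN")
        print(f"{label}: anchor CN={cn!r}, present={result['anchor_in_truststore']}")
```

To use it on a real cluster, replace the two sample strings with the captured output of `openssl s_client -connect <host>:8443 </dev/null` and `keytool -list -v -keystore <truststore.jks>` (the one named in nifi.properties, or the JRE's cacerts for processes that rely on it). The openssl "Verify return code: 19" in the question is the same condition seen from openssl's side: its own default trust store did not contain the internal root, exactly as the JVM's truststore must for the handshake to succeed. Note that the verdict is about which subject must be present, not about file paths, which is the point of the "not a path on your disk" reply.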


@JZ

I'm facing similar error.

I am using NiFi 1.2.0 with HTTPS and LDAPS. Recently I have updated the certificates and started facing the error below.

I can access Nifi webgui.

When I'm trying to copy files from the NiFi GUI to S3, I'm getting the errors below.

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
        ... 50 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

I have kept the cacerts file in the Java path

/usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts

and the keystore/truststore files

/etc/nifi/3.0.1.1-5/0/keystore.jks

/etc/nifi/3.0.1.1-5/0/truststore.jks

I am not clear where exactly the valid certification path is located. If you know, please suggest.

Contributor

@Lawand Suraj: Certification Path is not a path on your disk, it is a problem with your certs within the keystore/truststore. Check my screenshot below.

[screenshot attachment: screen-shot-2018-04-25-at-080958.png]

However my issue is still there.


@JZ

I have replaced the keystore/truststore with the commands below, where Ab-ssl-sha2.cer is the certificate used to build the keystore/truststore.

/usr/jdk64/jdk1.8.0_112/bin/keytool -import -file /home/Ab-ssl-sha2.cer -keystore /etc/nifi/3.0.1.1-5/0/keystore.jks -alias keystore_internal
/usr/jdk64/jdk1.8.0_112/bin/keytool -import -file /home/Ab-ssl-sha2.cer -keystore /etc/nifi/3.0.1.1-5/0/truststore.jks -alias truststore_internal

Can you please suggest where I need to make changes?

Contributor

Sorry, I can't help you with that. I have no knowledge about your certs and their certification path.


Hello,

The certificates were not created properly. I have compared another working certificate with this certificate and found a mismatch.

I have verified the certificate through the openssl command and then copied the required certificates from another working application server to the one with the issue. The issue is resolved now, but I am still unable to find out why the command below doesn't work on the server:

sudo /usr/jdk64/jdk1.8.0_112/bin/keytool -import -trustcacerts -noprompt -storepass xxxx -alias abc-sha2 -file /home/ec2-user/abc-sha2.cer -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts

New Contributor

Hi all,

WARN org.apache.hadoop.security.LdapGroupsMapping: Failed to get groups for user impala (retry=1) by javax.naming.CommunicationException: simple bind failed: ad.corporate:<port> [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

We are seeing the above error message with the Sentry Service on Cloudera 5.14 after applying new root and intermediate certificates.

The error message clearly says a certificate is missing. But to find out which certificate is missing and debug the issue for a Java application, do as below.

To debug the issue:

We added " -Djavax.net.debug=ssl " to Sentry under the Java Options configuration and examined the Sentry stdout.log from the CM UI after restarting the affected services.

There, in stdout.log, it says that a certificate is missing. Therefore we need to import the required certificate into the truststore appropriately, or use the latest version of the truststore.

Keep this flag until the issue is resolved.

Hope this helps someone.

Thanks,

PR