
NiFi CLI PKIX path building failed

New Contributor

Hi,

I'm getting this error while connecting to a secured NiFi instance.

I tried adding the certs to the Java keystore.

/bin/cli.sh nifi current-user -p nifi.properties

ERROR: Error executing command 'current-user' : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Master Mentor

@shuhaib3 

The nifi.properties file is not the correct file to pass to the "-p" option for the NiFi Toolkit cli.sh.  The "-p" expects you to pass a properties file you build with specific properties in it.
For example:

 baseUrl=https://<target node hostname>:<target node port>
 keystore=/path/to/keystore.jks
 keystoreType=JKS
 keystorePasswd=changeme
 keyPasswd=changeme
 truststore=/path/to/truststore.jks
 truststoreType=JKS
 truststorePasswd=changeme
 proxiedEntity=nifiadmin

The nifi.properties file will not include these exact property names, and it includes other properties not used by cli.sh.

The following exception:

ERROR: Error executing command 'current-user' : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

indicates a trust chain issue between the client (cli.sh) and the server (target NiFi). This means that the truststore is missing one or more TrustedCertEntry entries for the PrivateKeyEntry presented from the keystore in the mutual TLS handshake.

Essentially, the client initiates a connection to the server. The server responds with its serverAuth certificate along with a list of trusted authorities (TrustedCertEntry entries) from the server's truststore. Every certificate, private (PrivateKeyEntry) or public (TrustedCertEntry), has an owner (the certificate's distinguished name (DN)) and an issuer (the distinguished name (DN) of the signer of that certificate). The client looks at the issuer of the server's certificate and checks its truststore for a certificate owner with that same DN. If found, it checks the issuer of that certificate to see if issuer and owner have the same DN (self-signed). If not the same, it looks again for a certificate with an owner matching that issuer DN. This continues until it finds the root signing certificate (the root certificate will have the same issuer and owner). This complete chain of certificate authorities is known as the trust chain. If the complete trust chain is missing, you get the above exception.

The same can happen in the other direction. Assume the above is successful; then the client returns its clientAuth certificate (keystore) to the server to authorize who the client is. The server (NiFi node) will verify trust in the same way using the truststore on the server side. So the complete trust chain for that client certificate must also exist on the server side. If the complete trust chain exists here as well, the mutual TLS handshake can be successful.

You can manually inspect the contents of your client and server side keystores and truststore files using the java keytool command.

<path to java>/keytool -v -list -keystore <keystore or truststore> 

 

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt
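As an added illustration of the trust-chain walk described in the reply above (this is example code written for this page, not part of the NiFi Toolkit or of the reply), the script below parses the `Owner:`, `Issuer:` and `Entry type:` lines that `keytool -v -list` prints for each entry and then follows issuer DNs, exactly in the lookup order the reply describes, until it reaches a self-signed root that is a TrustedCertEntry in the local truststore. The keystore and truststore listings embedded in it are constructed samples laid out like keytool output, with made-up DNs and aliases; they are not from a real NiFi deployment. One generalisation beyond the text: the walker also lets intermediates that the peer presents in the handshake (the extra `Certificate[n]` blocks of a PrivateKeyEntry) bridge the path, which is how the Java PKIX builder behaves, so the piece that is usually missing is the root CA not being a TrustedCertEntry in the local truststore.

```python
"""Model of the PKIX trust-chain walk that produces
'unable to find valid certification path to requested target'.

Added example for this page; the listings below are constructed samples in the
layout keytool -v -list uses, not output from a real NiFi node.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    alias: str
    entry_type: str   # "PrivateKeyEntry" or "trustedCertEntry"
    owner: str        # subject DN (the certificate's own distinguished name)
    issuer: str       # DN of the signer


def parse_keytool_listing(text: str) -> list[Entry]:
    """Extract one Entry per Owner/Issuer pair from `keytool -v -list` output.

    A PrivateKeyEntry prints its whole chain as Certificate[1], Certificate[2], ...
    so it yields several entries under the same alias, leaf first.
    """
    entries: list[Entry] = []
    alias = entry_type = owner = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Entry type:"):
            entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and owner is not None:
            entries.append(Entry(alias or "", entry_type or "", owner,
                                 line.split(":", 1)[1].strip()))
            owner = None
    return entries


def build_trust_chain(presented: list[Entry],
                      truststore: list[Entry]) -> tuple[list[str], Optional[str]]:
    """Walk from the presented leaf certificate to a trusted self-signed root.

    Returns (owner DNs of the chain built so far, DN of the missing certificate).
    The second item is None when the chain completes at a root present in the
    truststore; otherwise it names the DN the client could not find, which is
    the TrustedCertEntry that has to be added.
    """
    if not presented:
        raise ValueError("peer presented no certificate")
    anchors = {e.owner: e for e in truststore if e.entry_type == "trustedCertEntry"}
    # Intermediates sent by the peer may be used to build the path, but the
    # path must still end at a root that is trusted locally.
    candidates = dict(anchors)
    for e in presented[1:]:
        candidates.setdefault(e.owner, e)

    current = presented[0]
    chain, seen = [current.owner], {current.owner}
    while current.owner != current.issuer:          # not yet at a self-signed cert
        nxt = candidates.get(current.issuer)
        if nxt is None or nxt.owner in seen:        # missing link (or a loop)
            return chain, current.issuer
        chain.append(nxt.owner)
        seen.add(nxt.owner)
        current = nxt
    # Self-signed root reached; it only counts if the truststore contains it.
    return chain, (None if current.owner in anchors else current.owner)


# --- constructed sample listings (keytool -v -list layout, made-up DNs) --------
SERVER_KEYSTORE = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-node-1
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi-node-1.example.com, OU=NIFI
Issuer: CN=Example Intermediate CA, OU=NIFI
Certificate[2]:
Owner: CN=Example Intermediate CA, OU=NIFI
Issuer: CN=Example Root CA, OU=NIFI
"""

TRUSTSTORE_OK = """\
Alias name: example-intermediate
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA, OU=NIFI
Issuer: CN=Example Root CA, OU=NIFI

Alias name: example-root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, OU=NIFI
Issuer: CN=Example Root CA, OU=NIFI
"""

# Only an unrelated CA is trusted: the chain stalls at the missing root.
TRUSTSTORE_MISSING_ROOT = """\
Alias name: legacy-ca
Entry type: trustedCertEntry
Owner: CN=Legacy NiFi CA, OU=NIFI
Issuer: CN=Legacy NiFi CA, OU=NIFI
"""


def diagnose(server_listing: str, truststore_listing: str) -> str:
    chain, missing = build_trust_chain(parse_keytool_listing(server_listing),
                                       parse_keytool_listing(truststore_listing))
    if missing is None:
        return "trust chain complete: " + " -> ".join(chain)
    return "PKIX path building would fail; truststore lacks: " + missing


if __name__ == "__main__":
    print(diagnose(SERVER_KEYSTORE, TRUSTSTORE_OK))
    print(diagnose(SERVER_KEYSTORE, TRUSTSTORE_MISSING_ROOT))
```

To use it against a real environment, replace the sample strings with the captured output of `keytool -v -list` for the peer's keystore and for the local truststore; the DN it reports as missing is the certificate that needs to be imported as a TrustedCertEntry before the handshake can succeed.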

Community Manager

@shuhaib3 Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks!


Regards,

Diana Torres,
Community Moderator
