Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

PKIX path building failed

avatar
Contributor

 

I have installed Nifi locally and recieved the below error, could some one please let me know what need to be done. 

 

midee_0-1628763549997.jpeg

 

It would be great help if provided in detailed.

thanks!

1 ACCEPTED SOLUTION

avatar
Super Mentor

@midee 

 

Not a lot of details in your question here, but the exception:

SunCertPathBuilderException: unable to find valid certification path to requested target

is telling you that the trust could not be determined in the TLS handshake that occurred between client and server.

Essentially this means that yoru truststore did not contain all the necessary TrustedCertEntries.
The complete trust chain must exist in the truststore.

Lets say you have Certificate "cert-X" signed by Certificate Authority (CA) "CA-A".

Owner: CN=cert-X, OU=test
Issuer: CN=CA-A, OU=CA-intermediate

Then that CA "CA-A" was signed by another CA "CA-root"
Owner: CN=CA-A, OU=CA-intermediate
Issuer: CN=CA-root, OU=CA-root

Then the CA "CA-root" is signed by itself:
Owner: CN=CA-root, OU=CA-root
Issuer: CN=CA-root, OU=CA-root

So in order to trust the certificate CN=cert-X, OU=test, the truststore would need to contain the complete trust chain meaning it would need to have a TrustedCertEntry for both "CA-A" and "CA-root"

There may even be more CAs in that trust chain.  You need every public cert for each ca all the way to the root CA (owner and issuer the same) to have complete trust chain.

A mutual TLS handshake would require trust in both directions.
Clients certificate must be trusted by server and server's certificate must be trusted by client.

In a 1-way TLS handshake you only need trust in one direction.
Client must be able to trust server's certificate only since client would not be sending a certificate to the server.

If you found this response addressed yoru query, please take a moment to login and click "Accept as Solution".

Thank you,

Matt

View solution in original post

2 REPLIES 2

avatar
Super Mentor

@midee 

 

Not a lot of details in your question here, but the exception:

SunCertPathBuilderException: unable to find valid certification path to requested target

is telling you that the trust could not be determined in the TLS handshake that occurred between client and server.

Essentially this means that yoru truststore did not contain all the necessary TrustedCertEntries.
The complete trust chain must exist in the truststore.

Lets say you have Certificate "cert-X" signed by Certificate Authority (CA) "CA-A".

Owner: CN=cert-X, OU=test
Issuer: CN=CA-A, OU=CA-intermediate

Then that CA "CA-A" was signed by another CA "CA-root"
Owner: CN=CA-A, OU=CA-intermediate
Issuer: CN=CA-root, OU=CA-root

Then the CA "CA-root" is signed by itself:
Owner: CN=CA-root, OU=CA-root
Issuer: CN=CA-root, OU=CA-root

So in order to trust the certificate CN=cert-X, OU=test, the truststore would need to contain the complete trust chain meaning it would need to have a TrustedCertEntry for both "CA-A" and "CA-root"

There may even be more CAs in that trust chain.  You need every public cert for each ca all the way to the root CA (owner and issuer the same) to have complete trust chain.

A mutual TLS handshake would require trust in both directions.
Clients certificate must be trusted by server and server's certificate must be trusted by client.

In a 1-way TLS handshake you only need trust in one direction.
Client must be able to trust server's certificate only since client would not be sending a certificate to the server.

If you found this response addressed yoru query, please take a moment to login and click "Accept as Solution".

Thank you,

Matt

avatar
Community Manager

@midee Have you resolved your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. 

Screen Shot 2019-08-06 at 1.54.47 PM.png

 

 


Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.