Created 08-12-2021 03:19 AM
I have installed NiFi locally and received the below error, could someone please let me know what needs to be done.
It would be a great help if provided in detail.
thanks!
Created 08-13-2021 08:06 AM
Not a lot of details in your question here, but the exception:
SunCertPathBuilderException: unable to find valid certification path to requested target
is telling you that the trust could not be determined in the TLS handshake that occurred between client and server.
Essentially this means that your truststore did not contain all the necessary TrustedCertEntries.
The complete trust chain must exist in the truststore.
Let's say you have Certificate "cert-X" signed by Certificate Authority (CA) "CA-A".
Owner: CN=cert-X, OU=test
Issuer: CN=CA-A, OU=CA-intermediate
Then that CA "CA-A" was signed by another CA "CA-root"
Owner: CN=CA-A, OU=CA-intermediate
Issuer: CN=CA-root, OU=CA-root
Then the CA "CA-root" is signed by itself:
Owner: CN=CA-root, OU=CA-root
Issuer: CN=CA-root, OU=CA-root
So in order to trust the certificate CN=cert-X, OU=test, the truststore would need to contain the complete trust chain, meaning it would need to have a TrustedCertEntry for both "CA-A" and "CA-root".
There may even be more CAs in that trust chain. You need every public cert for each CA all the way to the root CA (owner and issuer the same) to have a complete trust chain.
A mutual TLS handshake would require trust in both directions.
The client's certificate must be trusted by the server and the server's certificate must be trusted by the client.
In a 1-way TLS handshake you only need trust in one direction.
Client must be able to trust server's certificate only since client would not be sending a certificate to the server.
If you found this response addressed your query, please take a moment to login and click "Accept as Solution".
Thank you,
Matt
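The owner/issuer walk Matt describes, as an added example that is not part of the thread: a shell script that builds the cert-X / CA-A / CA-root chain with openssl and checks cert-X against a trust store holding only CA-A and one holding CA-A plus CA-root. It assumes `openssl` is on PATH; the subject names are taken from the answer, the file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build the chain the answer describes,
# cert-X <- CA-A <- CA-root, with throwaway keys, then show that validation
# succeeds only when the trust store holds every CA up to the self-signed root.
# Subject names come from the answer; file names are constructed for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# CA-root: self-signed, so Owner == Issuer.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=CA-root/OU=CA-root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
  -out root.pem 2>/dev/null

# CA-A: intermediate, Owner CN=CA-A, Issuer CN=CA-root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=CA-A/OU=CA-intermediate" \
  -keyout ca-a.key -out ca-a.csr 2>/dev/null
openssl x509 -req -in ca-a.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out ca-a.pem 2>/dev/null

# cert-X: the leaf the server presents, Owner CN=cert-X, Issuer CN=CA-A.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cert-X/OU=test" \
  -keyout cert-x.key -out cert-x.csr 2>/dev/null
openssl x509 -req -in cert-x.csr -CA ca-a.pem -CAkey ca-a.key -CAcreateserial \
  -days 365 -out cert-x.pem 2>/dev/null

# Two candidate trust stores (PEM bundles standing in for JKS TrustedCertEntries).
cat ca-a.pem > truststore_partial.pem         # CA-A only
cat ca-a.pem root.pem > truststore_full.pem   # CA-A and CA-root

# chain_trusted TRUSTSTORE: exit 0 if cert-X chains to a root in TRUSTSTORE.
# This is the question Java's PKIX path builder answers before throwing
# "unable to find valid certification path to requested target".
chain_trusted() {
    openssl verify -CAfile "$1" cert-x.pem >/dev/null 2>&1
}

if chain_trusted truststore_partial.pem; then
    echo "partial trust store: trusted (unexpected)"
else
    echo "partial trust store: NOT trusted, the CA-root TrustedCertEntry is missing"
fi
chain_trusted truststore_full.pem && echo "full trust store: trusted"
# To load the same CAs into a NiFi truststore (real keytool options):
#   keytool -importcert -trustcacerts -alias ca-root -file root.pem -keystore truststore.jks
#   keytool -importcert -trustcacerts -alias ca-a -file ca-a.pem -keystore truststore.jks
```

Running `openssl x509 -in <file> -noout -subject -issuer` on each PEM prints the same Owner/Issuer pairs the answer lists, and `openssl verify -CAfile <your truststore as PEM> <server cert>` is a quick way to find which link is missing before touching keytool.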
Created 08-19-2021 01:41 PM
@midee Have you resolved your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.