@Pr1
While I am not an IMAP expert, the exception you are seeing here:
PKIX path building failed.
unable to find valid certification path
This is a TLS handshake exception telling you that the complete certificate trust chain does not exist in the keystore. On the NiFi side the complete trust chain would found in the NiFi truststore.jks. Note: If NiFi is not secured you may need to add the trust chain certs to the NiFI java's default cacerts keystore.
You can use openssl to get the complete trust chain for the IMAP server you are trying to consume from:
openssl s_client -connect <IMAP server>:<IMAP port> -showcerts
In the server hello response returned from the IMAP server using above command, you will see multiple certificates. First certificate is the imap server's public certificate (you do not need this one). You will need all the public certificates that follow that server certificate. These will be your Signing CAs (there may be one or more in order of signing until you reach the rootCA). The rootCa is last and you will notice the owner and issuer DN is the same. Each certificate begins with:
-----BEGIN CERTIFICATE-----
and ends with:
-----END CERTIFICATE-----
So you want to copy each certificate including the above lines to separate files:
Eaxamples:
intermediate.pem, intermediate2.pem, rootCA.pem
You can then use keytool to import these CAs in to your NiFi truststore.
keytool -importcert -alias <alias usually based off CN name for certiifcate> -file <certificate.pem> -keystore <truststore.jks or java cacerts> -trustcacerts
Note: each certificate imported must use a unique alias.
I recommend importing your certificates in the same order as they were listed in openssl response (importing the rootCA last).
Restart your NiFi so it loads the modified keystore.
Hope this helps resolve your trust chain issue,
Matt
