Problem while using ConsumeIMAP processor

Explorer

Hello,

Has anyone experienced an issue while using the ConsumeIMAP processor for consuming messages from a secure email server using IMAP port 993?

We are getting the below error:

PKIX path building failed.

unable to find valid certification path

Please reply here if anyone has faced an issue like this.

Thanks and Regards


1 ACCEPTED SOLUTION

Master Mentor

@Pr1 

 

While I am not an IMAP expert, the exception you are seeing here:

PKIX path building failed.

unable to find valid certification path


This is a TLS handshake exception telling you that the complete certificate trust chain does not exist in the keystore. On the NiFi side the complete trust chain would be found in the NiFi truststore.jks. Note: If NiFi is not secured you may need to add the trust chain certs to the NiFi Java's default cacerts keystore.

You can use openssl to get the complete trust chain for the IMAP server you are trying to consume from:

openssl s_client -connect <IMAP server>:<IMAP port> -showcerts


In the server hello response returned from the IMAP server using the above command, you will see multiple certificates. The first certificate is the IMAP server's public certificate (you do not need this one). You will need all the public certificates that follow that server certificate. These will be your signing CAs (there may be one or more, in order of signing, until you reach the root CA). The root CA is last, and you will notice its owner and issuer DN are the same. Each certificate begins with:

-----BEGIN CERTIFICATE-----


and ends with:

-----END CERTIFICATE-----

 

So you want to copy each certificate including the above lines to separate files:
Examples:
intermediate.pem, intermediate2.pem, rootCA.pem 

You can then use keytool to import these CAs in to your NiFi truststore.

keytool -importcert -alias <alias, usually based off the CN name of the certificate> -file <certificate.pem> -keystore <truststore.jks or java cacerts> -trustcacerts

Note: each certificate imported must use a unique alias.

 

I recommend importing your certificates in the same order as they were listed in openssl response (importing the rootCA last).

Restart your NiFi so it loads the modified keystore.

Hope this helps resolve your trust chain issue,

Matt
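The procedure in the accepted answer (openssl to pull the chain, split each certificate into its own PEM file, skip the server's own leaf certificate, keytool-import the rest under unique aliases) as one POSIX shell script. This is an added example, not code from the original post or from NiFi; the host name, port, truststore path and password are placeholders passed on the command line, and the script only does work when all four are given.

```shell
#!/bin/sh
# Added example, not code from the original post or from NiFi.
# Fetches an IMAPS server's certificate chain with openssl, splits every
# certificate into its own PEM file, skips the server's own (leaf) cert,
# and imports the remaining CA certs into a JKS truststore with unique
# aliases. Host, port, truststore path and password are placeholders
# supplied on the command line.
set -eu

# split_chain SRC_FILE OUT_DIR
# Writes OUT_DIR/cert-1.pem, cert-2.pem, ... for each certificate in the
# openssl output, in the order the server sent them, and prints the count.
split_chain() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    awk -v dir="$dest" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$src"
}

# chain_issuers OUT_DIR
# Prints the split files except the first one (the leaf), i.e. the
# intermediate CA(s) followed by the root, one path per line.
chain_issuers() {
    for f in $(ls "$1" | grep '^cert-[0-9]*\.pem$' | sort -t- -k2 -n | tail -n +2); do
        printf '%s\n' "$1/$f"
    done
}

# alias_for PEM_FILE
# keytool alias: the subject CN (lower-cased, spaces to dashes) when openssl
# can parse the file, otherwise the file name. Every alias must be unique.
alias_for() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p' | tr 'A-Z ' 'a-z-')
    if [ -n "$cn" ]; then printf '%s\n' "$cn"; else basename "$1" .pem; fi
}

# import_chain OUT_DIR TRUSTSTORE STOREPASS
# Imports the intermediates first and the root last, in the order received.
# keytool rejects a duplicate alias, which also stops a CA being added twice.
import_chain() {
    for pem in $(chain_issuers "$1"); do
        keytool -importcert -noprompt -trustcacerts -alias "$(alias_for "$pem")" \
            -file "$pem" -keystore "$2" -storepass "$3"
    done
}

# Usage: sh import-imap-chain.sh imap.example.com 993 /opt/nifi/conf/truststore.jks changeit
# (all four values are placeholders; the script does nothing without them)
if [ "$#" -eq 4 ]; then
    host=$1; port=$2; store=$3; pass=$4
    work=$(mktemp -d)
    # </dev/null closes s_client's stdin so it exits once the handshake is done;
    # -servername sends SNI so a multi-host server returns the right chain.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null >"$work/chain.txt" 2>/dev/null || true
    count=$(split_chain "$work/chain.txt" "$work")
    echo "server sent $count certificate(s); importing $((count - 1)) CA cert(s)"
    import_chain "$work" "$store" "$pass"
    keytool -list -keystore "$store" -storepass "$pass"
fi
```

Two checks worth doing before restarting NiFi: `keytool -list` should show one trustedCertEntry per imported CA, and the last certificate openssl printed should be self-signed (subject equals issuer). If it is not, the server did not send its root certificate and you must obtain that root from the CA separately, or the chain will still not build. The password of the JDK's own cacerts file defaults to `changeit`.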

Explorer

Thanks for your reply. This solution worked.