Support Questions
Find answers, ask questions, and share your expertise

Unable to connect to ldap server from nifi (unable to find valid certification path to requested target)

Explorer

I am trying to integrate ldap with my Apache Nifi Instance. When I try to connect, I get the following error:


org.springframework.security.authentication.InternalAuthenticationServiceException: Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)

at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)

at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:310)

at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:314)

at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:728)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)

at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)

at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)

at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)

at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)

at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)

at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)

at org.glassfish.jersey.internal.Errors.process(Errors.java:316)

at org.glassfish.jersey.internal.Errors.process(Errors.java:298)

at org.glassfish.jersey.internal.Errors.process(Errors.java:268)

at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)

at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)

at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)

at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)

at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)

at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)

at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)

at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)

at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)

at org.apache.nifi.web.security.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.apache.nifi.web.server.JettyServer$2.doFilter(JettyServer.java:1048)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)

at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)

at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:724)

at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)

at org.eclipse.jetty.server.Server.handle(Server.java:531)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)

at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)

at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:291)

at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:151)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)

at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:132)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)

at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)

at java.lang.Thread.run(Thread.java:748)

Caused by: org.springframework.ldap.UncategorizedLdapException: Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:153)

at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:142)

at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)

at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)

at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:316)

at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:127)

at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:95)

at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)

... 81 common frames omitted

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)

at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)

at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:353)

at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:217)

at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:136)

... 88 common frames omitted

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)

at sun.security.validator.Validator.validate(Validator.java:262)

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)

... 98 common frames omitted

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)

at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)

... 104 common frames omitted



I have tried the below steps:

Fetch the certificate from server and add it to my truststore, but the same error persists.

Can someone please help.


keytool -J-Dhttps.proxyHost=******* -J-Dhttps.proxyPort=389 -printcert -rfc -sslserver oss.sonatype.org > sonatype.pem


sudo keytool -importcert -trustcacerts -file sonatype.pem -alias oss.sonatype.org -storepass ***** -keystore ~/Tools/nifi-1/conf/truststore.jks



Below is the ldap section in login-identity-providers.xml




<provider>

<identifier>ldap-provider</identifier>

<class>org.apache.nifi.ldap.LdapProvider</class>

<property name="Authentication Strategy">START_TLS</property>


<property name="Manager DN"></property>

<property name="Manager Password"></property>


<property name="TLS - Keystore">./conf/keystore.jks</property>

<property name="TLS - Keystore Password">******</property>

<property name="TLS - Keystore Type">jks</property>

<property name="TLS - Truststore">./conf/truststore.jks</property>

<property name="TLS - Truststore Password">******</property>

<property name="TLS - Truststore Type">jks</property>

<property name="TLS - Client Auth"></property>

<property name="TLS - Protocol">TLS</property>

<property name="TLS - Shutdown Gracefully"></property>

<property name="Referral Strategy">FOLLOW</property>

<property name="Connect Timeout">10 secs</property>

<property name="Read Timeout">10 secs</property>


<property name="Url">ldap:/***.home.test.com.:389</property>

<property name="User Search Base">dc=home,dc=test,dc=com</property>

<property name="User Search Filter">uid={0}</property>


<property name="Identity Strategy">USE_DN</property>

<property name="Authentication Expiration">12 hours</property>

</provider>



The above trust store and keystore are the ones generated by nifi toolkit.

I have added the server certificate in this truststore only.