
Unable to connect to ldap server from nifi (unable to find valid certification path to requested target)

I am trying to integrate LDAP with my Apache NiFi instance. When I try to connect, I get the following error:


```
org.springframework.security.authentication.InternalAuthenticationServiceException: Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
    at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
    at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:310)
    at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:314)
    at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:728)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
    at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
    at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
    at org.apache.nifi.web.security.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.apache.nifi.web.server.JettyServer$2.doFilter(JettyServer.java:1048)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:724)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:531)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:291)
    at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:151)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:132)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.springframework.ldap.UncategorizedLdapException: Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:153)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:142)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
    at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
    at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:316)
    at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:127)
    at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:95)
    at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)
    ... 81 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:353)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:217)
    at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:136)
    ... 88 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 98 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 104 common frames omitted
```



I have tried the following steps: fetch the certificate from the server and add it to my truststore, but the same error persists.

Can someone please help?

```sh
keytool -J-Dhttps.proxyHost=******* -J-Dhttps.proxyPort=389 -printcert -rfc -sslserver oss.sonatype.org > sonatype.pem

sudo keytool -importcert -trustcacerts -file sonatype.pem -alias oss.sonatype.org -storepass ***** -keystore ~/Tools/nifi-1/conf/truststore.jks
```



Below is the LDAP section in login-identity-providers.xml:

```xml
<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>

    <property name="Manager DN"></property>
    <property name="Manager Password"></property>

    <property name="TLS - Keystore">./conf/keystore.jks</property>
    <property name="TLS - Keystore Password">******</property>
    <property name="TLS - Keystore Type">jks</property>
    <property name="TLS - Truststore">./conf/truststore.jks</property>
    <property name="TLS - Truststore Password">******</property>
    <property name="TLS - Truststore Type">jks</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>

    <property name="Url">ldap:/***.home.test.com.:389</property>
    <property name="User Search Base">dc=home,dc=test,dc=com</property>
    <property name="User Search Filter">uid={0}</property>

    <property name="Identity Strategy">USE_DN</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
```



The above truststore and keystore are the ones generated by the NiFi toolkit.

I have added the server certificate to this truststore only.
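The "PKIX path building failed" error in the trace means the JVM could not link the certificate chain the LDAP server presented during StartTLS to any anchor in `./conf/truststore.jks`. Two things are worth checking against the steps in the post: the `keytool -printcert -sslserver` command fetched a certificate from `oss.sonatype.org`, not from the LDAP host, and what the truststore needs is the CA that issued the LDAP server certificate rather than (or in addition to) the leaf. The script below is an added example, not part of the original post or of NiFi: it captures the chain the LDAP server actually sends with `openssl s_client -starttls ldap`, splits it into one PEM file per certificate, and imports the last certificate of the chain (the issuer) into the truststore. `LDAP_HOST`, `LDAP_PORT`, `TRUSTSTORE` and the `ldap-issuer` alias are placeholders; the network and keytool steps are only defined, while the splitting step is run offline against a constructed sample of `s_client` output.

```shell
#!/bin/sh
# Added example (not from the original post). Diagnoses "unable to find valid
# certification path" against an LDAP StartTLS endpoint: capture the presented
# chain, split it, and import the issuing CA into the NiFi truststore.

LDAP_HOST="${LDAP_HOST:-ldap.example.test}"        # placeholder, replace with your host
LDAP_PORT="${LDAP_PORT:-389}"                      # StartTLS runs on the plain LDAP port
TRUSTSTORE="${TRUSTSTORE:-./conf/truststore.jks}"  # truststore path from the NiFi config

# Negotiate StartTLS on the LDAP port and dump every certificate the server sends.
# Needs network access; not exercised by the offline demo below.
fetch_chain() {
    openssl s_client -starttls ldap -showcerts \
        -connect "$LDAP_HOST:$LDAP_PORT" </dev/null 2>/dev/null
}

# Split s_client output (stdin) into <prefix>0.pem, <prefix>1.pem, ... and print
# the number of certificates found. Pure awk, so it runs offline. Entry 0 is the
# server's leaf certificate; the highest-numbered entry is the issuer to trust.
split_chain() {
    awk -v prefix="$1" '
        BEGIN { n = 0; out = "" }
        /-----BEGIN CERTIFICATE-----/ { out = prefix n ".pem"; n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n }
    '
}

# Print subject and issuer of each split certificate. The issuer of <prefix>0.pem
# must match the subject of a certificate already in the truststore, otherwise
# PKIX path building fails exactly as in the trace. Requires openssl.
describe_chain() {
    for f in "$1"*.pem; do
        echo "== $f"
        openssl x509 -noout -subject -issuer -in "$f"
    done
}

# Import the issuer (last certificate of the chain) and confirm it is listed.
# Arguments: prefix used for split_chain, and the count it printed.
# keytool is the JDK tool already used in the post; the alias is a placeholder.
import_issuer() {
    issuer="$1$(( $2 - 1 )).pem"
    keytool -importcert -trustcacerts -noprompt -alias ldap-issuer \
        -file "$issuer" -keystore "$TRUSTSTORE"
    keytool -list -keystore "$TRUSTSTORE" | grep -i ldap-issuer
}

# Constructed sample of s_client -showcerts output (two-entry chain, dummy
# certificate bodies) so the splitting step can be demonstrated without a server.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN=ldap.example.test
   i:CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
TEAF
-----END CERTIFICATE-----
 1 s:CN=Example Issuing CA
   i:CN=Example Root CA
-----BEGIN CERTIFICATE-----
SSSU
-----END CERTIFICATE-----
---'

demo_dir=$(mktemp -d)
demo_count=$(printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$demo_dir/chain-")
echo "certificates in sample chain: $demo_count"
echo "issuer candidate to import: $demo_dir/chain-$((demo_count - 1)).pem"
# Against a live server the sequence is:
#   fetch_chain | split_chain ./chain-   (prints the count, e.g. 2)
#   describe_chain ./chain-
#   import_issuer ./chain- 2
```

After importing, `describe_chain` should show that the issuer of `chain-0.pem` equals the subject of the certificate you imported; if the server sends only its leaf (a single-entry chain), obtain the issuing CA certificate from the directory administrators instead of importing the leaf. Restart NiFi so the provider reloads the truststore.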