Created on 01-08-2024 03:50 AM - edited 01-08-2024 03:51 AM
2024-01-08 18:57:00,406+0800|ERROR|pool-47-thread-1|o.s.s.s.TaskUtils$LoggingErrorHandler|Unexpected error occurred in scheduled task
org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Internal Server Error: "javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown"
at org.springframework.web.client.HttpServerErrorException.create(HttpServerErrorException.java:100)
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170)
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:122)
at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:825)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:783)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:717)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:608)
at com.orchsym.trace.alerts.api.timer.Timer.getBulletinBoardDTO(Timer.java:162)
at com.orchsym.trace.alerts.api.timer.Timer.getBulletinBoard(Timer.java:97)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:95)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Created 01-08-2024 06:06 AM
@JamesZhang
I feel there are a lot of details missing here that may help you get a better response.
I see you added the "Apache NiFi" label, so I assume you are seeing this exception somehow related to NiFi?
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Above is telling you that you have some TLS exchange issue related to some certificates somewhere. I am assuming the verbose output you shared is for the keystore configured in your NiFi's nifi.properties file?
With any TLS exchange there is a client and a server side of that exchange, and the keystores and truststores on both sides of that exchange, along with the type of TLS exchange (TLS or MutualTLS), matter.
Initial questions:
1. Where are you seeing this exception? What action is being performed when the exception occurs?
2. What TLS exchange is failing as a result of it?
Thank you,
Matt
Created 01-08-2024 06:56 AM
When I was accessing NiFi and cut the login, it gave me: Received fatal alert: certificate_unknown
Created 01-08-2024 06:55 AM
I set up a two-node NiFi cluster, and HTTPS and username and password authentication are enabled.
When I was accessing NiFi and cut the login, it gave me: Received fatal alert: certificate_unknown
Created 01-08-2024 06:58 AM
Created 01-08-2024 09:19 AM
@JamesZhang
Not sure what "cut the login" means in your response.
When you access the NiFi URL, are you being redirected to the NiFi login window or do you encounter the unknown certificate exception immediately?
Where did you get the certificates you are using?
Did you add the Certificate Authority (CA) trust chain public certificates to the list of trusted authorities in the browser you are using to connect to NiFi?
Thanks,
Matt
Created 01-08-2024 07:34 PM
It was after I logged in that the problem occurred.
Created 01-08-2024 07:00 AM
2024-01-08 22:59:04,191 DEBUG [Replicate Request Thread-5] o.a.n.c.c.h.r.o.OkHttpReplicationClient Replicating request OkHttpPreparedRequest[method=GET, headers={sec-fetch-site=same-origin, X-Request-ID=cefa0de909293ecff62ec11a567a7bf5, purpose=prefetch, User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36, Accept-Encoding=gzip, deflate, br, locale=zh, sec-ch-ua-mobile=?0, X-ProxiedEntitiesChain=<admin@orchsym.com>, Content-Encoding=gzip, X-RequestTransactionId=46b8f4dd-346d-4969-b013-0318b425a5e8, X-Real-IP=172.18.153.98, sec-fetch-mode=cors, Cookie=INGRESSCOOKIE=1704456109.379.3262.11429|138638da7f02469ffa15ce137684f175; authMode=token; oidc-request-rfid=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1MHlDcUI4MlVQMV9NS3B3aUljLVhXQmNNUWxybkJPLUM4dmdJZnUxUmFvIn0.[...].AXI1uDJV629yce--7C_hIeKUdpSjkIWaeqm4_Ove_IMz4oMroPIYCBvKiF_XZ1u46uSxhGMz0DN5zhx3UwgYjo7OcofW6HtNolAgaCcfQU2rK_rMtb1VX3DfUAe6spyg0RwU6o08-5bRtd8vfH9S7ASIMO6dA3wD_o9bXlWGI7i4V2_mm-rnvm7qmC1e10xefu7Qhcq3g6dHh0tJcY6jFDNTBGS3qG9lME4y0E6FgrxlIr9vNtEqOIVHAa2MDLtXnJJnn9SHTBERsx-2T7wWmLKr_d_p3Cj62MvJeFEPMaPlZ3DANWx32dip4R9Y55DlzivEyAxSAyMm__QEFNPiXg, Accept=*/*, X-Forwarded-Host=runtime.irybd.com, X-Forwarded-Proto=https, Referer=https://runtime.irybd.com/runtime, X-Forwarded-Port=443, sec-ch-ua="Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120", X-ProxyHost=runtime.irybd.com, sec-ch-ua-platform="macOS", X-Forwarded-For=172.18.153.98, Accept-Language=en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7, X-Forwarded-Scheme=https, X-Scheme=https, sec-purpose=prefetch;prerender, sec-fetch-dest=empty}] to https://runtime-1.runtime-statefulset.default.svc.cluster.local:443/nifi-api/flow/current-user
2024-01-08 22:59:04,219 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to runtime-1.runtime-statefulset.default.svc.cluster.local:443 due to javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2024-01-08 22:59:04,219 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:122)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:116)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:629)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:821)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Created 01-08-2024 12:30 PM
@JamesZhang
What is the verbose output for your configured truststore?
Does it contain the TrustedCertEntry for your Certificate Authority (CA) that signed the PrivateKey in your keystore?
The keystore you shared has:
DNSName: runtime-0.runtime-statefulset.default.svc.cluster.local
The log output you shared is failing on the mutualTLS handshake with another node in your NiFi cluster when the request to get current user is replicated to all nodes in your NiFi cluster.
runtime-1.runtime-statefulset.default.svc.cluster.local
All inter-node communication requires successful mutualTLS exchanges.
Did you create a separate certificate for the other node? Is it signed by same CA?
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
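Added example, not code from this thread, from NiFi or from Cloudera: a Go model of the certificate check each node applies to the other during the inter-node mutualTLS handshake described above, using constructed certificates. The node hostnames are the ones from the thread; the CA names ("nifi-ca", "other-ca") are constructed, and the check is expressed with Go's x509 verifier rather than Java's, so only the alert name quoted in the comment comes from the NiFi log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate whose SAN DNSName is name, plus its key. With ca == nil it is a
// self-signed CA; otherwise it is a node certificate signed by ca/caKey (the keystore PrivateKey entry).
func issue(name string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{name},
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ca == nil,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{
			x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if ca == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = ca, caKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// truststore holds the given CAs: the TrustedCertEntry items of one node's truststore.
func truststore(cas ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, ca := range cas {
		p.AddCert(ca)
	}
	return p
}

// verifyPeer is the check each side of the mutualTLS handshake applies to the other's certificate:
// the chain must end in a CA present in the verifier's own truststore and the certificate must allow
// usage (ClientAuth when node-1 checks node-0, ServerAuth when node-0 checks node-1). host is matched
// against the SAN DNSName list and matters only for the server certificate ("" skips it). A failure
// on node-1's side is answered with the fatal alert node-0 logs as "Received fatal alert: certificate_unknown".
func verifyPeer(peer *x509.Certificate, trust *x509.CertPool, usage x509.ExtKeyUsage, host string) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: trust, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

With both node certificates signed by the same CA and that CA in both truststores, the check passes in both directions; a node-1 truststore lacking the CA that signed node-0's keystore fails with UnknownAuthorityError (the server-side rejection behind the logged alert), and a server certificate whose SAN does not list the hostname the client connected to fails with HostnameError.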
Created 01-08-2024 07:31 PM
Yes, all other nodes are issued with the same CA certificate.
Here are the details of my certificate:
runtime-0 node: