Created 10-31-2023 04:10 AM
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://accounts.google.com/.well-known/openid-configuration": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
This is the error which I'm getting.
My nifi.properties file is as follows:
Created on 10-31-2023 06:19 AM - edited 10-31-2023 06:22 AM
@jai1gupta
The exception:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This indicates a trust chain issue in your TLS exchange with accounts.google.com. A complete trust chain requires all known public certs from the certificate issued for accounts.google.com --> intermediate CA(s) --> root CA (owner and issuer same DN).
Your configuration shows that the oidc authentication client configuration is set to:
nifi.security.user.oidc.truststore.strategy=JDK
HTTPS Certificate Trust Store Strategy defines the source of certificate authorities that NiFi uses when communicating with the OpenID Connect Provider. The value of JDK uses the Java platform default configuration stored in cacerts under the Java Home directory. The value of NIFI enables using the trust store configured in the nifi.security.truststore property. The default value is JDK.
This means that the Java version you have installed that NiFi is using is missing some trustedCertEntries from the trust chain for accounts.google.com.
Google makes all its public root and intermediate certificates available for download here:
https://pki.goog/repository/#:~:text=Download%20CA%20certificates
You'll want to download all of these (PEM files) and add any that are missing from your Java's cacerts truststore file. While you can use the following openssl command to get all the public certs in the chain, you may find at times you get redirected to a different accounts.google.com server with a different trust chain. So I recommend downloading all of them instead of just those returned by the openssl command:
openssl s_client -connect accounts.google.com:443 -showcerts
Restart your NiFi and this trust issue should be gone.
I am confused why your google console setup is using http instead of https urls for your NiFi? NiFi will not support authentication and authorization unless it is secured over https.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
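The following is an added, constructed example and not code from the thread or from NiFi: a POSIX shell script that reproduces the kind of trust failure Matt describes using a private root in place of Google's, splits an s_client -showcerts style capture into individual PEM files, and shows the keytool import that the JDK truststore strategy needs. It assumes openssl is installed; the JDK/keytool step is defined but not run, and all certificate names and paths are constructed.

```shell
#!/bin/sh
# Constructed example, not from the thread: reproduce a "PKIX path building failed"
# style trust failure offline, with openssl's verifier standing in for the JDK's,
# then clear it by trusting the missing root. Assumes openssl is on PATH.
set -eu
WORK=$(mktemp -d)
# Constructed stand-in for the real chain: a private root, a leaf it signs, and an
# unrelated root playing the part of the CAs already present in cacerts.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other Root CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=accounts.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Split a captured `openssl s_client -showcerts` transcript ($1) into one PEM file
# per certificate: cert0.pem is the leaf, cert1.pem the next link up, and so on.
split_showcerts() {
    awk -v dir="$WORK" 'BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/  { close(f); f = "" }' "$1"
}

# Exit 0 when a path from leaf $2 to a root in PEM truststore $1 can be built; on
# failure openssl names the broken link, the detail the JDK's generic message omits.
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# For nifi.security.user.oidc.truststore.strategy=JDK the fix is importing the
# missing root into the cacerts of NiFi's JVM. Not run here: needs a JDK and
# JAVA_HOME; "changeit" is the JDK's default cacerts password.
import_into_cacerts() {
    keytool -importcert -noprompt -trustcacerts -alias "$1" -file "$2" \
        -keystore "${JAVA_HOME:?}/lib/security/cacerts" -storepass changeit
}

make_demo_chain
# Constructed transcript in the shape s_client prints: status lines, then PEM blocks.
{ echo "CONNECTED(00000003)"; echo " 0 s:CN = accounts.example.test"; cat "$WORK/leaf.pem"
  echo " 1 s:CN = Demo Root CA"; cat "$WORK/root.pem"; echo "---"; } > "$WORK/showcerts.txt"
split_showcerts "$WORK/showcerts.txt"
verify_chain "$WORK/other.pem" "$WORK/cert0.pem" || echo "as expected: issuer not trusted"
verify_chain "$WORK/root.pem" "$WORK/cert0.pem"    # succeeds: prints cert0.pem: OK
```

Against a real capture, run the split on the saved output of `openssl s_client -connect accounts.google.com:443 -showcerts </dev/null`, then verify cert0.pem against the truststore NiFi's strategy selects (the JVM's cacerts for JDK, nifi.security.truststore for NIFI).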
Created on 11-02-2023 03:51 AM - edited 11-02-2023 03:53 AM
After changing the nifi.security.user.oidc.truststore.strategy to NIFI my error got resolved. Now when I access the NiFi in the browser I get this error.
I think this error is because my NiFi is not secured over HTTPS.
I've already run this command.
Please tell me what I can do next to make it secured. Thanks
Created 11-02-2023 09:54 AM
@jai1gupta
What makes you think your NiFi is not secured over https?
You did not share your nifi.properties web properties.
If you have set the following properties:
nifi.web.https.host=<hostname>
nifi.web.https.port=<port>
and have configured the NiFi keystore and truststore properties (which you did share), then your NiFi would have started and logged the URL as being available over https://<hostname>:<port>/nifi
My guess is your issue probably extends from the use of "localhost" instead of an actual resolvable hostname.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt