I have multiple instances of nifi running and a central nifi registry is deployed. NiFi Registry is signed by an independent self-issued CA-signed certificate. I do have a copy of NiFi Registry's truststore and keystore inside my NiFi instance (Kubernetes Pod). And I have configured the registry client with my registry's internal k8s service URL and the associated SSL Context is referenced to the Registry's truststore and keystores. The SSL Context Controller enables fine (indicating the keystores are accessible and the passwords are correct) but then I get the following error message while trying to enable versioning on a process group: Unable to obtain listing of buckets: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target I checked the other topics on this forum and on other forums on the Internet and found that this could be an issue with the validity of the registry's server certificate. The registry's server certificate is not being trusted by NiFi because it's unable to find matches in the referenced truststore. I have tried verifying this manually from within the instance. I copied the registry's CA PEM certificate (the same one used while generating the registry's truststore and keystore)into the NiFi instance and verified the upstream registry server's certificate with the CA. I can confirm the server is accessible and the server certificates are valid. The truststore shouldn't be an issue and NiFi should be able to interact with the registry. nifi@nifikop-0-node:/opt/nifi/nifi-current$ openssl s_client -connect nifi-registry.dev.svc.cluster.local:18443 -showcerts -CAfile /tmp/ca-cert.pem CONNECTED(00000003) depth=1 CN = 3SCDemo-CA, OU = 3SCDemo verify return:1 depth=0 CN = nifi-registry, OU = 3SCDemo verify return:1 --- Certificate chain 0 s:CN = nifi-registry, OU = 3SCDemo i:CN = 3SCDemo-CA, OU = 3SCDemo a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 13 18:35:02 2025 GMT; NotAfter: Sep 13 18:35:02 2026 GMT -----BEGIN CERTIFICATE----- .... -----END CERTIFICATE----- --- Server certificate subject=CN = nifi-registry, OU = 3SCDemo issuer=CN = 3SCDemo-CA, OU = 3SCDemo --- Acceptable client certificate CA names CN = 3SCDemo-CA, OU = 3SCDemo CN = nifi-registry, OU = 3SCDemo Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+S HA512 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RS A-PSS+SHA512 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 1432 bytes and written 451 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: C84E2BFD44167DA371468E366F7E62CE8A2457A88A5FABADCEBA5A182CB29A28 Session-ID-ctx: Resumption PSK: 57C3C840AF40C97DCA5E3C86C67ECC5943711E6D1CFD439DDDCDD30F8A599A620D89F0591288E0F7102C5031C266EFBC PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 86400 (seconds) TLS session ticket: ..ticket... Start Time: 1760469262 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK   Ideally, I understand it should've worked. But I'm not sure where the issue lies.. ... View more