Member since
10-14-2025
5
Posts
0
Kudos Received
0
Solutions
10-30-2025
12:36 AM
yes. I am using 'https' to reach the registry. I found out my registry's certificates really don't have the ExtendedKeyUsage Extensions. I will try recreating new certificates with the extensions and will get back. Also, since I'm using LDAP to secure my Registry, I had set clientAuth to false. Will that not interfere while NiFi is trying to connect to the registry since we are using mTLS in this case and not LDAP credentials for authentication? So, is it mandatory that I configure a composite user group (filebased and LDAP) in my registry's authorizers for authentication?
... View more
10-29-2025
02:55 AM
Please find my verbose keytool output for both my keystore and truststore of my NiFi Registry. The same keystore and truststores were copied over to my NiFi instances (via 'kubectl cp' utilities) and have been referenced via SSL Context nifi@nifi-registry-0:/opt/certs$ keytool -v -list -keystore nifi-registry-keystore.jks Enter keystore password: Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 1 entry Alias name: nifi-registry Creation date: Sep 13, 2025 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: OU=3SCDemo, CN=nifi-registry Issuer: OU=3SCDemo, CN=3SCDemo-CA Serial number: 4c6bdbce9df169456145d320bd438808765291b Valid from: Sat Sep 13 18:35:02 UTC 2025 until: Sun Sep 13 18:35:02 UTC 2026 Certificate fingerprints: <fingerprints> Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 1 ******************************************* ******************************************* nifi@nifi-registry-0:/opt/certs$ keytool -v -list -keystore nifi-registry-truststore.jks Enter keystore password: Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 2 entries Alias name: ca-cert Creation date: Oct 29, 2025 Entry type: trustedCertEntry Owner: OU=3SCDemo, CN=3SCDemo-CA Issuer: OU=3SCDemo, CN=3SCDemo-CA Serial number: 429a23e0a595c4721f6f7f0933e69ebcca616027 Valid from: Sat Sep 13 18:35:02 UTC 2025 until: Sun Sep 13 18:35:02 UTC 2026 Certificate fingerprints: <fingerprints> Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 3 Extensions: #1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ .. ] #2: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen: no limit ] #3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ .. ] ******************************************* ******************************************* Alias name: nifi-registry Creation date: Oct 29, 2025 Entry type: trustedCertEntry Owner: OU=3SCDemo, CN=nifi-registry Issuer: OU=3SCDemo, CN=3SCDemo-CA Serial number: 4c6bdbce9df169456145d320bd438808765291b Valid from: Sat Sep 13 18:35:02 UTC 2025 until: Sun Sep 13 18:35:02 UTC 2026 Certificate fingerprints: <fingerprints> Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 1 ******************************************* ******************************************* In essence, NiFi Registry is essentially not recognizing certificates being presented from its own keystores and truststores via NiFi's SSL Context services
... View more
10-23-2025
11:55 PM
@MattWho Thank you for the response. I'm on a single node nifi setup. As you suggested, I tried verifying my certificates the other way round i.e. NiFi Node's server certificates from my NiFi Registry. As expected, it didn't verify succesfully. As I had previously mentioned, my NiFi Nodes are being signed by cert manager and I'm using a self signed central nifi registry to connect from different single-node NiFi Clusters. I have attached an illustration of my setup below. Since my NiFi Nodes are connecting from different environments and the fact that I use different cert-manager deployments to sign the certs for the respective Nodes, how can i connect to the registry without having to update the registry's truststore everytime I need to spin up a new nifi cluster in a new environment. If I understand this correctly, the SSL context management controller is supposed to exactly solve this kind of problem right? The SSL Context in my NiFi Node(s) should contain the paths to the keystore and the truststore of my NiFi Registry, on the NiFi Node's local filesystem, isn't it? If I had multiple registries to connect to, I could simply similarly configure additional SSL Contexts for the respective registries in NiFi's management controller services isn't it? Please correct me if I'm wrong..
... View more
10-16-2025
08:57 PM
Thank you for the quick reply @vafs ! As I have mentioned above, the truststore that I've referenced belongs to the NiFi Registry. I had copied the truststore from my NiFi Registry instance into my NiFi instance to eliminate any certificate mismatches. But yet it didn't work. I however tried reimporting the ca certificate into the truststore as you suggested, but I still encounter the same issue while trying to version my flows nifi@nifikop-0-node:/opt/nifi/nifi-current$ keytool -importcert -alias 3SCDemo-CA -file /tmp/ca-cert.pem -keystore /tmp/nifi-registry-truststore.jks Enter keystore password: Certificate already exists in keystore under alias <ca-cert> Do you still want to add it? [no]: yes Certificate was added to keystore nifi@nifikop-0-node:/opt/nifi/nifi-current$
... View more
10-14-2025
12:37 PM
I have multiple instances of nifi running and a central nifi registry is deployed. NiFi Registry is signed by an independent self-issued CA-signed certificate. I do have a copy of NiFi Registry's truststore and keystore inside my NiFi instance (Kubernetes Pod). And I have configured the registry client with my registry's internal k8s service URL and the associated SSL Context is referenced to the Registry's truststore and keystores. The SSL Context Controller enables fine (indicating the keystores are accessible and the passwords are correct) but then I get the following error message while trying to enable versioning on a process group: Unable to obtain listing of buckets: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target I checked the other topics on this forum and on other forums on the Internet and found that this could be an issue with the validity of the registry's server certificate. The registry's server certificate is not being trusted by NiFi because it's unable to find matches in the referenced truststore. I have tried verifying this manually from within the instance. I copied the registry's CA PEM certificate (the same one used while generating the registry's truststore and keystore)into the NiFi instance and verified the upstream registry server's certificate with the CA. I can confirm the server is accessible and the server certificates are valid. The truststore shouldn't be an issue and NiFi should be able to interact with the registry. nifi@nifikop-0-node:/opt/nifi/nifi-current$ openssl s_client -connect nifi-registry.dev.svc.cluster.local:18443 -showcerts -CAfile /tmp/ca-cert.pem
CONNECTED(00000003)
depth=1 CN = 3SCDemo-CA, OU = 3SCDemo
verify return:1
depth=0 CN = nifi-registry, OU = 3SCDemo
verify return:1
---
Certificate chain
0 s:CN = nifi-registry, OU = 3SCDemo
i:CN = 3SCDemo-CA, OU = 3SCDemo
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 13 18:35:02 2025 GMT; NotAfter: Sep 13 18:35:02 2026 GMT
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
---
Server certificate
subject=CN = nifi-registry, OU = 3SCDemo
issuer=CN = 3SCDemo-CA, OU = 3SCDemo
---
Acceptable client certificate CA names
CN = 3SCDemo-CA, OU = 3SCDemo
CN = nifi-registry, OU = 3SCDemo
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+S
HA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RS
A-PSS+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1432 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: C84E2BFD44167DA371468E366F7E62CE8A2457A88A5FABADCEBA5A182CB29A28
Session-ID-ctx:
Resumption PSK: 57C3C840AF40C97DCA5E3C86C67ECC5943711E6D1CFD439DDDCDD30F8A599A620D89F0591288E0F7102C5031C266EFBC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
..ticket...
Start Time: 1760469262
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK Ideally, I understand it should've worked. But I'm not sure where the issue lies..
... View more
- Tags:
- connection
- nifikop
Labels:
- Labels:
-
Apache NiFi
-
NiFi Registry