Member since 05-16-2018 · 5 Posts · 0 Kudos Received · 0 Solutions
10-23-2018 10:20 PM
Hi Erik, I was able to use v1.7.0 and v1.8.0 NiFi versions of InvokeHTTP to access wildcard CNs. I was not able to reproduce your error. The test configuration I used was a wildcard CN of CN=*.natohorton.com self-signed certificate in a JKS, with a simple hosted 'Hello World' HTTPS page using Flask. I then pointed the StandardSSLContextService in NiFi to this JKS as the truststore and pointed InvokeHTTP to https://test.natohorton.com:5000. The InvokeHTTP was able to retrieve the page. Are you able to provide more details about your error for me to replicate?

As far as using the OS to handle more operations, my impression would be that the design is such that it can be cross-platform, portable and avoid compatibility issues with underlying operating system changes. It should also be higher performance by directly using Java interfaces rather than frequently making calls to external processes. NiFi was intended to handle large data volumes in a performant manner, extensible, cross-compatible with multiple operating systems whilst also providing a simple user interface for users with a wide spread of technical skills. That combination of requirements likely restricted the design from making more use of existing operating system utilities like curl. Someone else might be able to comment more about those design decisions.

Thanks, Nathan
10-23-2018 07:54 PM
Very cool! Great diagrams too 🙂
10-20-2018 01:52 AM
Hi @Erik Anderson, you have a few options. You can use the standard JDK cacerts file, which is already in the JKS format. Simply configure the SSLContextService to use the Java default cacerts file as the truststore. This is located in various locations for different operating systems. My guess is you're using Red Hat, so it may be at /etc/pki/java/cacerts. For Mac it was /Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre/lib/security/cacerts. I wasn't able to get hold of the same ca-bundle.trust.crt you are using to test it out. If it's in PEM format, you can try using this utility to convert a multi-part PEM into a JKS: https://github.com/use-sparingly/keyutil. I did the following:

wget https://curl.haxx.se/ca/cacert.pem
wget https://github.com/use-sparingly/keyutil/releases/download/0.4.0/keyutil-0.4.0.jar
java -jar keyutil-0.4.0.jar -i --new-keystore myTrustStore.jks --password changeit --import-pem-file cacert-2018-10-17.pem

and then pointed my SSLContextService at the myTrustStore.jks. I was then able to pull down content from HTTPS sites. Note that I did not verify what CAs were contained in the haxx.se/ca/cacert.pem, so I would verify that before using it on your own server. You can also try using InvokeHTTP, which has more advanced functionality than GetHTTP. Let me know if this helps.
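A keytool-only way to do the same conversion, added here as an example (it is not from the thread, NiFi or the keyutil project): split the PEM bundle into one certificate per file, import each under its own alias, then list the store so every CA NiFi will trust can be reviewed before the SSLContextService points at it. Input bundle path, output directory and truststore path are arguments you choose; the placeholder certificate blocks at the bottom are constructed only to exercise the splitter.

```shell
#!/bin/sh
# Added example: build a NiFi truststore JKS from a multi-certificate PEM
# bundle with keytool alone, one alias per CA, so the trust list is reviewable.

# Split a PEM bundle into ca-NNN.pem files under $2; prints how many were found.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%03d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$bundle"
  ls "$outdir"/ca-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Import every split certificate into a JKS truststore under a distinct alias.
# keytool rejects malformed certificates, so a corrupt bundle fails loudly
# instead of silently producing a partial truststore.
import_pem_dir_to_jks() {
  certdir="$1"; jks="$2"; storepass="$3"
  for cert in "$certdir"/ca-*.pem; do
    alias=$(basename "$cert" .pem)
    keytool -importcert -noprompt -trustcacerts \
      -alias "$alias" -file "$cert" \
      -keystore "$jks" -storepass "$storepass" -storetype JKS >/dev/null
  done
  # Review what NiFi will trust: one entry per CA with its fingerprint.
  keytool -list -keystore "$jks" -storepass "$storepass"
}

# Constructed sample bundle: two placeholder blocks, not real CA certificates.
SAMPLE_BUNDLE=$(mktemp)
cat > "$SAMPLE_BUNDLE" <<'EOF'
# Example CA 1 (placeholder, constructed for this example)
-----BEGIN CERTIFICATE-----
MIIBplaceholder1
-----END CERTIFICATE-----
# Example CA 2 (placeholder, constructed for this example)
-----BEGIN CERTIFICATE-----
MIIBplaceholder2
-----END CERTIFICATE-----
EOF
SPLIT_DIR=$(mktemp -d)
SPLIT_COUNT=$(split_pem_bundle "$SAMPLE_BUNDLE" "$SPLIT_DIR")
echo "split $SPLIT_COUNT certificate blocks into $SPLIT_DIR"
# With a real bundle (e.g. a downloaded cacert.pem), run the import step:
#   import_pem_dir_to_jks "$SPLIT_DIR" nifi/conf/truststore.jks changeit
```

Running the import against the placeholder blocks fails on purpose, because keytool will not accept them as certificates; use a real bundle for that step.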
10-16-2018 07:41 PM
You should be able to import the Java ca-bundle into NiFi's truststore using:

keytool -importkeystore -srckeystore /usr/share/pki/ca-trust-source/ca-bundle.trust.crt -destkeystore nifi/conf/truststore.jks

You can also import specific CA certificates one at a time to limit the number of remote servers that NiFi trusts.