[ https://issues.apache.org/jira/browse/NIFI-825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Payne updated NIFI-825:
----------------------------
Description:
A user sent an email about InvokeHTTP failing after restart when configured to use an SSLContext Service, providing the following stacktrace:

2015-08-06 14:23:06,727 ERROR [Timer-Driven Process Thread-6] o.a.nifi.processors.standard.InvokeHTTP
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) ~[na:1.8.0_45]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_45]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_45]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) ~[na:1.8.0_45]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[na:1.8.0_45]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_45]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) ~[na:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) ~[na:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_45]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[na:1.8.0_45]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_45]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) ~[na:1.8.0_45]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) ~[na:1.8.0_45]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) ~[na:1.8.0_45]
    at org.apache.nifi.processors.standard.InvokeHTTP$Transaction.sendRequest(InvokeHTTP.java:434) ~[nifi-standard-processors-0.1.0-incubating.jar:0.1.0-incubating]
    at org.apache.nifi.processors.standard.InvokeHTTP$Transaction.process(InvokeHTTP.java:356) ~[nifi-standard-processors-0.1.0-incubating.jar:0.1.0-incubating]
    at org.apache.nifi.processors.standard.InvokeHTTP.onTrigger(InvokeHTTP.java:148) [nifi-standard-processors-0.1.0-incubating.jar:0.1.0-incubating]
    at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27) [nifi-api-0.1.0-incubating.jar:0.1.0-incubating]
    at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1077) [nifi-framework-core-0.1.0-incubating.jar:0.1.0-incubating]
    at org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:127) [nifi-framework-core-0.1.0-incubating.jar:0.1.0-incubating]
    at org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:49) [nifi-framework-core-0.1.0-incubating.jar:0.1.0-incubating]
    at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:119) [nifi-framework-core-0.1.0-incubating.jar:0.1.0-incubating]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_45]
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [na:1.8.0_45]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_45]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [na:1.8.0_45]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_45]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_45]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_45]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [na:1.8.0_45]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_45]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_45]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_45]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_45]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_45]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_45]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_45]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_45]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) ~[na:1.8.0_45]
    ... 27 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) ~[na:1.8.0_45]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[na:1.8.0_45]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_45]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_45]
    ... 33 common frames omitted

I was able to duplicate this same failure but without even restarting NiFi, by issuing a GET request to https://localhost:8443/nifi-api/controller/status; NiFi was configured to allow both secure and non-secure access. Secure access was configured by using the keystore and truststore in the test resources directory of the standard processors.

The supplied patch ensures that we just use the SSLContext Service to obtain an SSLContext object for each iteration, leaving caching, if appropriate, up to the service. The patch also updates some of the comments and code styles to be more consistent with the rest of the codebase.

> InvokeHTTP not handling SSL connections properly
> ------------------------------------------------
>
> Key: NIFI-825
> URL: https://issues.apache.org/jira/browse/NIFI-825
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Reporter: Mark Payne
> Assignee: Mark Payne
> Priority: Critical
> Fix For: 0.3.0
>
> Attachments: 0001-NIFI-825-Use-new-method-of-accessing-controller-serv.patch

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)