[jira] [Commented] (NIFI-4899) Unable to find valid certification path to requested target
[ https://issues.apache.org/jira/browse/NIFI-4899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563890#comment-16563890 ] John Smith commented on NIFI-4899: -- I also have the same problem. We use our own CA (Microsoft) and create a certs manually. A refresh solves the problem > Unable to find valid certification path to requested target > --- > > Key: NIFI-4899 > URL: https://issues.apache.org/jira/browse/NIFI-4899 > Project: Apache NiFi > Issue Type: Bug > Components: Core UI >Affects Versions: 1.5.0 > Environment: NiFi Version 1.5.0 > Java 1.8.0_161-b12 > CentOS Linux release 7.4.1708 >Reporter: Josef Zahner >Priority: Minor > Labels: certificate, login, ssl > Attachments: Screen Shot 2018-02-21 at 11.08.13.png, > nifi_cert_issue.zip > > > In my clustered ssl environment, if I start the webgui the first time, enter > my login credentials (verified via LDAP) and go ahead (click "LOG IN") I'm > getting the error below: > !Screen Shot 2018-02-21 at 11.08.13.png! > {code:java} > javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at > org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284) > at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278) > at > org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753) > at org.glassfish.jersey.internal.Errors.process(Errors.java:316) > at org.glassfish.jersey.internal.Errors.process(Errors.java:298) > at org.glassfish.jersey.internal.Errors.process(Errors.java:229) > at > org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414) > at > org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:752) > at > org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:661) > at > org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:875) > at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) > at java.util.concurrent.FutureTask.run(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at sun.security.ssl.Alerts.getSSLException(Unknown Source) > at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) > at sun.security.ssl.Handshaker.fatalSE(Unknown Source) > at sun.security.ssl.Handshaker.fatalSE(Unknown Source) > at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) > at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) > at sun.security.ssl.Handshaker.processLoop(Unknown Source) > at sun.security.ssl.Handshaker.process_record(Unknown Source) > at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown > Source) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) > at java.net.HttpURLConnection.getResponseCode(Unknown Source) > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown > Source) > at > org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390) > at > org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282) > ... 14 common frames omitted > Caused by: sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to > find valid certification path to requested target > at sun.security.validator.PKIXValidator.doBuild(Unknown Source) > at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) > at sun.security.validator.Validator.validate(Unknown Source) > at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) > at
[jira] [Commented] (NIFI-4899) Unable to find valid certification path to requested target
[ https://issues.apache.org/jira/browse/NIFI-4899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16372700#comment-16372700 ] Josef Zahner commented on NIFI-4899: The problem occurs only on a clustered setup. I've deployed the same ansible template (just without enabling clustering) on a standalone NiFi and the message doesn't appear anymore. We have our own root CA within our company and I've created the keystore/truststore based on that. However, I have the same issue as well with the toolkit and self-signed certs. I've added the related config files and certs for my test with nifi-toolkit in a two node cluster environment. It's just lab, so doesn't matter. > Unable to find valid certification path to requested target > --- > > Key: NIFI-4899 > URL: https://issues.apache.org/jira/browse/NIFI-4899 > Project: Apache NiFi > Issue Type: Bug > Components: Core UI >Affects Versions: 1.5.0 > Environment: NiFi Version 1.5.0 > Java 1.8.0_161-b12 > CentOS Linux release 7.4.1708 >Reporter: Josef Zahner >Priority: Minor > Labels: certificate, login, ssl > Attachments: Screen Shot 2018-02-21 at 11.08.13.png, > nifi_cert_issue.zip > > > In my clustered ssl environment, if I start the webgui the first time, enter > my login credentials (verified via LDAP) and go ahead (click "LOG IN") I'm > getting the error below: > !Screen Shot 2018-02-21 at 11.08.13.png! > {code:java} > javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at > org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284) > at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278) > at > org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753) > at org.glassfish.jersey.internal.Errors.process(Errors.java:316) > at org.glassfish.jersey.internal.Errors.process(Errors.java:298) > at org.glassfish.jersey.internal.Errors.process(Errors.java:229) > at > org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414) > at > org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:752) > at > org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:661) > at > org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:875) > at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) > at java.util.concurrent.FutureTask.run(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at sun.security.ssl.Alerts.getSSLException(Unknown Source) > at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) > at sun.security.ssl.Handshaker.fatalSE(Unknown Source) > at sun.security.ssl.Handshaker.fatalSE(Unknown Source) > at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) > at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) > at sun.security.ssl.Handshaker.processLoop(Unknown Source) > at sun.security.ssl.Handshaker.process_record(Unknown Source) > at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown > Source) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) > at java.net.HttpURLConnection.getResponseCode(Unknown Source) > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown > Source) > at > org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390) > at > org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282) > ... 14 common frames omitted > Caused by: sun.security.validator.ValidatorException: PKIX path building > failed:
[jira] [Commented] (NIFI-4899) Unable to find valid certification path to requested target
[ https://issues.apache.org/jira/browse/NIFI-4899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16371966#comment-16371966 ] Pierre Villard commented on NIFI-4899: -- This looks like as a truststore issue. Is it a cluster setup? How has SSL been enabled on the cluster, manually or using the toolkit? Nevertheless, it's kind of weird this is happening only once after a NiFi restart... [~alopresto] may have an idea about it. > Unable to find valid certification path to requested target > --- > > Key: NIFI-4899 > URL: https://issues.apache.org/jira/browse/NIFI-4899 > Project: Apache NiFi > Issue Type: Bug > Components: Core UI >Affects Versions: 1.5.0 > Environment: NiFi Version 1.5.0 > Java 1.8.0_161-b12 > CentOS Linux release 7.4.1708 >Reporter: Josef Zahner >Priority: Minor > Labels: certificate, login, ssl > Attachments: Screen Shot 2018-02-21 at 11.08.13.png > > > In my clustered ssl environment, if I start the webgui the first time, enter > my login credentials (verified via LDAP) and go ahead (click "LOG IN") I'm > getting the error below: > !Screen Shot 2018-02-21 at 11.08.13.png! > {code:java} > javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at > org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284) > at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278) > at > org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753) > at org.glassfish.jersey.internal.Errors.process(Errors.java:316) > at org.glassfish.jersey.internal.Errors.process(Errors.java:298) > at org.glassfish.jersey.internal.Errors.process(Errors.java:229) > at > org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414) > at > org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:752) > at > org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:661) > at > org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:875) > at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) > at java.util.concurrent.FutureTask.run(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at sun.security.ssl.Alerts.getSSLException(Unknown Source) > at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) > at sun.security.ssl.Handshaker.fatalSE(Unknown Source) > at sun.security.ssl.Handshaker.fatalSE(Unknown Source) > at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) > at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) > at sun.security.ssl.Handshaker.processLoop(Unknown Source) > at sun.security.ssl.Handshaker.process_record(Unknown Source) > at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown > Source) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) > at java.net.HttpURLConnection.getResponseCode(Unknown Source) > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown > Source) > at > org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390) > at > org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282) > ... 14 common frames omitted > Caused by: sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to > find valid certification path to requested target > at sun.security.validator.PKIXValidator.doBuild(Unknown Source) > at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) > at