[jira] [Commented] (NIFI-4899) Unable to find valid certification path to requested target
[
https://issues.apache.org/jira/browse/NIFI-4899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563890#comment-16563890
]
John Smith commented on NIFI-4899:
--
I also have the same problem. We use our own CA (Microsoft) and create a certs
manually. A refresh solves the problem
> Unable to find valid certification path to requested target
> ---
>
> Key: NIFI-4899
> URL: https://issues.apache.org/jira/browse/NIFI-4899
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
>Affects Versions: 1.5.0
> Environment: NiFi Version 1.5.0
> Java 1.8.0_161-b12
> CentOS Linux release 7.4.1708
>Reporter: Josef Zahner
>Priority: Minor
> Labels: certificate, login, ssl
> Attachments: Screen Shot 2018-02-21 at 11.08.13.png,
> nifi_cert_issue.zip
>
>
> In my clustered ssl environment, if I start the webgui the first time, enter
> my login credentials (verified via LDAP) and go ahead (click "LOG IN") I'm
> getting the error below:
> !Screen Shot 2018-02-21 at 11.08.13.png!
> {code:java}
> javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284)
> at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278)
> at
> org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:229)
> at
> org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414)
> at
> org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:752)
> at
> org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:661)
> at
> org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:875)
> at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
> at java.util.concurrent.FutureTask.run(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker.process_record(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
> Source)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
> at java.net.HttpURLConnection.getResponseCode(Unknown Source)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown
> Source)
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390)
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282)
> ... 14 common frames omitted
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> at sun.security.validator.Validator.validate(Unknown Source)
> at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
> at
[jira] [Commented] (NIFI-4899) Unable to find valid certification path to requested target
[
https://issues.apache.org/jira/browse/NIFI-4899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16372700#comment-16372700
]
Josef Zahner commented on NIFI-4899:
The problem occurs only on a clustered setup. I've deployed the same ansible
template (just without enabling clustering) on a standalone NiFi and the
message doesn't appear anymore.
We have our own root CA within our company and I've created the
keystore/truststore based on that. However, I have the same issue as well with
the toolkit and self-signed certs.
I've added the related config files and certs for my test with nifi-toolkit in
a two node cluster environment. It's just lab, so doesn't matter.
> Unable to find valid certification path to requested target
> ---
>
> Key: NIFI-4899
> URL: https://issues.apache.org/jira/browse/NIFI-4899
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
>Affects Versions: 1.5.0
> Environment: NiFi Version 1.5.0
> Java 1.8.0_161-b12
> CentOS Linux release 7.4.1708
>Reporter: Josef Zahner
>Priority: Minor
> Labels: certificate, login, ssl
> Attachments: Screen Shot 2018-02-21 at 11.08.13.png,
> nifi_cert_issue.zip
>
>
> In my clustered ssl environment, if I start the webgui the first time, enter
> my login credentials (verified via LDAP) and go ahead (click "LOG IN") I'm
> getting the error below:
> !Screen Shot 2018-02-21 at 11.08.13.png!
> {code:java}
> javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284)
> at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278)
> at
> org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:229)
> at
> org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414)
> at
> org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:752)
> at
> org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:661)
> at
> org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:875)
> at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
> at java.util.concurrent.FutureTask.run(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker.process_record(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
> Source)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
> at java.net.HttpURLConnection.getResponseCode(Unknown Source)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown
> Source)
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390)
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282)
> ... 14 common frames omitted
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed:
[jira] [Commented] (NIFI-4899) Unable to find valid certification path to requested target
[
https://issues.apache.org/jira/browse/NIFI-4899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16371966#comment-16371966
]
Pierre Villard commented on NIFI-4899:
--
This looks like as a truststore issue. Is it a cluster setup? How has SSL been
enabled on the cluster, manually or using the toolkit?
Nevertheless, it's kind of weird this is happening only once after a NiFi
restart... [~alopresto] may have an idea about it.
> Unable to find valid certification path to requested target
> ---
>
> Key: NIFI-4899
> URL: https://issues.apache.org/jira/browse/NIFI-4899
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
>Affects Versions: 1.5.0
> Environment: NiFi Version 1.5.0
> Java 1.8.0_161-b12
> CentOS Linux release 7.4.1708
>Reporter: Josef Zahner
>Priority: Minor
> Labels: certificate, login, ssl
> Attachments: Screen Shot 2018-02-21 at 11.08.13.png
>
>
> In my clustered ssl environment, if I start the webgui the first time, enter
> my login credentials (verified via LDAP) and go ahead (click "LOG IN") I'm
> getting the error below:
> !Screen Shot 2018-02-21 at 11.08.13.png!
> {code:java}
> javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284)
> at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278)
> at
> org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:229)
> at
> org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414)
> at
> org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:752)
> at
> org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:661)
> at
> org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:875)
> at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
> at java.util.concurrent.FutureTask.run(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker.process_record(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
> Source)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
> at java.net.HttpURLConnection.getResponseCode(Unknown Source)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown
> Source)
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390)
> at
> org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282)
> ... 14 common frames omitted
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> at
