Hi Peter,

If you can use openssl’s s_client command (example below) to connect to the 
endpoint and verify that the hostname matches the certificate and that the 
certificate contains a SubjectAlternativeName entry with that hostname (see RFC 
6125 [1] for more details), this should help you debug the issue. The cause of 
the PKIX error is that the truststore doesn’t contain a certificate (or 
certificate chain) which matches the hostname presented by the remote endpoint. 
I think you understand that based on your message. The underlying reason for 
this could be one of the following:

* the server is behind an interface which responds differently to GET and 
POST/PUT requests
* there is a load-balancer which is directing the requests coincidentally to 
different backend servers (one has the right cert; the other doesn’t)
* I recall something around the addition of (some) Elastic Search components 
which handled TLS in an ES client-specific manner; I remember advocating for 
standard NiFi TLS interaction here but I am not sure what was ultimately 
contributed.

If it’s not one of the above issues, I can investigate further. 

Hopefully this helps. 

[1] https://tools.ietf.org/html/rfc6125#section-6.4.4

s_client example: 

$ openssl s_client -connect <host:port> -debug -state \
    -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> \
    -CAfile <path_to_your_CA_cert.pem>

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
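The two checks Andy describes (does the presented certificate carry a SubjectAlternativeName matching the hostname per RFC 6125, and does the same certificate come back on every connection, or is a load balancer handing out different backend certs) can be scripted so they run repeatedly against the endpoint. The following is an added example, not code from this thread or from NiFi: it assumes the Elasticsearch host, port and a PEM bundle exported from the NiFi truststore are passed on the command line (a JKS/PKCS12 truststore can be exported to PEM with `keytool -exportcert -rfc`), and the `SAMPLE_CERT` dict is a constructed stand-in for what Python's `ssl` module returns from `getpeercert()`.

```python
"""Diagnose a PKIX 'unable to find valid certification path' error.

Added example, not code from the mailing-list thread or from NiFi.
Assumes HOST, PORT and CAFILE (a PEM bundle exported from the NiFi
truststore) are given on the command line; with no arguments it only
exercises the hostname matcher against a constructed sample cert.
"""
import hashlib
import socket
import ssl
import sys

# Constructed sample in ssl.getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "es.example.internal"),),),
    "subjectAltName": (("DNS", "es.example.internal"),
                       ("DNS", "*.es.example.internal")),
}


def _name_matches(pattern, hostname):
    """Match one DNS-ID against a hostname (RFC 6125 6.4.3 wildcard rule)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard may only be the whole left-most label, must cover the same
    # number of labels, and (conservative choice made here) needs at least
    # two labels after it so "*.com" never matches "example.com".
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert):
    """DNS entries of subjectAltName from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, cert):
    """RFC 6125 6.4.4: use DNS-IDs when present; fall back to CN only if none."""
    names = san_dns_names(cert)
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return any(_name_matches(name, hostname) for name in names)


def probe_once(host, port, cafile, timeout=5.0):
    """One TLS handshake: was the chain accepted, plus the leaf's SHA-256."""
    verifying = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with verifying.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                cert = tls.getpeercert()
        detail = "verified; SAN=%s" % san_dns_names(cert)
        ok = True
    except ssl.SSLCertVerificationError as exc:
        # Re-connect without verification only to record what was presented,
        # the same thing s_client shows when the truststore rejects the chain.
        peek = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        peek.check_hostname = False
        peek.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with peek.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
        detail = "rejected: %s" % getattr(exc, "verify_message", str(exc))
        ok = False
    return {"verified": ok, "detail": detail,
            "sha256": hashlib.sha256(der).hexdigest(),
            "pem": ssl.DER_cert_to_PEM_cert(der)}


def probe(host, port, cafile, repeats=5):
    """Handshake several times; more than one fingerprint means different
    backends (for example behind a load balancer) answer for the same name."""
    results = [probe_once(host, port, cafile) for _ in range(repeats)]
    return results, {r["sha256"] for r in results}


if __name__ == "__main__":
    if len(sys.argv) < 4:
        for name in ("es.example.internal", "node1.es.example.internal", "other.internal"):
            print(name, hostname_matches(name, SAMPLE_CERT))
        sys.exit(0)
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    results, fingerprints = probe(host, port, cafile)
    for r in results:
        print(r["sha256"][:16], r["detail"])
    if len(fingerprints) > 1:
        print("WARNING: %d distinct leaf certificates seen" % len(fingerprints))
    # Feed a rejected leaf to: openssl x509 -noout -text
    print(results[-1]["pem"])
```

If every probe is rejected with the same fingerprint, the certificate in the truststore simply is not (or does not chain to) the one presented; if fingerprints differ between probes, the second bullet in the reply (a load balancer fronting backends with different certificates) is the likely cause, and the PEM printed last can be compared against the truststore contents with `openssl x509 -noout -text`.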

> On Oct 16, 2019, at 8:37 PM, Peter Moberg <peter.mob...@gmail.com> wrote:
> 
> I have an Elastic Search cluster that is setup with SSL. It uses a 
> self-signed cert for this. I am working with Apache Nifi 1.9.2. I have a flow 
> that has the PutElasticSearchHttp component. I have setup an SSLContextService 
> for that component where I have specified a trust store that has the 
> self-signed cert from ES. I specify an https endpoint to access Elastic 
> Search and I'm having no issues populating my Elastic Search instance using 
> this flow.
> 
> I have another flow where I want to do some lookups. So I have been using the 
> LookupRecord processor. That one I have associated with an 
> ElasticSearchClientServiceImpl which I have setup to point to the same 
> SSLContextService as used above. I specified the same HTTPS Url (triple 
> checked this). However, when I run this second Flow I am not able to verify 
> the ES server's self-signed certificate.
> 
> I check the nifi-app.log and it says:
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
> to find valid certification path to requested target
> 
> I am a bit surprised that I am not able to verify the same server certificate 
> in the two different flows.
> 
> Completely stuck on this so if anyone has any pointers please let me know.
> 
> Thanks,
> 
> Peter
