C2 - Confidential

Dear Isha,

Thanks for your quick reply and sorry for my late one ;)

This issue has finally been fixed, the root cause was that our internal proxy didn't know the remote url/site in its white list. After the remote url has been added to the proxy's white list, the problem was just gone.

Thanks
Emmanuel

From: Isha Lamboo <isha.lam...@virtualsciences.nl>
Sent: Monday, 6 May 2024 08:51
To: users@nifi.apache.org
Subject: RE: [SSL] Can't reach remote site, SSL error

Hi Emmanuel,

It looks like the server certificate was signed with a CA certificate that doesn't have the right usage options set to act as a CA by signing certificates.

Most likely this is a self-signed certificate, in which case both server and CA/certsign key usage options need to be specified but were not. A new certificate with the proper options will need to be created by them and imported by you.

If it was signed by an internal company CA at the remote site that you added to your cacerts or nifi truststore, you will need to check the key usage options on that one, but it's unlikely they would have any working setup at their site with an invalid CA cert.

Regards,
Isha

From: QUEVILLON Emmanuel - EXT-SAFRAN ENGINEERING SERVICES (SAFRAN) <emmanuel.quevillon.e...@safrangroup.com>
Sent: Friday, 3 May 2024 17:32
To: users@nifi.apache.org
Subject: [SSL] Can't reach remote site, SSL error

Hi guys,

I'm facing an issue regarding running an InvokeHTTP processor which is responsible for getting data from a remote site.

The SSL context is set to default JVM truststore (cacerts) as we usually add certificates from remote site to be trusted to the nifi truststore.jks.

However, with the new service we want to query, we're facing an error we've never seen before:

    CA key usage check failed: keyCertSign bit is not set

Even pointing the SSL Context to our nifi truststore does not work, error says it cannot find the path to certificate:

    unable to find valid certification path to requested target

Can someone light my lantern please? I'm completely lost...

Thanks in advance.
Emmanuel

#
"This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."
#
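A check for the key usage condition discussed in this thread, as an added example that is not part of the original messages: it reads a PEM certificate with openssl and reports whether its keyUsage extension lacks the keyCertSign bit. The function names `make_cert` and `ca_key_usage` and the generated certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example; the certificates generated below are constructed test data.

# make_cert <out.pem> [keyUsage list]: self-signed cert with CA:TRUE and the
# given keyUsage values (no keyUsage extension at all when the list is empty).
make_cert() {
    cfg=$(mktemp)
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=constructed-example\n'
        printf '[ext]\nbasicConstraints=critical,CA:TRUE\n'
        if [ -n "${2:-}" ]; then printf 'keyUsage=critical,%s\n' "$2"; fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$cfg.key" -out "$1" \
        -days 1 -config "$cfg" 2>/dev/null
    rc=$?
    rm -f "$cfg" "$cfg.key"
    return $rc
}

# ca_key_usage <cert.pem> prints one word:
#   ok       keyUsage present and includes Certificate Sign (keyCertSign)
#   missing  keyUsage present without keyCertSign: the case in the error text
#   absent   no keyUsage extension (RFC 5280 path validation only tests the
#            bit when the extension is present)
#   error    file could not be parsed as a certificate
ca_key_usage() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo error; return 2; }
    # The usage names are on the line after the "X509v3 Key Usage" header.
    usage=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; print; exit }')
    case "$usage" in
        "") echo absent ;;
        *"Certificate Sign"*) echo ok ;;
        *) echo missing ;;
    esac
}

# Demo on two constructed certificates.
dir=$(mktemp -d)
make_cert "$dir/server-only.pem" "digitalSignature,keyEncipherment"
make_cert "$dir/proper-ca.pem" "keyCertSign,cRLSign"
for f in "$dir"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(ca_key_usage "$f")"
done
rm -rf "$dir"
```

To apply it to a real endpoint, save each certificate printed by `openssl s_client -connect host:port -showcerts` to its own PEM file and run `ca_key_usage` on every issuer in the chain.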