I encountered an issue with the StandardSSLContextService truststore.

On the NiFi server, I did some verification:

  1. Use curl with the server certificate to call the API. It is successful.

     curl -vvv -X POST --cacert prodmyconnect.crt \
          https://myconnect.mydomain.com/api/public/oauth2/login2 \
          -H "Content-Type: application/json" \
          -d '{"apikey":"CN3LUS9ZNq2z2ZLWdvnyAsxNlhIl2UkN", "apisecret":"Am5f51V4W8ExgSNzhNT6eILTgBrWZRxAne5qrUKIJ4YJkeOiVm1WGf92bm94K9fE"}'

  2. Use the intermediate certificate to call the API. It is also successful.

     curl -vvv -X POST --cacert trustwave_intermediateca.pem \
          https://myconnect.mydomain.com/api/public/oauth2/login2 \
          -H "Content-Type: application/json" \
          -d '{"apikey":"CN3LUS9ZNq2z2ZLWdvnyAsxNlhIl2UkN", "apisecret":"Am5f51V4W8ExgSNzhNT6eILTgBrWZRxAne5qrUKIJ4YJkeOiVm1WGf92bm94K9fE"}'

  3. I imported the server certificate prodmyconnect.crt into the truststore; it failed. I also imported the intermediate certificate; that also failed.

  4. I also tried to import the root certificate, and all kinds of combinations. All failed.

  5. But on the same NiFi server, I configured the UAT environment https://uat.mydomain.com/api/public/oauth2/login2, just imported the server certificate, and it works.

The errors are:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
        at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
        at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
        at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
        at org.apache.nifi.processors.standard.InvokeHTTP.onTrigger(InvokeHTTP.java:951)
        at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
        at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1361)
        at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:247)
        at org.apache.nifi.controller.scheduling.AbstractTimeBasedSchedulingAgent.lambda$doScheduleOnce$0(AbstractTimeBasedSchedulingAgent.java:59)
        at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
        ... 40 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 46 common frames omitted
2024-06-12 09:31:20,011 INFO [Timer-Driven Process Thread-751] o.a.n.c.s.StandardProcessScheduler Stopping InvokeHTTP[id=018f1001-509b-171e-9a2b-56c06a34849b]
2024-06-12 09:31:20,011 INFO [Timer-Driven Process Thread-751] o.a.n.controller.StandardProcessorNode Stopping processor: InvokeHTTP[id=018f1001-509b-171e-9a2b-56c06a34849b]
2024-06-12 09:31:20,011 INFO [Timer-Driven Process Thread-778] o.a.n.c.s.TimerDrivenSchedulingAgent Stopped scheduling InvokeHTTP[id=018f1001-509b-171e-9a2b-56c06a34849b] to run
2024-06-12 09:31:20,011 INFO [Timer-Driven Process Thread-778] o.a.n.controller.StandardProcessorNode InvokeHTTP[id=018f1001-509b-171e-9a2b-56c06a34849b] has completely stopped. Completing any associated Futures.
2024-06-12 09:31:20,381 INFO [Flow Service Tasks Thread-1] o.a.n.p.FlowConfigurationArchiveManager Removing old archive file ./conf/archive/20240526T124028+0800_flow.json.gz to reduce storage usage. currentSize=523780756
2024-06-12 09:31:20,643 INFO [Flow Service Tasks Thread-1] o.a.n.p.FlowConfigurationArchiveManager Removing old archive file ./conf/archive/20240527T140256+0800_flow.xml.gz to reduce storage usage. currentSize=523472064
2024-06-12 09:31:20,646 INFO [Flow Service Tasks Thread-1] o.a.nifi.controller.StandardFlowService Saved flow controller org.apache.nifi.controller.FlowController@df69b13 // Another save pending = false
2024-06-12 09:31:36,774 INFO [pool-7-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Initiating checkpoint of FlowFile Repository
2024-06-12 09:31:39,050 INFO [pool-7-thread-1] o.a.n.wali.SequentialAccessWriteAheadLog Checkpointed Write-Ahead Log with 224680 Records and 153 Swap Files in 2276 milliseconds (Stop-the-world time = 53 milliseconds), max Transaction ID 847712304
2024-06-12 09:31:39,050 INFO [pool-7-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Successfully checkpointed FlowFile Repository with 224680 records in 2276 milliseconds
2024-06-12 09:31:51,792 INFO [Write-Ahead Local State Provider Maintenance] org.wali.MinimalLockingWriteAheadLog org.wali.MinimalLockingWriteAheadLog@4f63219e checkpointed with 620 Records and 0 Swap Files in 7 milliseconds (Stop-the-world time = 1 milliseconds, Clear Edit Logs time = 1 millis), max Transaction ID 17740857
2024-06-12 09:31:57,888 INFO [Cleanup Archive for default] o.a.n.c.repository.FileSystemRepository Successfully deleted 0 files (0 bytes) from archive
2024-06-12 09:31:57,888 INFO [Cleanup Archive for default] o.a.n.c.repository.FileSystemRepository Archive cleanup completed for container default; will now allow writing to this container. Bytes used = 238.26 GB, bytes free = 261.49 GB, capacity = 499.75 GB
2024-06-12 09:31:59,051 INFO [pool-7-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Initiating checkpoint of FlowFile Repository
2024-06-12 09:31:59,051 INFO [pool-7-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Successfully checkpointed FlowFile Repository with 224680 records in 0 milliseconds
2024-06-12 09:32:19,051 INFO [pool-7-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Initiating checkpoint of FlowFile Repository
2024-06-12 09:32:19,051 INFO [pool-7-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Successfully checkpointed FlowFile Repository with 224680 records in 0 milliseconds
2024-06-12 09:32:39,051 INFO [pool-7-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Initiating checkpoint of FlowFile Repository
2024-06-12 09:32:39,051 INFO [pool-7-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Successfully checkpointed FlowFile Repository with 224680 records in 0 milliseconds


Regards
Jiang Xu
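
Added example, not part of the original post: an offline check of which truststore contents (root, intermediate, server certificate, or an unrelated CA) allow a certification path to be built for a presented chain, the condition the "PKIX path building failed" error reports as unmet. It uses `openssl verify -partial_chain` as a stand-in for Java's validator (an assumption), and every certificate, name and file in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Every certificate is constructed.

# path_ok ANCHORS CHAIN LEAF: succeeds if LEAF chains to any certificate in
# ANCHORS, taking intermediates from CHAIN (what the server sent).
# -partial_chain lets a non-root entry (an intermediate or the leaf itself)
# act as the trust anchor.
path_ok() {
    openssl verify -partial_chain -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# csr NAME CN: constructed RSA key and CSR under $LAB
csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
}

# selfsign NAME: self-signed CA certificate from NAME's CSR
selfsign() {
    openssl x509 -req -in "$LAB/$1.csr" -signkey "$LAB/$1.key" -days 2 \
        -extfile "$LAB/ca.ext" -out "$LAB/$1.pem" 2>/dev/null
}

# issue NAME ISSUER [EXTFILE]: certificate for NAME signed by ISSUER
issue() {
    openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$2.key" \
        -CAcreateserial -days 2 ${3:+-extfile "$3"} -out "$LAB/$1.pem" 2>/dev/null
}

# make_lab: root -> ca -> leaf, plus an unrelated root, all constructed
make_lab() {
    LAB=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\n' > "$LAB/ca.ext"
    csr root "Constructed Root";            selfsign root
    csr other "Unrelated Constructed Root"; selfsign other
    csr ca "Constructed Intermediate";      issue ca root "$LAB/ca.ext"
    csr leaf "leaf.example.test";           issue leaf ca
    cat "$LAB/leaf.pem" "$LAB/ca.pem" > "$LAB/chain.pem"
}

make_lab
for anchor in root ca leaf other; do
    if path_ok "$LAB/$anchor.pem" "$LAB/chain.pem" "$LAB/leaf.pem"
    then echo "truststore holding only '$anchor': path found"
    else echo "truststore holding only '$anchor': no valid certification path"
    fi
done
```

`path_ok` can also be pointed at real files: the truststore entries exported in PEM form with `keytool -list -rfc`, and the chain saved from `openssl s_client -showcerts`.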
