Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-4899

Unable to find valid certification path to requested target

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.5.0
    • Fix Version/s: None
    • Component/s: Core UI
    • Environment:
      NiFi Version 1.5.0
      Java 1.8.0_161-b12
      CentOS Linux release 7.4.1708

      Description

      In my clustered ssl environment, if I start the webgui the first time, enter my login credentials (verified via LDAP) and go ahead (click "LOG IN") I'm getting the error below:

      javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284)
      at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278)
      at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:229)
      at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414)
      at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:752)
      at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:661)
      at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:875)
      at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
      at java.util.concurrent.FutureTask.run(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.ssl.Alerts.getSSLException(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
      at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
      at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
      at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
      at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
      at sun.security.ssl.Handshaker.processLoop(Unknown Source)
      at sun.security.ssl.Handshaker.process_record(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
      at java.net.HttpURLConnection.getResponseCode(Unknown Source)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
      at org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:390)
      at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:282)
      ... 14 common frames omitted
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
      at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
      at sun.security.validator.Validator.validate(Unknown Source)
      at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
      ... 30 common frames omitted
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
      at java.security.cert.CertPathBuilder.build(Unknown Source)
      ... 36 common frames omitted
      

      A site refresh solves the issue and I can see the canvas. After the first access, the issue is gone. I don't see it anymore until I restart NiFi.

      The certificate path of the cert should be fine, at least the browser (chrome) shows no problems in the address field.

       

        Attachments

        1. nifi_cert_issue.zip
          33 kB
          Josef Zahner
        2. Screen Shot 2018-02-21 at 11.08.13.png
          44 kB
          Josef Zahner

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              jzahner Josef Zahner
            • Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: