InvokeHTTP error: certification path to requested target - apache-nifi

I have a cluster managed with cloudera, I have installed CFM (Nifi) with the tutorial; also secured the nifi nodes with TLS/SSL.
When I tried the invokeHTTP processor, I have the following bulletin:
InvokeHTTP[id=3c2dea7a-0172-1000-0000-0000350072f1] Yielding processor due to exception encountered as a source processor: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have tried with and without a secured cluster (with the help of Nifi CA toolkit service), without any success.
I also tried to create a controller service to force the path of the truststore and keystore.
Now I am clueless about what to do, any ideas?
Thank you for your help,

#pdeuxa you need to configure the SSLContextService for the resource you are connecting to, not the NiFi cluster. You do this by adding the resource's SSL certificates to a local NiFi truststore, then telling NiFi where the truststore is. The files need to be properly owned by the nifi user and copied to all NiFi nodes.

It works with the SSLContext configuration!
I copied the cacerts from the Java JDK to each NiFi node, and granted ownership of the cacerts to the nifi user.
In the SSL context configuration I added the path of the copied cacerts for the keystore and truststore (the default password for the Java cacerts is "changeit").
Then I forced the InvokeHTTP "proxy type" property to "http".

Related

Failed to load URLs from https://example.com/auth/realms/REALM/.well-known/openid-configuration

I was using my spring-boot service with keycloak for login. Until yesterday I had a keycloak on localhost:8081, but today we have been given a new domain for Keycloak (https://example.com) instead of still using localhost:8081.
For this I had to update my 'etc/hosts' file with the new domain.
The problem is that I can't launch any request from my microservice. I have a controller, with many end-points, but I can't access any of them, I get the error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
with this Warning:
Failed to load URLs from https://example.com/auth/realms/REALM/.well-known/openid-configuration
However, from Postman I can access this URL: https://example.com/auth/realms/REALM/.well-known/openid-configuration
In theory, I have my application.yaml well configured with the Keycloak settings (I only had to change the auth path, which was localhost before and is now my https://example.com):
keycloak.auth-server-url: https://example.com/auth/
keycloak.realm: MyREALM
keycloak.resource: login
keycloak.public-client: true
keycloak.credentials.secret: mysecret
I accessed my Keycloak (with the new domain), tried to export the certificate and, with keytool, integrate it into the 'cacerts' file, but I haven't been able to get it to work.
I've tried following these articles, but they don't solve my problem:
Keycloak: Failed to load URLs in Spring Boot Application
"PKIX path building failed" and "unable to find valid certification path to requested target"
Why is my microservice giving me this error?
2022-07-20 12:03:28.013 WARN 25996 --- [nio-8080-exec-4] o.keycloak.adapters.KeycloakDeployment : Failed to load URLs from https://example.com/auth/realms/MyREALM/.well-known/openid-configuration
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370) ~[na:na]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:313) ~[na:na]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) ~[na:na]
I have read a lot of information about certificates, downloading the certificate of the HTTPS site and adding it to the cacerts file, but it doesn't work for me.
The (temporary) solution was:
The problem with certificates was only on my localhost, not in the development environment.
So, locally, I opened a port-forward connection to the Keycloak service (the one that throws the certificate exception). This let me avoid hitting the domain directly from Spring Boot, avoiding the certificate error.
port-forward service/keycloak 8081:8080

GraalVM windows native-image installation Problem

I am trying to install native-image for my GraalVM in Windows environment. In cmd, I used the below command,
gu install native-image
But it shows this error,
Downloading: Release index file from oca.opensource.oracle.com
Error: Error reading component list: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As the error states, the environment from which gu is establishing a secure connection to the remote repository cannot verify the certification path of the repository. In other words, your JVM does not trust oca.opensource.oracle.com.
The $JAVA_HOME/lib/security/cacerts file contains the collection of trusted CAs used by the JVM when running gu. Apparently this file in your JDK is missing the certificate chain of your repository.
Adding a new trusted certificate
1. Download the oca.opensource.oracle.com repository's root certificate.
2. Open the $JAVA_HOME/lib/security/cacerts file in elevated mode with e.g. KeyStore Explorer, or modify it with keytool. The default password is changeit.
3. Add the new trusted CA from step 1.
4. Save and close.
Useful sources
SSL and cert keystore
Difference Between a Java Keystore and a Truststore
In our organization the issue was in the man-in-the-middle SSL firewall product as mentioned by prunge.

AWS s3 access PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path

I have an HTTPS-enabled Spring Boot service which accesses AWS S3. This service maintains its own custom truststore, so I have exported the following certificates from the Java cacerts and added them to its custom truststore:
Alias name: amazonrootca1 [jdk],amazonrootca2 [jdk],amazonrootca3 [jdk],amazonrootca4 [jdk], starfieldclass2ca [jdk], starfieldrootg2ca [jdk], starfieldservicesrootg2ca [jdk]
But I am still getting the following issue:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I resolve this?

Spring Tool Suite can't connect to Update site using SSL (HTTPS)

When I try to connect to update sites under Help -> Install New Software I get:
Unable to read repository at https://dl.google.com/eclipse/plugin/4.4/content.xml.
Unable to read repository at https://dl.google.com/eclipse/plugin/4.4/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have tried to import the certificate into the truststore as well as set it in the sts.ini file but to no avail.
Any help greatly appreciated!
I encountered a similar issue while trying to add templates to STS (3.6.2). The issue was my organization's usage of an SSL inspection tool that presents its certificate instead of the real one (GitHub.com).
The solution was to export the SSL inspection's certificate (using IE for example) and add it to the cacerts file. Use this article for the procedure.
Then update the sts.ini file and add the following lines:
-Djavax.net.ssl.trustStore=C:\Program Files\Java\jdk1.7.0_07\jre\lib\security\cacerts
-Djavax.net.ssl.trustStorePassword=changeit
Finally - restart STS.
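Every fix in these threads (the NiFi SSLContextService truststore, the GraalVM keytool steps, the STS sts.ini trustStore settings) comes down to one question: does the truststore the JVM is using contain a trust anchor for the chain the server actually presents? The diagnostic below is an added example, not code from any of the answers; it runs the same PKIX validation JSSE performs, but offline against a saved PEM chain, so it names the issuer that is missing (which also exposes an SSL-inspection CA like the one described above). The class name PkixCheck and the file paths are assumptions, and the PEM file is expected to hold the server's chain leaf-first.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
// Added diagnostic; class name and paths are assumptions. Example invocation:
//   java PkixCheck server-chain.pem "$JAVA_HOME/lib/security/cacerts" changeit
public class PkixCheck {
    // Read every certificate in a PEM file, in file order (leaf first, as a server sends them).
    static List<X509Certificate> readChain(String pemPath) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + pemPath);
        // A self-signed root at the end of a longer chain is the anchor candidate, not part of
        // the path to validate: it must already be in the truststore.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        return chain;
    }
    // The same PKIX path validation JSSE runs during the handshake, against the given truststore.
    static void validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check; revocation needs network access
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }
    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = readChain(args[0]);
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        try {
            validate(chain, ts);
            System.out.println("OK: chain is trusted by " + args[1]);
        } catch (CertPathValidatorException e) {
            X509Certificate top = chain.get(chain.size() - 1);
            System.out.println("NOT TRUSTED: " + e.getMessage() + "; no anchor for issuer " + top.getIssuerX500Principal());
            // Confirm that issuer is the CA you expect (not an unexpected SSL-inspection CA) before importing it:
            System.out.println("keytool -importcert -trustcacerts -keystore " + args[1] + " -alias <name> -file <ca.pem>");
        }
    }
}
```

Run it against the cacerts path the application really uses (the NiFi node's copy, or the -Djavax.net.ssl.trustStore value) rather than whichever JDK is first on your PATH, since a mismatch there is the usual reason an import "doesn't work".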

Xcode Application Loader - communications error

Attempting to upload a binary that has passed 'validation' I get:
Communications error. Please use diagnostic mode to check connectivity. You need to have outbound access to TCP port 443
An exception has occurred: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Could not connect to Apple's web service
Unable to authenticate the package: 617269104.itms
Transport update failed with unexpected exception
An exception has occurred: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I still have this problem despite trying all the suggestions in various similar SO threads. Running App Loader 2.9.1; Java version 7 build 1.7.0.; Yosemite beta 4; Xcode 5.1.1. Also tried all the settings in Java Control Panel General/Network Settings. All firewall ports open for outbound traffic.
Any new/further suggestions appreciated...