The error I am currently getting from NiFi is this:

Caught: Received fatal alert: bad_certificate Received fatal alert: bad_certificate
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(
at org.apache.http.impl.client.DefaultRequestDirector.execute(
at org.apache.http.impl.client.AbstractHttpClient.doExecute(
at org.apache.http.impl.client.CloseableHttpClient.execute(
at org.apache.http.impl.client.CloseableHttpClient.execute(
at org.apache.http.impl.client.CloseableHttpClient.execute(
at$ Source)
at NiFiDeploy.loadProcessGroups(NiFiDeploy:346)
at NiFiDeploy.loadProcessGroups(NiFiDeploy)
at NiFiDeploy.handleGracefulShutdown(NiFiDeploy:87)

I am currently using the nifi node's truststore.jks to connect to it.



On Wed, Feb 21, 2018 at 2:10 PM, Sean Marciniak <> wrote:
Hi Joe,

I am trying to do in an automated fashion so using the UI doesn't help me in this case.
I already have a working groovy script that will upload these templates when NiFi is not secure but can not when it is.
I am trying to understand what is required in order to make this work for secure mode.

I am glad that the host header issue has been addressed in NiFi 1.6 as this will help us with securely deploying NiFi into Kubernetes.

I am not fully convinced that nifi registries are the way to go as they are an additional service that aims to replace other VCS such as git, svn. 
I am sure it has its purpose but it is not the correct fit for me.


On Wed, Feb 21, 2018 at 1:50 PM, Joe Witt <> wrote:

It is certainly possible and you could do this manually via the UI and your browser and use the browsers dev tools to learn more about the requests.  We have the REST API docs but those aren't always very helpful to understand the recipe of taking a series of actions.

With NiFi 1.5 host header we made it harder to configure in some cases which we've relaxed and will arrive in 1.6.0 but i'm not aware of it not allowing proper functions and of course it was a change made to address a security concern which since you're running in secure mode I'm guessing you'll find important.

With regard to the registry I will say that it was designed to be a far better answer to what templates could never do.  So what you'll work to learn more about now with templates and a workflow to get you closer the registry already does very well.  With 1.6.0 you'll also have access to a nice CLI to use between NiFi and Registry instances for versioned flows/flow management as well.


On Wed, Feb 21, 2018 at 8:42 AM, Jorge Machado <> wrote:
Hi Sean, 

Which error are u getting. It the API has the option for it It should work. 
may be this helps:

Jorge Machado

On 21 Feb 2018, at 13:40, Sean Marciniak <> wrote:

Hey Team,

We are currently trying to deploy flow templates to NiFi while its running in secure mode over https.
Do we know if this is possible?
Is there any documentation about doing this?

I am able to deploy the flow templates when it is running in non secure mode, but when we enforce secure mode, we are unable to do it.

We are currently stuck with using NiFiv1.4 due host header issues introduced in NiFi 1.5 and nifi registry is a unneeded risk we don't want to take.



Sean Marciniak

Are you ready for GDPR? GDPR: The Complete Guide for Recruiting Teams