nifi-users mailing list archives

From Andy LoPresto <alopre...@apache.org>
Subject Re: ElasticSearchClientServiceImpl not working for secured ElasticSearch
Date Thu, 17 Oct 2019 20:25:09 GMT
Hi Peter,

If you can use openssl’s s_client command (example below) to connect to the endpoint and
verify that the hostname matches the certificate and that the certificate contains a SubjectAlternativeName
entry with that hostname (see RFC 6125 [1] for more details), this should help you debug the
issue. The cause of the PKIX error is that the truststore doesn’t contain a certificate
(or certificate chain) which matches the hostname presented by the remote endpoint. I think
you understand that based on your message. The underlying reason for this could be one
of the following:

* the server is behind an interface which responds differently to GET and POST/PUT requests
* there is a load-balancer which is directing the requests coincidentally to different backend
servers (one has the right cert; the other doesn’t)
* I recall something around the addition of (some) Elastic Search components which handled
TLS in an ES client-specific manner; I remember advocating for standard NiFi TLS interaction
here but I am not sure what was ultimately contributed. If it’s not one of the above issues,
I can investigate further. 

Hopefully this helps. 

[1] https://tools.ietf.org/html/rfc6125#section-6.4.4

s_client example:

$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> \
    -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Oct 16, 2019, at 8:37 PM, Peter Moberg <peter.moberg@gmail.com> wrote:
> 
> I have an Elastic Search cluster that is set up with SSL. It uses a self-signed cert for
> this. I am working with Apache NiFi 1.9.2. I have a flow that has the PutElasticSearchHttp
> component. I have set up an SSLContextService for that component where I have specified a trust
> store that has the self-signed cert from ES. I specify an https endpoint to access Elastic
> Search and I'm having no issues populating my Elastic Search instance using this flow.
> 
> I have another flow where I want to do some lookups. So I have been using the LookupRecord
> processor. That one I have associated with an ElasticSearchClientServiceImpl which I have
> set up to point to the same SSLContextService as used above. I specified the same HTTPS URL
> (triple checked this). However, when I run this second Flow I am not able to verify the ES
> server's self-signed certificate.
> 
> I check the nifi-app.log and it says:
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> 
> I am a bit surprised that I am not able to verify the same server certificate in the
> two different flows.
> 
> Completely stuck on this so if anyone has any pointers please let me know.
> 
> Thanks,
> 
> Peter
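As an added example (not part of Andy's reply or of NiFi itself), the two checks he describes in script form: connect to the endpoint with the truststore NiFi is given, report whether the chain is anchored there (the "unable to find valid certification path" case), and separately check the SubjectAlternativeName DNS entries against the hostname per RFC 6125. The host, port and CA file arguments are placeholders for your own endpoint.

```python
"""Triage a PKIX / hostname failure against an HTTPS endpoint (added example)."""
import socket
import ssl


def san_matches_hostname(hostname: str, dns_names) -> bool:
    """RFC 6125 DNS-ID match: case-insensitive, and a wildcard is honoured
    only as the complete left-most label ('*.es.example.org')."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) > 1:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def diagnose_tls(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """Connect using cafile (PEM bundle of the self-signed/CA certs that the
    truststore should contain) and classify the outcome instead of raising."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Chain verification stays on (CERT_REQUIRED); the name check is done by
    # hand below so the two failure modes can be reported separately.
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname also sends SNI, which matters behind a load balancer
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # Same class of failure as NiFi's SunCertPathBuilderException
        return {"chain_trusted": False, "detail": err.verify_message}
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "chain_trusted": True,
        "san_dns": sans,
        "hostname_matches": san_matches_hostname(host, sans),
    }


if __name__ == "__main__":
    import sys
    # usage: python tls_triage.py <host> <port> <path_to_your_CA_cert.pem>
    print(diagnose_tls(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

If `chain_trusted` is False, the truststore handed to the SSLContextService lacks the server's chain; if it is True but `hostname_matches` is False, the cert is trusted but its SAN does not cover the name NiFi connects to.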

