nifi-users mailing list archives

From Andy LoPresto <>
Subject Re: ElasticSearchClientServiceImpl not working for secured ElasticSearch
Date Thu, 17 Oct 2019 20:25:09 GMT
Hi Peter,

If you can use openssl’s s_client command (example below) to connect to the endpoint and
verify that the hostname matches the certificate and that the certificate contains a SubjectAlternativeName
entry with that hostname (see RFC 6125 [1] for more details), this should help you debug the
issue. The cause of the PKIX error is that the truststore doesn’t contain a certificate
(or certificate chain) which matches the hostname presented by the remote endpoint. I think
you understand that based on your message. The underlying reason for this could be one
of the following:

* the server is behind an interface which responds differently to GET and POST/PUT requests
* there is a load-balancer which is directing the requests coincidentally to different backend
servers (one has the right cert; the other doesn’t)
* I recall something around the addition of (some) Elastic Search components which handled
TLS in an ES client-specific manner; I remember advocating for standard NiFi TLS interaction
here but I am not sure what was ultimately contributed. If it’s not one of the above issues,
I can investigate further. 

Hopefully this helps. 

[1] <>

s_client example: 

$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> \
    -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Oct 16, 2019, at 8:37 PM, Peter Moberg <> wrote:
> I have an Elastic Search cluster that is set up with SSL. It uses a self-signed cert for
> this. I am working with Apache Nifi 1.9.2. I have a flow that has the PutElasticSearchHttp
> component. I have set up a SSLContextService for that component where I have specified a trust
> store that has the self-signed cert from ES. I specify an https endpoint to access Elastic
> Search and I'm having no issues populating my Elastic Search instance using this flow.
> I have another flow where I want to do some lookups. So I have been using the LookupRecord
> processor. That one I have associated with an ElasticSearchClientServiceImpl which I have
> set up to point to the same SSLContextService as used above. I specified the same HTTPS URL
> (triple checked this). However, when I run this second flow I am not able to verify the ES
> server's self-signed certificate.
> I check the nifi-app.log and it says:
> Caused by: unable to find valid certification path to requested target
> I am a bit surprised that I am not able to verify the same server certificate in the
> two different flows.
> Completely stuck on this so if anyone has any pointers please let me know.
> Thanks,
> Peter
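
The two checks described in the reply above (is the chain trusted, and does the certificate's SubjectAlternativeName cover the hostname being used), as an added Python example that is not part of the original thread or of NiFi's code. The host names, IP address and SAMPLE_CERT are constructed for illustration, and requiring at least two labels after a wildcard is a conservative assumption of this sketch.

```python
import ipaddress
import socket
import ssl

def san_entries(cert):
    """Split a getpeercert()-style dict into (dns_names, ip_addresses)."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    return dns, ips

def dns_matches(pattern, host):
    """RFC 6125 style match: '*' is accepted only as the whole left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def host_in_san(cert, host):
    """True if host (DNS name or IP literal) is covered by the certificate's SAN."""
    dns, ips = san_entries(cert)
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:                      # not an IP literal: compare DNS names
        return any(dns_matches(p, host) for p in dns)
    return any(ipaddress.ip_address(ip) == wanted for ip in ips)

def diagnose(host, port, cafile):
    """Chain check first (the PKIX step), then the SAN/hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)   # trust only this CA file
    ctx.check_hostname = False                        # checked separately below
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "chain not trusted: " + exc.verify_message
    return "ok" if host_in_san(cert, host) else "chain trusted, hostname not in SAN"

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subjectAltName": (("DNS", "es01.example.internal"),
                                  ("DNS", "*.search.example.internal"),
                                  ("IP Address", "10.0.0.5"))}
```

Calling diagnose() with the exact host, port and CA certificate configured in each flow shows which of the two checks fails for that endpoint.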
