You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2016/02/05 04:10:39 UTC

[jira] [Resolved] (NIFI-1479) Catch PKIX CertPathValidatorException and provide better error messaging

     [ https://issues.apache.org/jira/browse/NIFI-1479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy LoPresto resolved NIFI-1479.
---------------------------------
       Resolution: Fixed
    Fix Version/s: 0.5.0

This is resolved with PR 201, and new documentation is available in the Admin Guide. 

> Catch PKIX CertPathValidatorException and provide better error messaging
> ------------------------------------------------------------------------
>
>                 Key: NIFI-1479
>                 URL: https://issues.apache.org/jira/browse/NIFI-1479
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 0.5.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: certificate, security, tls
>             Fix For: 0.5.0
>
>
> Users often encounter an exception when validating certificates which is poorly worded and confusing:
> {code}
> ./nifi-app.log:2016-01-06 08:06:38,637 ERROR [Timer-Driven Process Thread-6] o.a.nifi.processors.standard.InvokeHTTP InvokeHTTP[id=c75d8a02-3a6a-3c72-a086-ca0ace77fd62] Routing to Failure due to exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> {code}
> Due to phrases like "PKIX path building failed" and "unable to find valid certification path to requested target", users often believe this is a file path issue and that NiFi cannot locate the truststore. However, the issue is actually that no *certificate validation* "path" can be constructed -- i.e. NiFi cannot find a chain between the certificate being validated and any trusted CA certificate that has signed it (or intermediaries). 
> This exception should be caught and a more explicative error message should be displayed, with suggestions for how to resolve this issue (usually importing the custom CA certificate or self-signed certificate into the truststore). 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)