StandardSSLContextService error

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

StandardSSLContextService error

Nabegh
I'm trying to configure PostHTTP processor with StandardSSLContextService. I copied
localhost-ks.jks
localhost-ts.jks
from nifi github repo and passed their location to the StandardSSLContextService but it is not accepting it. It is giving me the following error

'Keystore filename' validated against '/Path/to/localhost-ks.jks' is invalid because file /Path/to/localhost-ks.jks does not exist or cannot be read.
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Jeff
Nabegh,

Under what user is NiFi running?  Does that user have read access for the
keystore and truststore?

On Fri, Jul 22, 2016 at 3:11 PM Nabegh <[hidden email]> wrote:

> I'm trying to configure PostHTTP processor with StandardSSLContextService.
> I
> copied
> localhost-ks.jks
> localhost-ts.jks
> from nifi github repo and passed their location to the
> StandardSSLContextService but it is not accepting it. It is giving me the
> following error
>
> 'Keystore filename' validated against '/Path/to/localhost-ks.jks' is
> invalid
> because file /Path/to/localhost-ks.jks does not exist or cannot be read.
>
>
>
> --
> View this message in context:
> http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887.html
> Sent from the Apache NiFi Developer List mailing list archive at
> Nabble.com.
>
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Nabegh
Hi Jeff,

Under the same user who is the owner of the keystore and truststore.
Yes. All are running under the same user.

Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Jeff
Hello Nabegh,

Can you supply the logs that include the error you referenced in your
previous email?  Can you also include a directory listing that includes the
file permissions, please?

On Mon, Jul 25, 2016 at 12:31 PM Nabegh <[hidden email]> wrote:

> Hi Jeff,
>
> Under the same user who is the owner of the keystore and truststore.
> Yes. All are running under the same user.
>
>
>
>
>
> --
> View this message in context:
> http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12893.html
> Sent from the Apache NiFi Developer List mailing list archive at
> Nabble.com.
>
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Nabegh
nabegh-mac:~ nabegh$ pwd
/Users/nabegh
nabegh-mac:~ nabegh$ ls -l | grep jks
-rwxrwxrwx@  1 nabegh  staff     3512 22 Jul 10:30 localhost-ks.jks
-rwxrwxrwx@  1 nabegh  staff     1816 22 Jul 10:30 localhost-ts.jks
nabegh-mac:~ nabegh$

I don't see the error in the logs. I see a warning (yellow triangle) in the Controller Services screen. When I hover the mouse I see the previous message in the tooltip.

Thanks.
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Andy LoPresto-2
Nabegh,

Can you ensure that the controller service has the actual path to the keystore and truststore populated? According to the popup, it has the value “/Path/to/localhost-ks.jks” when it should actually be “/Users/nabegh/localhost-ks.jks”. Repeat for the truststore. 

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 27, 2016, at 11:41 AM, Nabegh <[hidden email]> wrote:

nabegh-mac:~ nabegh$ pwd
/Users/nabegh
nabegh-mac:~ nabegh$ ls -l | grep jks
-rwxrwxrwx@  1 nabegh  staff     3512 22 Jul 10:30 localhost-ks.jks
-rwxrwxrwx@  1 nabegh  staff     1816 22 Jul 10:30 localhost-ts.jks
nabegh-mac:~ nabegh$

I don't see the error in the logs. I see a warning (yellow triangle) in the
Controller Services screen. When I hover the mouse I see the previous
message in the tooltip.

Thanks.




--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12902.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.


signature.asc (859 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Nabegh
Andy,

This is the case. /Path/to was just a placeholder.



On Wednesday, 27 July 2016, Andy LoPresto-2 [via Apache NiFi Developer List] <[hidden email]> wrote:
Nabegh,

Can you ensure that the controller service has the actual path to the keystore and truststore populated? According to the popup, it has the value “/Path/to/localhost-ks.jks” when it should actually be “/Users/nabegh/localhost-ks.jks”. Repeat for the truststore. 

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 27, 2016, at 11:41 AM, Nabegh <[hidden email]> wrote:

nabegh-mac:~ nabegh$ pwd
/Users/nabegh
nabegh-mac:~ nabegh$ ls -l | grep jks
-rwxrwxrwx@  1 nabegh  staff     3512 22 Jul 10:30 localhost-ks.jks
-rwxrwxrwx@  1 nabegh  staff     1816 22 Jul 10:30 localhost-ts.jks
nabegh-mac:~ nabegh$

I don't see the error in the logs. I see a warning (yellow triangle) in the
Controller Services screen. When I hover the mouse I see the previous
message in the tooltip.

Thanks.




--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12902.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.


signature.asc (859 bytes) Download Attachment



If you reply to this email, your message will be added to the discussion below:
http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12903.html
To unsubscribe from StandardSSLContextService error, click here.
NAML
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Andy LoPresto-2
Nabegh,

Can you please try using an InvokeHTTP processor to perform the same action? This may not solve the specific issue with the current processor, but InvokeHTTP is a newer processor and may handle the StandardSSLContextService values differently. 

You are using the absolute path, and not a relative path, correct? If the password or type was incorrect and NiFi simply could not validate the data in the keystore, it would be a different error message. This really indicates that NiFi cannot find or open the file you’re referencing. 

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 27, 2016, at 2:22 PM, Nabegh <[hidden email]> wrote:

Andy,

This is the case. /Path/to was just a placeholder.



On Wednesday, 27 July 2016, Andy LoPresto-2 [via Apache NiFi Developer
List] <[hidden email]> wrote:

Nabegh,

Can you ensure that the controller service has the actual path to the
keystore and truststore populated? According to the popup, it has the value
“/Path/to/localhost-ks.jks” when it should actually be
“/Users/nabegh/localhost-ks.jks”. Repeat for the truststore.

Andy LoPresto
[hidden email] <http:///user/SendEmail.jtp?type=node&node=12903&i=0>
*[hidden email] <http:///user/SendEmail.jtp?type=node&node=12903&i=1>*
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 27, 2016, at 11:41 AM, Nabegh <[hidden email]
<http:///user/SendEmail.jtp?type=node&node=12903&i=2>> wrote:

nabegh-mac:~ nabegh$ pwd
/Users/nabegh
nabegh-mac:~ nabegh$ ls -l | grep jks
-rwxrwxrwx@  1 nabegh  staff     3512 22 Jul 10:30 localhost-ks.jks
-rwxrwxrwx@  1 nabegh  staff     1816 22 Jul 10:30 localhost-ts.jks
nabegh-mac:~ nabegh$

I don't see the error in the logs. I see a warning (yellow triangle) in the
Controller Services screen. When I hover the mouse I see the previous
message in the tooltip.

Thanks.




--
View this message in context:
http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12902.html
Sent from the Apache NiFi Developer List mailing list archive at
Nabble.com <http://nabble.com>.



*signature.asc* (859 bytes) Download Attachment
<http://apache-nifi-developer-list.39713.n7.nabble.com/attachment/12903/0/signature.asc>


------------------------------
If you reply to this email, your message will be added to the discussion
below:

http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12903.html
To unsubscribe from StandardSSLContextService error, click here
< class="">.
NAML
<
http://apache-nifi-developer-list.39713.n7.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>





--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12904.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.


signature.asc (859 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Nabegh
Hi Andy,

Yes I am using the absolute path. 
Tried InvokeHTTP and it works fine without even requiring the StandardSSLContextService to be configured.

Thanks.



On Wednesday, 27 July 2016, Andy LoPresto-2 [via Apache NiFi Developer List] <[hidden email]> wrote:
Nabegh,

Can you please try using an InvokeHTTP processor to perform the same action? This may not solve the specific issue with the current processor, but InvokeHTTP is a newer processor and may handle the StandardSSLContextService values differently. 

You are using the absolute path, and not a relative path, correct? If the password or type was incorrect and NiFi simply could not validate the data in the keystore, it would be a different error message. This really indicates that NiFi cannot find or open the file you’re referencing. 

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 27, 2016, at 2:22 PM, Nabegh <[hidden email]> wrote:

Andy,

This is the case. /Path/to was just a placeholder.



On Wednesday, 27 July 2016, Andy LoPresto-2 [via Apache NiFi Developer
List] <[hidden email]> wrote:

Nabegh,

Can you ensure that the controller service has the actual path to the
keystore and truststore populated? According to the popup, it has the value
“/Path/to/localhost-ks.jks” when it should actually be
“/Users/nabegh/localhost-ks.jks”. Repeat for the truststore.

Andy LoPresto
[hidden email] <http:///user/SendEmail.jtp?type=node&node=12903&i=0>
*[hidden email] <http:///user/SendEmail.jtp?type=node&node=12903&i=1>*
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 27, 2016, at 11:41 AM, Nabegh <[hidden email]
<http:///user/SendEmail.jtp?type=node&node=12903&i=2>> wrote:

nabegh-mac:~ nabegh$ pwd
/Users/nabegh
nabegh-mac:~ nabegh$ ls -l | grep jks
-rwxrwxrwx@  1 nabegh  staff     3512 22 Jul 10:30 localhost-ks.jks
-rwxrwxrwx@  1 nabegh  staff     1816 22 Jul 10:30 localhost-ts.jks
nabegh-mac:~ nabegh$

I don't see the error in the logs. I see a warning (yellow triangle) in the
Controller Services screen. When I hover the mouse I see the previous
message in the tooltip.

Thanks.




--
View this message in context:
http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12902.html
Sent from the Apache NiFi Developer List mailing list archive at
Nabble.com <http://nabble.com>.



*signature.asc* (859 bytes) Download Attachment
<http://apache-nifi-developer-list.39713.n7.nabble.com/attachment/12903/0/signature.asc>


------------------------------
If you reply to this email, your message will be added to the discussion
below:

http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12903.html
To unsubscribe from StandardSSLContextService error, click here
< class="">.
NAML
<
http://apache-nifi-developer-list.39713.n7.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>





--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12904.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.


signature.asc (859 bytes) Download Attachment



If you reply to this email, your message will be added to the discussion below:
http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12905.html
To unsubscribe from StandardSSLContextService error, click here.
NAML
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Andy LoPresto-2
If it works without the SSLContextService configured, it is likely making a plaintext HTTP connection. Did you try the PostHTTP without the SSLContextService?

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 28, 2016, at 3:49 AM, Nabegh <[hidden email]> wrote:

Hi Andy,

Yes I am using the absolute path.
Tried InvokeHTTP and it works fine without even requiring the
StandardSSLContextService to be configured.

Thanks.



On Wednesday, 27 July 2016, Andy LoPresto-2 [via Apache NiFi Developer
List] <[hidden email]> wrote:

Nabegh,

Can you please try using an InvokeHTTP processor to perform the same
action? This may not solve the specific issue with the current processor,
but InvokeHTTP is a newer processor and may handle the
StandardSSLContextService values differently.

You are using the absolute path, and not a relative path, correct? If the
password or type was incorrect and NiFi simply could not validate the data
in the keystore, it would be a different error message. This really
indicates that NiFi cannot find or open the file you’re referencing.

Andy LoPresto
[hidden email] <http:///user/SendEmail.jtp?type=node&node=12905&i=0>
*[hidden email] <http:///user/SendEmail.jtp?type=node&node=12905&i=1>*
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 27, 2016, at 2:22 PM, Nabegh <[hidden email]
<http:///user/SendEmail.jtp?type=node&node=12905&i=2>> wrote:

Andy,

This is the case. /Path/to was just a placeholder.



On Wednesday, 27 July 2016, Andy LoPresto-2 [via Apache NiFi Developer
List] <[hidden email]
<http:///user/SendEmail.jtp?type=node&node=12905&i=3>> wrote:

Nabegh,

Can you ensure that the controller service has the actual path to the
keystore and truststore populated? According to the popup, it has the value
“/Path/to/localhost-ks.jks” when it should actually be
“/Users/nabegh/localhost-ks.jks”. Repeat for the truststore.

Andy LoPresto
[hidden email] <http:///user/SendEmail.jtp?type=node&node=12903&i=0
<http://user/SendEmail.jtp?type=node&node=12903&i=0>>
*[hidden email] <http:///user/SendEmail.jtp?type=node&node=12903&i=1
<http://user/SendEmail.jtp?type=node&node=12903&i=1>>*
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 27, 2016, at 11:41 AM, Nabegh <[hidden email]
<http:///user/SendEmail.jtp?type=node&node=12903&i=2
<http://user/SendEmail.jtp?type=node&node=12903&i=2>>> wrote:

nabegh-mac:~ nabegh$ pwd
/Users/nabegh
nabegh-mac:~ nabegh$ ls -l | grep jks
-rwxrwxrwx@  1 nabegh  staff     3512 22 Jul 10:30 localhost-ks.jks
-rwxrwxrwx@  1 nabegh  staff     1816 22 Jul 10:30 localhost-ts.jks
nabegh-mac:~ nabegh$

I don't see the error in the logs. I see a warning (yellow triangle) in the
Controller Services screen. When I hover the mouse I see the previous
message in the tooltip.

Thanks.




--
View this message in context:

http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12902.html
Sent from the Apache NiFi Developer List mailing list archive at
Nabble.com <http://nabble.com/> <http://nabble.com>.



*signature.asc* (859 bytes) Download Attachment
<
http://apache-nifi-developer-list.39713.n7.nabble.com/attachment/12903/0/signature.asc



------------------------------
If you reply to this email, your message will be added to the discussion
below:


http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12903.html
To unsubscribe from StandardSSLContextService error, click here
< class="">.
NAML
<
http://apache-nifi-developer-list.39713.n7.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml






--
View this message in context:
http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12904.html
Sent from the Apache NiFi Developer List mailing list archive at
Nabble.com <http://nabble.com/>.



*signature.asc* (859 bytes) Download Attachment
<http://apache-nifi-developer-list.39713.n7.nabble.com/attachment/12905/0/signature.asc>


------------------------------
If you reply to this email, your message will be added to the discussion
below:

http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12905.html
To unsubscribe from StandardSSLContextService error, click here
< class="">.
NAML
<
http://apache-nifi-developer-list.39713.n7.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>





--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12906.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.


signature.asc (859 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Nabegh
PostHTTP does not allow https calls without the SSLContextService, but are you sure about the plain HTTP connection?
Reply | Threaded
Open this post in threaded view
|

Re: StandardSSLContextService error

Andy LoPresto-2
I have not looked at the source recently, but unless it is using the underlying Jersey code to delegate hostname and certificate trust to the default JRE cacerts truststore, the lack of SSLContextService means no truststore with which to accept server certificates, so the connection would be over HTTP, or (doubtful but possibly) unverified HTTPS. 

 
Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jul 28, 2016, at 10:11 AM, Nabegh <[hidden email]> wrote:

PostHTTP does not allow https calls without the SSLContextService, but are
you sure about the plain HTTP connection?




--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/StandardSSLContextService-error-tp12887p12908.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.


signature.asc (859 bytes) Download Attachment