Hi Robert,

It looks like you've run into this bug I reported: https://issues.apache.org/jira/browse/NIFI-14025

Setting up the SSL context fails if no keystore is configured. The workaround is to copy the truststore details into the keystore configuration fields as well. It doesn't have to contain a valid server certificate and key; it only needs to be a valid keystore file for NiFi to load.

The fix will most likely be in 2.1.0.

Regards,
Isha

-----Original message-----
From: Robert Cohen <robert.co...@anu.edu.au.INVALID>
Sent: Tuesday, 3 December 2024 05:10
To: dev@nifi.apache.org
Subject: LDAP ssl issue in nifi 2.0.0

I'm trying to bring up a nifi-2.0.0 instance using LDAP auth, using config that works for nifi 1.28.1.

I'm getting errors for the SSL communication to the LDAP server. The root of the problem is:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'll attach more detailed logs. But as far as I can tell, it simply isn't using the ldap truststore provided in login-identity-providers.xml.

I might try combining things into one truststore rather than using a separate truststore for the ldap cacert.

I've tried to debug the problem by setting "-Djavax.net.debug=ssl,trustmanager". It shows the server loading the main truststore specified in nifi.properties, but nothing about the ldap truststore. But that might be because the authentication module isn't using the standard routines that javax.net.debug affects.

I tried comparing it to the logs I get from a nifi 1.28.1 instance, but that doesn't log anything at all. So it must be using different code.

--
Robert Cohen
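
The workaround from the reply above, sketched as a login-identity-providers.xml fragment. This is an added example, not configuration from the thread or from the NiFi project; the file paths, passwords, store type and the LDAPS strategy are assumed placeholders.

```xml
<!-- login-identity-providers.xml (fragment). Paths, passwords and store type
     are constructed placeholders; LDAPS is assumed as the strategy. -->
<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">LDAPS</property>

    <!-- Manager DN, Url, User Search Base and the other LDAP properties stay
         as they were and are omitted from this fragment. -->

    <!-- Truststore holding the LDAP server's CA certificate, carried over
         unchanged from the configuration that worked on 1.28.1. -->
    <property name="TLS - Truststore">/path/to/ldap-truststore.p12</property>
    <property name="TLS - Truststore Password">TRUSTSTORE_PASSWORD_PLACEHOLDER</property>
    <property name="TLS - Truststore Type">PKCS12</property>

    <!-- Workaround for NIFI-14025: with these three fields left empty, the SSL
         context setup fails and the truststore above is never applied.
         Pointing them at the same file gives NiFi a valid keystore to load;
         it does not need to hold a server certificate or private key. -->
    <property name="TLS - Keystore">/path/to/ldap-truststore.p12</property>
    <property name="TLS - Keystore Password">TRUSTSTORE_PASSWORD_PLACEHOLDER</property>
    <property name="TLS - Keystore Type">PKCS12</property>
</provider>
```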