[
https://issues.apache.org/jira/browse/NIFI-7936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286223#comment-17286223
]
David Handermann commented on NIFI-7936:
----------------------------------------
Thanks for providing the additional details on the SSLContextService
configuration. For verification, it would be helpful to compare the X.509
certificate of the Elasticsearch server with the contents of the truststore
JKS. The following OpenSSL command should return the Elasticsearch server
certificate subject and issuer information, substituting the uppercase values
for the actual server host and port:
{{openssl s_client -host ELASTICSEARCH_HOST -port ELASTICSEARCH_PORT}}
The following command will list the contents of the truststore:
{{keytool -list -v -keystore
/opt/nifi/nifi-current/custom/certs/generic_truststore.jks}}
Unless there are multiple intermediate certificate authorities, the issuer of
the Elasticsearch server certificate should be listed as one of the subject
names of the certificates included in the truststore.
It is unclear why this would work in JDK 8 but not JDK 11, but comparing these
settings would rule out a possible mismatch of trusted certificate authorities.
> PutElasticsearchRecord is unable to write to elasticsearch over SSL when
> using nifi with JDK11
> -----------------------------------------------------------------------------------------------
>
> Key: NIFI-7936
> URL: https://issues.apache.org/jira/browse/NIFI-7936
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.11.4, 1.12.1
> Environment: Redhat Enterprise Linux 7.8
> JDK 11.0.1.10
> Reporter: Adam Turley
> Priority: Major
> Attachments: Screen Shot 2020-10-16 at 11.00.28 AM.png, Screen Shot
> 2021-02-17 at 3.11.41 PM.png
>
>
> When using nifi on jdk11 PutElasticsearchRecord has the error:
> "javax.net.ssl.SSLHandshakeException: Received fatal alert:
> certficate_unknown"
> when using nifi on jdk8 there is no issue.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
