Dmitri Grigoriev

Reputation: 11

Apache NiFi with MongoDB over SSL

I've run into a problem with the SSL connection to MongoDB (SSLContextService processors).

I've generated all the certificates myself (Root, Server and Client). I've signed the Server and Client certificates with my root certificate. Since my MongoDB server has more than one IP address, I've included all IP addresses in the server certificate.

MongoDB is also configured for SSL connections (TLS); the old TLS versions (1.1, 1.2) are not disabled in MongoDB.

The SSL connection with the mongo shell works without problems. I've also checked everything with openssl s_client, and the connection was established and worked properly.

For Apache NiFi I've created a keystore (PKCS12):

openssl pkcs12 -export -name client -in client.crt -inkey client.key -certfile ca.crt -out client.p12

and also a truststore with the server certificate:

openssl pkcs12 -export -name server -in server.crt -inkey server.key -out server.p12

and I've also tried:

openssl pkcs12 -export -name server -in server.crt -inkey server.key -certfile ca.crt -out server.p12

ca.crt is my root certificate. client.crt and server.crt were signed with this ca.crt.

I've used both services in NiFi:

StandardSSLContextService and StandardRestrictedSSLContextService. In the Keystore parameter I've put client.p12 and in the Truststore parameter server.p12. Both types are PKCS12. The TLS protocol is just TLS.

But I still get the error "PKIX path building failed".

I'm not sure what I've missed, but maybe someone has had this problem already.

Thanks in advance.

P.S. I forgot: if I set the MongoDBControllerService parameter "Client Auth" to "NONE", then it works.

Upvotes: 1

Views: 795

Answers (2)

Carl

Reputation: 1

NiFi uses its own truststore which is either jks or pfx (p12) format, not concatenated pem files and not system files under /etc/pki/ca-trust/. As far as I can tell, you are not allowed to pass the tlsCAFile url parameter from a nifi processor which is confusing.

Upvotes: 0

Andy

Reputation: 14194

PKIX path building errors mean that NiFi cannot construct the trusted "path" between the certificate that is presented by the other endpoint (in this case MongoDB) and any of the certificates which are loaded in the respective truststore to identify trusted certificates.

If I am watching my niece and she tells me she's allowed to have all the candy she wants, I am not likely to agree. However, if she has a signed note from her parent confirming that, she gets candy. If she has a note signed by herself in crayon, not so much.

The likely solution is to concatenate the root public certificate and the node certificate into a single file (literally just cat server.pem ca.pem > combined_server.pem; make sure the node cert is first). That command assumes the certificate files are in PEM-encoded ASCII format (i.e. starts with -----BEGIN CERTIFICATE-----) and I prefer using .pem for the extension here, though .crt files can also contain this data. You can then verify that the chain is correct with

openssl verify -verbose -purpose sslserver -CAfile ca.pem combined_server.pem

For consistency, I'd repeat the process with the client cert and CA as well (use -purpose sslclient in the verification command). Then regenerate the PKCS12 keystore & truststore and load them into NiFi.

I am slightly confused by the fact that you say disabling client authentication in NiFi allows this to work, as NiFi should be acting as the client, and clients don't get to determine the client authentication level (the setting is literally ignored when acting as a client). It should only matter if NiFi is somehow acting as the server and MongoDB is the client. What version of NiFi and MongoDB are you using?

Upvotes: 0
