
I need your help (or advice) on the issue below that I am getting during NiFi v1.16 integration for my customer:

We are using Java 11 and TLS v1.2 with the 3PP we are trying to reach here:

2023-01-20 09:48:32,777|30014|0|b27a4669|Call REST Webservice|IHTTP|pre|a11a959f|Invoke HTTP|Filename: fec58a73-6fdc-4429-b807-uuuuuuu| CUST > XX> REST WS (3rd Party API) > 3PP Check account > Call 3rd party and save req and resp > Invoke HTTP | ISL-XX.CHECK_ACCOUNT.TA -URL: POST 'https://172.21.XX.DD:8012/provisioning/getaccountholderinfo' - Request: <ns2:getaccountholderinforequest xmlns:ns2="http://3pp.ext.bj/em/emm/provisioning/v1_1"> ID:22X57XXXX60/MSISDN </ns2:getaccountholderinforequest>

2023-01-20 09:48:32,815|30052|39|b27a4669|Call REST Webservice|IHTTP|Failure|a11a959f|Invoke HTTP|Filename: fec58a73-6fdc-4429-b807-uuuuuuuu| CUST > XX> REST WS (3rd Party API) > 3PP Check account > Call 3rd party and save req and resp > Invoke HTTP | ISL-XX.ECW_CHECK_ACCOUNT.TA - InvokeHttp Failed -Hostname 172.21.XX.DD not verified: certificate: sha256/ebhXnh4Mx6wp8Q9PsmzfnzifhfUUU/nP0sfDF1ig2s= DN: CN=3pp.ext.bj, L=COUN, ST=COUN, C=XX subjectAltNames: []: <ns2:getaccountholderinforequest xmlns:ns2="http://3pp.ext.bj/em/emm/provisioning/v1_1"> ID:22X57XXXX60/MSISDN </ns2:getaccountholderinforequest>

If anyone has an idea for me, I will really appreciate it.

  • Submitted a new CSR to the customer to ensure we have a valid keystore with root and intermediate.
  • We fixed /etc/hosts to match the 3PP ns with its IP.
  • We used cacerts from Java as the truststore.
  • Used the keystore as the truststore since we have the trusted root and intermediate certs inside.
  • Set the JVM property -Dcom.sun.net.ssl.checkRevocation=false (disable SSL certificate validation in Java).
  • Changed the Java version for NiFi: JDK 1.8 / 11.0.4 / 17 / 11.0.11.
  • Updated the SAN extension in our certificate to match our hostname, IP, and Subject.

crisso98
  • Best way: call the API not by IP address but by a hostname that matches your certificate. You can add the hostname by modifying the hosts file on the machine where NiFi is running... If you still need to call it by IP, you could add the IP into the SubjectAltNames field of the signed certificate. – daggett Feb 02 '23 at 18:03
  • Thanks @daggett for your reply. I already tried with the hostname but still get the same error. – crisso98 Feb 02 '23 at 18:40
  • It means that the hostname is not matching the SAN (subjectAltNames). – daggett Feb 02 '23 at 18:57
  • So, is there no way to bypass this check? – crisso98 Feb 03 '23 at 12:32
  • A couple of years ago I faced this problem and I wasn't able to bypass it. – daggett Feb 03 '23 at 13:24
  • Ok. So the only way to solve this problem is to update the SAN fields on the 3PP I'm applying to. – crisso98 Feb 03 '23 at 17:45

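Why none of the workarounds in the question can help, as an added example that is not code from the original post or from NiFi: InvokeHTTP is built on OkHttp, and OkHttp's hostname verifier compares the name the client connected to (a DNS name or an IP literal) only against the certificate's subjectAltName entries; the subject CN is never consulted. A certificate whose SAN is empty, as the log shows ("subjectAltNames: []"), therefore fails for both the IP and the hostname, regardless of which truststore is used or which JDK runs NiFi. The Python below reimplements that SAN-only rule on the dict shape that ssl.getpeercert() returns. The two certificate dicts and the IP 172.21.0.1 are constructed samples standing in for the redacted values in the log.

```python
import ipaddress
import socket
import ssl

# Constructed sample: the certificate from the question, as ssl.getpeercert()
# would present it. Subject CN only, no SAN. (Assumption: that is what the 3PP serves.)
CERT_NO_SAN = {
    "subject": ((("countryName", "XX"),), (("stateOrProvinceName", "COUN"),),
                (("localityName", "COUN"),), (("commonName", "3pp.ext.bj"),)),
    "subjectAltName": (),
}

# Constructed sample: the same subject re-issued with a SAN that carries both the
# hostname and the IP, which is what the comments recommend asking the 3PP for.
CERT_WITH_SAN = {
    "subject": CERT_NO_SAN["subject"],
    "subjectAltName": (("DNS", "3pp.ext.bj"), ("IP Address", "172.21.0.1")),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style dNSName match: case-insensitive, at most one wildcard and
    only as the whole leftmost label, wildcard never matches more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # reject "*" alone, "*.com" style patterns and wildcards in other labels
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_equal(san_value, ip):
    try:
        return ipaddress.ip_address(san_value) == ip
    except ValueError:
        return False


def verify_hostname(cert, target):
    """Return (ok, reason). Mirrors OkHttp's OkHostnameVerifier: an IP literal must
    equal a SAN iPAddress entry, a DNS name must match a SAN dNSName entry, and the
    subject CN is ignored in both cases."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in san:
            if kind == "IP Address" and _ip_equal(value, ip):
                return True, "IP %s matched SAN iPAddress %s" % (target, value)
        return False, "no SAN iPAddress entry equals %s (SAN: %s)" % (target, list(san))
    for kind, value in san:
        if kind == "DNS" and _dns_match(value, target):
            return True, "hostname %s matched SAN dNSName %s" % (target, value)
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return False, "no SAN dNSName matches %s; CN %s is not consulted (SAN: %s)" % (
        target, cn, list(san))


def fetch_and_verify(host, port, timeout=5.0):
    """Live check, not exercised offline: fetch the chain-validated peer certificate
    and apply the SAN-only rule to whatever name or IP the client actually used."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by verify_hostname; chain is still verified
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return verify_hostname(tls.getpeercert(), host)


if __name__ == "__main__":
    for cert_name, cert in (("CN-only cert", CERT_NO_SAN), ("cert with SAN", CERT_WITH_SAN)):
        for target in ("172.21.0.1", "3pp.ext.bj"):
            ok, reason = verify_hostname(cert, target)
            print("%-14s %-12s %s: %s" % (cert_name, target, "OK" if ok else "FAIL", reason))
```

The run shows the CN-only certificate failing for both the IP and the hostname, and the re-issued certificate passing for both, which is the same outcome as the hosts-file experiment in the comments: adding a hosts entry only changes the name the client presents, not the names the certificate contains. The only client-side knobs in the question's list, the truststore and -Dcom.sun.net.ssl.checkRevocation=false, govern chain building and revocation checking, not hostname verification, so they cannot influence this error. The fix has to happen on the 3PP side: re-issue the server certificate with a SAN such as subjectAltName=DNS:3pp.ext.bj,IP:172.21.XX.DD (with OpenSSL 1.1.1 or later this can be passed to openssl req via -addext), then call it by whichever of those names the URL uses.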