It also looks like you're using a deprecated controller service. The migration guide for 2.7.0 can be found here:
https://cwiki.apache.org/confluence/plugins/servlet/mobile?contentId=57905503#MigrationGuidance-Migratingto2.7.0 On Sun, Dec 14, 2025, 9:05 AM Eric Secules <[email protected]> wrote: > Hello Kay-Uwe > > Maybe it's this bug? https://issues.apache.org/jira/browse/NIFI-15340 > > It's listed as a known issue in the release notes. > > -Eric > > On Sun, Dec 14, 2025, 5:07 AM [email protected] <[email protected]> > wrote: > >> Dear NiFi Team, >> >> Did I overlook something when upgrading from 2.6.0 to 2.7.1 with regard >> to the keystore and truststore files? >> Of course, I completely customized nifi.properties (format, passwords, >> path, etc.). >> However, when I start 2.7.1, I get the following error: >> >> java.util.concurrent.ExecutionException: >> java.lang.IllegalStateException: Enabling >> StandardControllerServiceNode[service=SSLContextService[id=b3942123-018b-1000-3507-9ecf751f5bbc], >> >> name=StandardRestrictedSSLContextService, active=true] failed: >> Validation Status [INVALID] Errors ['Keystore Properties' is invalid >> because Invalid keystore password or type specified for file >> [/opt/nifi/current/conf/keystore.pkcs12]: keystore password was >> incorrect, 'Truststore Properties' is invalid because Invalid truststore >> password or type specified for file >> [/opt/nifi/current/conf/truststore.jks]: Keystore was tampered with, or >> password was incorrect] >> at >> >> java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396) >> at >> >> java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2096) >> at >> >> org.apache.nifi.controller.service.StandardControllerServiceProvider.enableControllerServices(StandardControllerServiceProvider.java:261) >> at >> >> org.apache.nifi.controller.serialization.VersionedFlowSynchronizer.inheritControllerServices(VersionedFlowSynchronizer.java:1057) >> at >> >> org.apache.nifi.controller.serialization.VersionedFlowSynchronizer.synchronizeFlow(VersionedFlowSynchronizer.java:416) >> at >> >> org.apache.nifi.controller.serialization.VersionedFlowSynchronizer.sync(VersionedFlowSynchronizer.java:221) >> at >> >> org.apache.nifi.controller.FlowController.synchronize(FlowController.java:1817) >> at >> >> org.apache.nifi.persistence.StandardFlowConfigurationDAO.load(StandardFlowConfigurationDAO.java:91) >> at >> >> org.apache.nifi.controller.StandardFlowService.loadFromBytes(StandardFlowService.java:762) >> at >> >> org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:483) >> at >> >> org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:67) >> at >> >> org.eclipse.jetty.ee11.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1609) >> at >> >> org.eclipse.jetty.ee11.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:498) >> at >> >> org.eclipse.jetty.ee11.servlet.ServletHandler.initialize(ServletHandler.java:676) >> at >> >> org.eclipse.jetty.ee11.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1343) >> ... >> >> at org.apache.nifi.NiFi.main(NiFi.java:42) >> Caused by: java.lang.IllegalStateException: Enabling >> StandardControllerServiceNode[service=SSLContextService[id=b3942123-018b-1000-3507-9ecf751f5bbc], >> >> name=StandardRestrictedSSLContextService, active=true] failed: >> Validation Status [INVALID] Errors ['Keystore Properties' is invalid >> because Invalid keystore password or type specified for file >> [/opt/nifi/current/conf/keystore.pkcs12]: keystore password was >> incorrect, 'Truststore Properties' is invalid because Invalid truststore >> password or type specified for file >> [/opt/nifi/current/conf/truststore.jks]: Keystore was tampered with, or >> password was incorrect] >> at >> >> org.apache.nifi.controller.service.StandardControllerServiceNode$2.run(StandardControllerServiceNode.java:659) >> at >> org.apache.nifi.engine.FlowEngine.lambda$wrap$1(FlowEngine.java:105) >> at >> >> java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572) >> at >> java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317) >> at >> >> java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) >> at >> >> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) >> at >> >> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) >> at java.base/java.lang.Thread.run(Thread.java:1583) >> >> >> 2025-12-14 13:53:02,962 ERROR [Timer-Driven Process Thread-2] >> o.a.n.s.StandardRestrictedSSLContextService >> SSLContextService[id=b3942123-018b-1000-3507-9ecf751f5bbc] Failed to >> invoke @OnEnabled method >> org.apache.nifi.reporting.InitializationException: >> SSLContextService[id=b3942123-018b-1000-3507-9ecf751f5bbc] is not valid >> due to: >> 'Keystore Properties' is invalid because Invalid keystore password or >> type specified for file [/opt/nifi/current/conf/keystore.pkcs12]: >> keystore password was incorrect >> 'Truststore Properties' is invalid because Invalid truststore password >> or type specified for file [/opt/nifi/current/conf/truststore.jks]: >> Keystore was tampered with, or password was incorrect >> at >> >> org.apache.nifi.ssl.StandardSSLContextService.onConfigured(StandardSSLContextService.java:175) >> at >> >> java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) >> at java.base/java.lang.reflect.Method.invoke(Method.java:580) >> at >> >> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:145) >> at >> >> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:133) >> at >> >> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:78) >> at >> >> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:55) >> at >> >> org.apache.nifi.controller.service.StandardControllerServiceNode$2.run(StandardControllerServiceNode.java:685) >> at >> org.apache.nifi.engine.FlowEngine.lambda$wrap$1(FlowEngine.java:105) >> at >> >> java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572) >> at >> java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317) >> at >> >> java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) >> at >> >> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) >> at >> >> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) >> at java.base/java.lang.Thread.run(Thread.java:1583) >> >> >> *I have set all properties exactly as I did with 2.6., which have the >> following format:* >> >> nifi.sensitive.props.key=XXXXXXXXXXXXXXXXXXXXXXXXXXX >> nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256 >> >> nifi.security.autoreload.enabled=false >> nifi.security.autoreload.interval=10 secs >> nifi.security.keystore=./conf/keystore.pkcs12 >> nifi.security.keystore.certificate= >> nifi.security.keystore.privateKey= >> nifi.security.keystoreType=PKCS12 >> nifi.security.keystorePasswd=XXXXXXXXXXXXXXXXXXXXXXXXXXX >> nifi.security.keyPasswd=XXXXXXXXXXXXXXXXXXXXXXXXXXX >> nifi.security.truststore=./conf/truststore.jks >> nifi.security.truststore.certificate= >> nifi.security.truststoreType=jks >> nifi.security.truststorePasswd=XXXXXXXXXXXXXXXXXXXXXXXXXXX >> >> >> This has worked with all upgrades so far. Has anything changed in 2.7.1? >> >> Regards, >> Kay-Uwe >> >
