Damn stupid of me! I had to go into the Java SSL code to understand that, due to the PKCS12KeyStore.java code, it seems like the private key password has to be the same as the keystore password, otherwise I get that funky error.
So next time, maybe I will learn this burning lesson :-/

On 29/08/2019 at 10:30, Nicolas Delsaux wrote:
Hi all,

I'm trying to secure my nifi registry. So I've created a keystore and a truststore, added to the keystore a private key entry, and configured my nifi-registry docker container to use that keystore/truststore. I can get the key pair in my keystore using keytool, both on my machine and in the docker container. But when I start nifi-registry, I always get

nifi-registry_1 | java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
nifi-registry_1 | at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:435) ~[na:1.8.0_212]
nifi-registry_1 | at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_212]
nifi-registry_1 | at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133) ~[na:1.8.0_212]
nifi-registry_1 | at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_212]
nifi-registry_1 | at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_212]
nifi-registry_1 | at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1113) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:309) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:229) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:72) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:279) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.server.Server.doStart(Server.java:398) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1 | at org.apache.nifi.registry.jetty.JettyServer.start(JettyServer.java:423) ~[nifi-registry-jetty-0.4.0.jar:0.4.0]
nifi-registry_1 | at org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:117) [nifi-registry-runtime-0.4.0.jar:0.4.0]
nifi-registry_1 | at org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:164) [nifi-registry-runtime-0.4.0.jar:0.4.0]
nifi-registry_1 | Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
nifi-registry_1 | at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975) ~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1 | at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056) ~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1 | at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853) ~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1 | at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:405) ~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1 | at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:437) ~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1 | at javax.crypto.Cipher.doFinal(Cipher.java:2164) ~[na:1.8.0_212]
nifi-registry_1 | at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:371) ~[na:1.8.0_212]
nifi-registry_1 | ... 23 common frames omitted

What puzzles me is that I have successfully configured my nifi runner using exactly the same kind of configuration. Is there something I'm doing wrong? How can I investigate that kind of problem?

Thanks
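As an added diagnostic for the "how can I investigate that kind of problem" question (this is not code from the thread or from NiFi Registry): a small Java program that opens the PKCS12 keystore with the store password, then tries each private-key entry with the key password, which reproduces the same UnrecoverableKeyException outside the container and, when it fails, retries with the store password to confirm the mismatch described in the reply. The class name, command-line arguments and printed messages are my own choices.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import java.util.Collections;

// Added diagnostic, not from the thread or from NiFi Registry.
// Usage: java KeystoreCheck <keystore.p12> <storePassword> [keyPassword]
public class KeystoreCheck {

    // Returns true when every private-key entry decrypts with keyPass.
    static boolean keysUnlock(KeyStore ks, char[] keyPass) throws Exception {
        boolean allOk = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries have nothing to decrypt
            }
            try {
                ks.getKey(alias, keyPass);
                System.out.println("OK   '" + alias + "' unlocks with the key password");
            } catch (UnrecoverableKeyException e) {
                // Same exception Jetty's SslContextFactory hits at nifi-registry startup
                System.out.println("FAIL '" + alias + "': " + e.getMessage());
                allOk = false;
            }
        }
        return allOk;
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = args[1].toCharArray();
        char[] keyPass = (args.length > 2 ? args[2] : args[1]).toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // a wrong store password fails here, not in getKey
        }
        System.out.println("Keystore opened with " + ks.size() + " entries");

        boolean ok = keysUnlock(ks, keyPass);
        if (!ok && !Arrays.equals(keyPass, storePass)) {
            // The thread's finding: with PKCS12 the key password must equal the store password
            System.out.println("Retrying with the keystore password as the key password");
            ok = keysUnlock(ks, storePass);
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same store and key passwords you give nifi-registry; if the first pass fails and the retry succeeds, the key password in the configuration is the mismatch.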
