Hello. I am trying to start a secure instance of nifi version 1.16.3. I am getting this error on start attempt:
2022-12-27 20:44:21,765 INFO [main] o.a.n.r.v.FileBasedVariableRegistry Loaded a total of 90 properties. Including precedence overrides effective accessible registry key size is 90
2022-12-27 20:44:21,972 WARN [main] o.a.nifi.security.util.SslContextFactory Some keystore properties are populated (/opt/nifi/config_resources/keys/server.jks, ********, ********, JKS) but not valid
2022-12-27 20:44:21,972 ERROR [main] o.apache.nifi.controller.FlowController Unable to start the flow controller because the TLS configuration was invalid: The keystore properties are not valid
2022-12-27 20:44:22,009 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Initialization of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.JwtAuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 3; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is java.lang.IllegalStateException: Flow controller TLS configuration is invalid

This is what my nifi.properties file looks like in this section:

# security properties #
nifi.sensitive.props.key=A_KEY_HERE
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.additional.keys=
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=/opt/nifi/config_resources/keys/server.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=b0gu5passw0r2!
nifi.security.keyPasswd=b0gu5passw0r2!
nifi.security.truststore=/opt/nifi/config_resources/keys/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=Diff3r3ntBoguspwd#
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=
nifi.security.user.jws.key.rotation.period=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

I have verified the password for my keystore at the command line (this works):

sudo keytool -list -v -keystore server.jks
Enter keystore password: b0gu5passw0r2!
(....I see the result....)

These JKS files were converted by me from a cacert.pem (to truststore.jks) and a server.pfx (for server.jks) using keytool. The cacert.pem and the server.pfx were created by me at TinyCert.org.

I thought my keyPasswd should be the same as my keystorePasswd, but am I wrong about that? Is it possible that the keyPasswd is the password or passphrase I employed when I created the original server.pfx file? What is this error telling me, and how can I fix it?

To summarize, this is how I got to where I am: I created a cacert.pem, an admin.pfx, server.pfx, and client1.pfx using TinyCert. While in TinyCert.org I was in with a password and a passphrase. I transferred those to my keys directory under my nifi install and used keytool to create a truststore.jks, a server.jks, a client1.jks, and an admin.jks keystore file. Each jks has its own password. I can look at the contents of my truststore.jks, my admin.jks, my server.jks, and my client1.jks using keytool, with the password I provided to keytool for admin at the time of conversion.

Jim
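
Added example, not part of the original post and not NiFi's own code: keytool -list asks only for the keystore password, so it does not test the value in nifi.security.keyPasswd. This standalone Java check (the class name CheckKeyPassword is hypothetical) loads the store with the keystore password and then tries to open each private-key entry with the key password, using only the standard java.security.KeyStore API.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Added diagnostic example, not NiFi code.
// Build and run: javac CheckKeyPassword.java && java CheckKeyPassword <keystore> <JKS|PKCS12>
public class CheckKeyPassword {

    // True only if the store holds a private key and every one opens with keyPasswd.
    static boolean keysOpenWith(KeyStore ks, char[] keyPasswd) throws Exception {
        boolean sawKey = false, allOk = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate entry only, no private key");
                continue;
            }
            sawKey = true;
            try {
                ks.getKey(alias, keyPasswd);
                System.out.println(alias + ": key password accepted");
            } catch (UnrecoverableKeyException e) {
                // The store opened, but this entry is protected by another password.
                System.out.println(alias + ": key password REJECTED");
                allOk = false;
            }
        }
        if (!sawKey) System.out.println("no private-key entry in this store");
        return sawKey && allOk;
    }

    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 2 || con == null) {
            System.err.println("usage (interactive): CheckKeyPassword <keystore> <JKS|PKCS12>");
            System.exit(2);
        }
        // Prompt without echo so the passwords stay out of shell history and ps output.
        char[] storePw = con.readPassword("keystorePasswd: ");
        char[] keyPw = con.readPassword("keyPasswd: ");
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePw); // IOException here: wrong store password or type
        }
        System.exit(keysOpenWith(ks, keyPw) ? 0 : 1);
    }
}
```

A "REJECTED" line for the server key while the store itself loads means the two passwords differ for that entry; entering the original .pfx passphrase at the keyPasswd prompt shows whether the conversion carried it over.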
