Hi James, can it be that you are trying to start nifi with ssl without authentication? Looks like that..
> On 27. Dec 2022, at 22:13, James McMahon <jsmcmah...@gmail.com> wrote:
>
> Hello. I am trying to start a secure instance of nifi version 1.16.3. I am getting this error on start attempt:
>
> 2022-12-27 20:44:21,765 INFO [main] o.a.n.r.v.FileBasedVariableRegistry Loaded a total of 90 properties. Including precedence overrides effective accessible registry key size is 90
> 2022-12-27 20:44:21,972 WARN [main] o.a.nifi.security.util.SslContextFactory Some keystore properties are populated (/opt/nifi/config_resources/keys/server.jks, ********, ********, JKS) but not valid
> 2022-12-27 20:44:21,972 ERROR [main] o.apache.nifi.controller.FlowController Unable to start the flow controller because the TLS configuration was invalid: The keystore properties are not valid
> 2022-12-27 20:44:22,009 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
> org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Initialization of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.JwtAuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 3; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is java.lang.IllegalStateException: Flow controller TLS configuration is invalid
>
> This is what my nifi.properties file looks like in this section:
>
> # security properties #
> nifi.sensitive.props.key=A_KEY_HERE
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
> nifi.sensitive.props.additional.keys=
>
> nifi.security.autoreload.enabled=false
> nifi.security.autoreload.interval=10 secs
> nifi.security.keystore=/opt/nifi/config_resources/keys/server.jks
> nifi.security.keystoreType=JKS
> nifi.security.keystorePasswd=b0gu5passw0r2!
> nifi.security.keyPasswd=b0gu5passw0r2!
> nifi.security.truststore=/opt/nifi/config_resources/keys/truststore.jks
> nifi.security.truststoreType=JKS
> nifi.security.truststorePasswd=Diff3r3ntBoguspwd#
> nifi.security.user.authorizer=managed-authorizer
> nifi.security.allow.anonymous.authentication=false
> nifi.security.user.login.identity.provider=
> nifi.security.user.jws.key.rotation.period=
> nifi.security.ocsp.responder.url=
> nifi.security.ocsp.responder.certificate=
>
> I have verified the password for my keystore at the command line (this works):
>
> sudo keytool -list -v -keystore server.jks
> Enter keystore password: b0gu5passw0r2!
> (....I see the result....)
>
> These JKS files were converted by me from a cacert.pem (to truststore.jks) and a server.pfx (for server.jks) using keytool. The cacert.pem and the server.pfx were created by me at TinyCert.org.
>
> I thought my keyPasswd should be the same as my keystorePasswd, but am I wrong about that? Is it possible that the keyPasswd is the password or passphrase I employed when I created the original server.pfx file?
>
> What is this error telling me, and how can I fix it?
>
> To summarize, this is how I got to where I am:
> I created a cacert.pem, an admin.pfx, server.pfx, and client1.pfx using TinyCert.
> While in TinyCert.org I was in with a password and a passphrase.
> I transferred those to my keys directory under my nifi install and used keytool to create a truststore.jks, a server.jks, a client1.jks, and an admin.jks keystore file.
> Each jks has its own password.
> I can look at the contents of my truststore.jks, my admin.jks, my server.jks, and my client1.jks using keytool, with the password I provided to keytool for admin at the time of conversion.
>
> Jim
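The keystorePasswd/keyPasswd question in the quoted mail can be settled with a few lines against the JDK KeyStore API, which is what NiFi uses underneath. The program below is an added example (not NiFi's code and not from this thread): it opens the JKS with the store password, then tries to recover each private-key entry with the key password, so the two checks that the "keystore properties are populated ... but not valid" warning lumps together are reported separately. It treats an omitted key password as equal to the store password, which is NiFi's default for nifi.security.keyPasswd; the class name CheckKeystore is mine.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Run with: java CheckKeystore.java <keystore.jks> <keystorePasswd> [keyPasswd]
public class CheckKeystore {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CheckKeystore <keystore.jks> <keystorePasswd> [keyPasswd]");
            System.exit(2);
        }
        String path = args[0];
        char[] storePass = args[1].toCharArray();
        // Blank nifi.security.keyPasswd falls back to keystorePasswd, so do the same here.
        char[] keyPass = (args.length > 2 ? args[2] : args[1]).toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            // A wrong keystorePasswd fails here: the JKS integrity digest does not match.
            ks.load(in, storePass);
        }
        System.out.println("keystore opened with keystorePasswd: OK");

        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println("trusted certificate entry: " + alias);
                continue;
            }
            keyEntries++;
            try {
                // A wrong keyPasswd fails here: the entry was protected with a different
                // password (for example the one used when the .pfx was created).
                ks.getKey(alias, keyPass);
                System.out.println("key entry " + alias + ": recoverable with keyPasswd");
            } catch (UnrecoverableKeyException e) {
                System.out.println("key entry " + alias + ": NOT recoverable with keyPasswd;"
                        + " set nifi.security.keyPasswd to the password this key was stored with");
            }
        }
        if (keyEntries == 0) {
            // keytool -list succeeds on such a file, but it cannot serve as nifi.security.keystore.
            System.out.println("no private key entry found: usable as a truststore, not as the server keystore");
        }
    }
}
```

Run it with the same values as in nifi.properties; the line that fails tells you which of the two passwords needs to change.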