[ https://issues.apache.org/jira/browse/NIFI-11086?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17680891#comment-17680891 ]
Nathan Gough commented on NIFI-11086:
-------------------------------------

I was able to verify the issue does occur, though I noted a different exception:
{code:java}
2023-01-25 23:20:04,933 WARN [main] o.apache.nifi.registry.jetty.JettyServer Failed to start web server... shutting down.
org.apache.nifi.security.ssl.BuilderConfigurationException: Key Manager initialization failed
    at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:120)
    at org.apache.nifi.security.ssl.StandardSslContextBuilder.build(StandardSslContextBuilder.java:55)
    at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildSslContext(ApplicationServerConnectorFactory.java:147)
    at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.<init>(ApplicationServerConnectorFactory.java:74)
    at org.apache.nifi.registry.jetty.JettyServer.configureConnectors(JettyServer.java:150)
    at org.apache.nifi.registry.jetty.JettyServer.<init>(JettyServer.java:101)
    at org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:114)
    at org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:168)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at java.base/sun.security.provider.KeyProtector.recover(KeyProtector.java:304)
    at java.base/sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:162)
    at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1050)
    at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:141)
    at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:64)
    at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:275)
    at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:118)
    ... 7 common frames omitted
2023-01-25 23:20:04,933 INFO [Thread-0] org.apache.nifi.registry.NiFiRegistry Initiating shutdown of Jetty web server...
2023-01-25 23:20:04,933 INFO [Thread-0] org.apache.nifi.registry.NiFiRegistry Jetty web server shutdown completed (nicely or otherwise).
{code}
This is something we could fix directly for this one issue in the NiFi Registry Client, or maybe there's a way to make this common with NiFi. I note that similar 'getSslContext()' methods exist in other places, e.g. the SiteToSiteClient.

> NiFi Registry keystore passwd change
> ------------------------------------
>
> Key: NIFI-11086
> URL: https://issues.apache.org/jira/browse/NIFI-11086
> Project: Apache NiFi
> Issue Type: Bug
> Components: NiFi Registry
> Affects Versions: 1.19.1
> Reporter: Anders
> Priority: Minor
>
> After upgrading NiFi Registry from 1.17.0 to 1.19.1, it stopped working with the following logged stacktrace:
> {code:title=nifi-registry-app.log}
> 2023-01-20 09:09:50,530 WARN [main] o.apache.nifi.registry.jetty.JettyServer Failed to start web server... shutting down.
> org.apache.nifi.security.ssl.BuilderConfigurationException: Key Manager initialization failed
>     at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:120)
>     at org.apache.nifi.security.ssl.StandardSslContextBuilder.build(StandardSslContextBuilder.java:55)
>     at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildSslContext(ApplicationServerConnectorFactory.java:147)
>     at org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.<init>(ApplicationServerConnectorFactory.java:74)
>     at org.apache.nifi.registry.jetty.JettyServer.configureConnectors(JettyServer.java:150)
>     at org.apache.nifi.registry.jetty.JettyServer.<init>(JettyServer.java:101)
>     at org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:114)
>     at org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:168)
> Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>     at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:446)
>     at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
>     at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
>     at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
>     at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
>     at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
>     at org.apache.nifi.security.ssl.StandardSslContextBuilder.getKeyManagers(StandardSslContextBuilder.java:118)
>     ... 7 common frames omitted
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>     at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
>     at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
>     at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
>     at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408)
>     at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440)
>     at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
>     at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:387)
>     at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:283)
>     at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:381)
>     ... 13 common frames omitted
> {code}
> The problem is that we had an empty value for nifi.registry.security.keyPasswd in nifi-registry.properties:
> {code:title=nifi-registry.properties}
> nifi.registry.security.keystore=./ssl/foo1.p12
> nifi.registry.security.keystoreType=PKCS12
> nifi.registry.security.keystorePasswd=foobar
> nifi.registry.security.keyPasswd=
> {code}
> Adding nifi.registry.security.keyPasswd (same as keystorePasswd), the application starts:
> {code:title=nifi-registry.properties}
> nifi.registry.security.keystore=./ssl/foo1.p12
> nifi.registry.security.keystoreType=PKCS12
> nifi.registry.security.keystorePasswd=foobar
> nifi.registry.security.keyPasswd=foobar
> {code}
> See link to Slack thread below.
> NiFi itself has no problem with _nifi.registry.security.keyPasswd_ being empty, so there is a difference in behavior between the two applications.
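
The failure mode reported above, reproduced as an added example that is not part of the original thread and is not NiFi or NiFi Registry code. It assumes a fix of the form "treat a blank key password as the keystore password"; the class name, the `effectiveKeyPassword` helper and the `demo` alias are hypothetical, and a constructed AES secret-key entry stands in for the TLS private key so the keystore can be built in memory.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;

public class KeyPasswdFallbackDemo {

    // Hypothetical helper (assumption, not project code): a blank key
    // password means "same as the keystore password".
    static char[] effectiveKeyPassword(String keyPasswd, String keystorePasswd) {
        boolean blank = keyPasswd == null || keyPasswd.trim().isEmpty();
        return (blank ? keystorePasswd : keyPasswd).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed values mirroring the properties quoted in the report.
        String keystorePasswd = "foobar";
        String keyPasswd = "";

        // In-memory PKCS12 keystore whose entry is protected with the
        // keystore password, as in a .p12 file with one shared password.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128);
        keyStore.setKeyEntry("demo", generator.generateKey(),
                keystorePasswd.toCharArray(), null);

        // Passing the empty keyPasswd through unchanged cannot decrypt the entry.
        try {
            keyStore.getKey("demo", keyPasswd.toCharArray());
            System.out.println("unexpected: key recovered with empty password");
        } catch (UnrecoverableKeyException e) {
            System.out.println("empty keyPasswd used as-is: "
                    + e.getClass().getSimpleName());
        }

        // Falling back to keystorePasswd recovers the entry.
        Key key = keyStore.getKey("demo",
                effectiveKeyPassword(keyPasswd, keystorePasswd));
        System.out.println("fallback to keystorePasswd: recovered "
                + key.getAlgorithm() + " key");
    }
}
```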