Created on 01-05-2026 04:50 AM - edited 01-05-2026 08:09 AM
I have installed and started Nifi.sh, it started and failed in next few seconds.
nifi.properties
# We recommend configuring HTTPS instead. The administrators guide provides instructions on how to do this.
nifi.web.http.host=localhost
nifi.web.http.port=8080
nifi.web.http.network.interface.default=
#############################################
#nifi.web.https.host=localhost
#nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.https.application.protocols=h2 http/1.1
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=
nifi.web.proxy.host=
nifi.web.max.content.size=
nifi.web.max.requests.per.second=30000
error.log
2025-12-31 14:03:57,387 INFO [main] org.apache.nifi.bootstrap.Command Application Process [9606] started
2025-12-31 14:03:57,388 INFO [main] org.apache.nifi.bootstrap.Command Bootstrap Process Running
2025-12-31 14:04:57,392 INFO [StartBootstrapCommand] o.a.n.b.c.ApplicationProcessStatusBootstrapCommand Application Process not found
2025-12-31 14:04:57,392 WARN [StartBootstrapCommand] o.a.n.b.command.StartBootstrapCommand Application monitoring failed with status [STOPPED]
File Descriptors: 262144
2025-12-31 14:03:57,315 WARN [main] o.a.n.b.process.RuntimeValidatorExecutor Runtime Configuration [AvailableLocalPorts] validation failed: Local Ports [28231] less than recommended [55000] according to [/proc/sys/net/ipv4/ip_local_port_range]
2025-12-31 14:03:57,316 WARN [main] o.a.n.b.process.RuntimeValidatorExecutor Runtime Configuration [Swappiness] validation failed: Swappiness [30] more than recommended [0] according to [/proc/sys/vm/swappiness]
2025-12-31 14:03:57,316 WARN [main] o.a.n.b.process.RuntimeValidatorExecutor Runtime Configuration [SocketTimedWaitDuration] validation failed: TCP Socket Wait [120 seconds] more than recommended [1 seconds] according to [/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait]
nifi can't start with Java17 but Java21
Today after reconfigure the xml with username and password in login-identity-providers.xml
[root@c21adbvo000000n bin]# ./nifi.sh start
JAVA_HOME=/usr/lib/jvm/java-21-openjdk-21.0.9.0.10-1.0.1.el8.x86_64
NIFI_HOME=/opt/nifi-2.7.2
[root@c21adbvo000000n bin]# ps -ef|grep nifi
root 32194 1 0 15:53 pts/1 00:00:00 /bin/sh ./nifi.sh start
root 32196 32194 19 15:53 pts/1 00:00:01 /usr/lib/jvm/java-21-openjdk-21.0.9.0.10-1.0.1.el8.x86_64/bin/java -cp /opt/nifi-2.7.2/conf:/opt/nifi-2.7.2/lib/bootstrap/* -Xmx48m -Dlogback.statusListenerClass=ch.qos.logback.core.status.NopStatusListener -Dorg.apache.nifi.bootstrap.config.log.dir=/opt/nifi-2.7.2/logs -Dorg.apache.nifi.bootstrap.config.file=/opt/nifi-2.7.2/conf/bootstrap.conf org.apache.nifi.bootstrap.BootstrapProcess start
root 32220 32196 42 15:53 pts/1 00:00:02 /usr/lib/jvm/java-21-openjdk-21.0.9.0.10-1.0.1.el8.x86_64/bin/java --class-path /opt/nifi-2.7.2/lib/nifi-server-api-2.7.2.jar:/opt/nifi-2.7.2/lib/nifi-api-2.5.0.jar:/opt/nifi-2.7.2/lib/slf4j-api-2.0.17.jar:/opt/nifi-2.7.2/lib/logback-core-1.5.22.jar:/opt/nifi-2.7.2/lib/jul-to-slf4j-2.0.17.jar:/opt/nifi-2.7.2/lib/nifi-per-process-group-logging-2.7.2.jar:/opt/nifi-2.7.2/lib/nifi-property-utils-2.7.2.jar:/opt/nifi-2.7.2/lib/logback-classic-1.5.22.jar:/opt/nifi-2.7.2/lib/log4j-over-slf4j-2.0.17.jar:/opt/nifi-2.7.2/lib/nifi-properties-2.7.2.jar:/opt/nifi-2.7.2/lib/jcl-over-slf4j-2.0.17.jar:/opt/nifi-2.7.2/lib/nifi-nar-utils-2.7.2.jar:/opt/nifi-2.7.2/lib/nifi-stateless-api-2.7.2.jar:/opt/nifi-2.7.2/lib/nifi-framework-api-2.7.2.jar:/opt/nifi-2.7.2/lib/nifi-python-framework-api-2.7.2.jar:/opt/nifi-2.7.2/lib/nifi-runtime-2.7.2.jar:/opt/nifi-2.7.2/conf -Dorg.apache.nifi.bootstrap.config.log.dir=/opt/nifi-2.7.2/logs -Dnifi.properties.file.path=/opt/nifi-2.7.2/conf/nifi.properties -Dorg.apache.nifi.management.server.address=127.0.0.1:52020 -Xms1g -Xmx1g -Dsun.net.http.allowRestrictedHeaders=true -Djava.protocol.handler.pkgs=sun.net.www.protocol -Dcurator-log-only-first-connection-issue-as-error-level=true -Djava.awt.headless=true -Djavax.security.auth.useSubjectCredsOnly=true org.apache.nifi.NiFi
root 32249 30550 0 15:53 pts/1 00:00:00 grep --color=auto nifi
Nifi started and failed in the next seconds
nifi-app.log:Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController' defined in class path resource [org/apache/nifi/framework/configuration/FlowControllerConfiguration.class]: Failed to instantiate [org.apache.nifi.controller.FlowController]: Factory method 'flowController' threw exception with message: Remote input HTTPS is enabled but nifi.web.https.port is not specified.
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
I am using http port 8080, not https. Besides NiFi starting and failing within 2 seconds, should I turn on the https port?
Any pointers would be appreciated
BN
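The mismatch behind the nifi-app.log message in the post above, as an added check that is not part of the original post and is not NiFi code. Assumptions: nifi.remote.input.secure and nifi.remote.input.http.enabled are the NiFi properties that turn on "remote input HTTPS"; the post does not show their values, so the ones below are constructed, as are the hostname nifi01.example.com and the function names.

```python
# Constructed sample. The web keys follow the post; the two nifi.remote.input.*
# values are assumed, because the posted excerpt does not show them.
POSTED = """\
nifi.remote.input.secure=true
nifi.remote.input.http.enabled=true
nifi.web.http.host=localhost
nifi.web.http.port=8080
#nifi.web.https.host=localhost
#nifi.web.https.port=8443
"""

# Same file switched to HTTPS: https keys uncommented, http keys emptied.
HTTPS_ONLY = """\
nifi.remote.input.secure=true
nifi.remote.input.http.enabled=true
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=nifi01.example.com
nifi.web.https.port=8443
"""

def parse_properties(text):
    """Parse key=value lines; a key commented out with '#' counts as unset."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    """A missing or empty key is treated as false (assumption)."""
    return props.get(key, "").lower() == "true"

def remote_input_problems(props):
    """Flag the mismatch named in the nifi-app.log message from the post."""
    problems = []
    secure_http = (is_true(props, "nifi.remote.input.secure")
                   and is_true(props, "nifi.remote.input.http.enabled"))
    if secure_http and not props.get("nifi.web.https.port"):
        problems.append("remote input HTTPS is on but nifi.web.https.port is unset")
    return problems
```

Run against the real conf/nifi.properties, an empty result means this particular startup failure is ruled out; it does not validate the rest of the file.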
Created 01-08-2026 12:55 PM
@PepeVo
Look at the output from the following Java keytool command:
keytool -v -list -keystore <nifi-keystore.p12/jks>
You'll want to verify the EKU, KeyUsage, and SubjectAlternativeName (SAN) fields in the output.
EKU must contain clientAuth and serverAuth
SAN must contain your server hostname and any other hostname your node may also be known as. One of these SAN names is what you must use in the browser URL.
Hostname verification in the TLS exchange between your browser and NiFi is done using the certificate SAN and not the Certificate DN.
You also can add the same IP address (127.0.0.1) to the /etc/hosts file multiple times. It will resolve to the first entry. If you want to assign additional names to 127.0.0.1, it needs to be done on the same line. But SNI is not going to allow you to use 127.0.0.1 in the browser URL.
You should set the "nifi.web.https.host" property in the nifi.properties file to one of the SAN values from your keystore and then use that name in your URL to access the NiFi UI.
On NiFi startup, you can also tail the nifi-app.log looking for the line that looks like this:
... [main] org.apache.nifi.web.server.JettyServer Started Server on https://<hostname>:8443/nifi
Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created 01-09-2026 06:35 AM
Thank you for instruction and I don't see any EKU, KeyUsage, and SubjectAlternativeName (SAN) fields in the output.
In the nifi-app.log I do see " g.apache.nifi.web.server.JettyServer Started Server on https://localhost:8443/nifi "
but I still can't open the UI using the host IP address or hostname; I get "secure connection failed". If I connect using localhost/127.0.0.1 I still get "400 Invalid SNI" (I heard the comment that SNI is not going to allow you to use 127.0.0.1 in the browser URL, but I am trying to see if I get the same error).
When I set the IP address (not localhost) on nifi.web.https.hosts and connect, I get the error "the proxy server is refusing connections". Do I need to set nifi.web.proxy.host to the IP address too?
Thank you for any help.
BN
Created 01-09-2026 06:58 AM
@PepeVo
"When I set the ip address (not localhost) on nifi.web.https.hosts and connect it with error "the proxy server is refusing connections". Do I need to set the nifi.web.proxy.host to ipaddress too?"
This is because the IP does not exist in a SAN in your certificate. The first step here is to create a proper clientAuth certificate that includes the SAN entries and EKUs.
Apache NiFi out-of-the-box would have created a properly formatted keystore certificate.
The CN value in the certificate is typically the hostname of the server it is being used on. I've seen multiple different value snippets in what has been shared by you.
That hostname you are trying to use in the NiFi URL must exist as a SAN entry in the certificate. (This is not a NiFi specific requirement, this is enforced by the JDK)
Thank you,
Matt
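The checks from Matt's two replies above (EKU contains clientAuth and serverAuth; the host used in the URL is a SAN entry), applied to the text that keytool -v -list prints, as an added example that is not part of the thread. The sample listings, hostnames and function names are constructed; the second sample covers a certificate with no extensions at all.

```python
import re

# Constructed sample of the extensions part of `keytool -v -list` output.
SAMPLE_GOOD = """\
Owner: CN=nifi01.example.com, OU=NIFI
Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi01.example.com
  DNSName: nifi01
  IPAddress: 10.0.0.5
]
"""

# Constructed sample of a certificate that carries no extensions.
SAMPLE_BARE = "Owner: CN=localhost\nIssuer: CN=localhost\n"

def extension_block(text, name):
    """Return the lines inside `name [ ... ]`, or None if the extension is absent."""
    m = re.search(r"^%s \[\s*\n(.*?)^\]" % re.escape(name), text, re.M | re.S)
    return None if m is None else [l.strip() for l in m.group(1).splitlines() if l.strip()]

def check_keystore_listing(text, https_host):
    """List what would block a browser from reaching https://<https_host>:8443/nifi."""
    problems = []
    eku = extension_block(text, "ExtendedKeyUsages")
    if eku is None:
        problems.append("no ExtendedKeyUsages extension")
    else:
        for usage in ("clientAuth", "serverAuth"):
            if usage not in eku:
                problems.append("EKU lacks " + usage)
    san = extension_block(text, "SubjectAlternativeName")
    if san is None:
        problems.append("no SubjectAlternativeName extension")
    else:
        names = {e.split(":", 1)[1].strip().lower() for e in san if ":" in e}
        if https_host.lower() not in names:
            problems.append("%s is not a SAN entry" % https_host)
    return problems
```

The SAN comparison is an exact, case-insensitive match; wildcard entries are not expanded.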
Created 01-09-2026 11:51 AM
I regenerated the keystore with the common server name. The NiFi UI works, but I thought I could find the username/password in the nifi-bootstrap.log.
I found the username and password encrypted in login-identity-providers.xml.
How can I decrypt them, or should I generate a new username/password, and how?
Thank you.
BN