Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Why won't HandleHTTPRequest bind to a secure (SSL) port?

Labels:
avatar
author-rank jrittenh
Explorer

Created ‎06-09-2017 10:00 PM

I have HandleHTTPRequest running without encryption on port 80. This works fine.

I would like another HandleHTTPRequest running on 443, using my signed certificate. I have verified to the best of my ability that the certificate store is valid, and the SSLContextService is happy to start with it. Additionally, the NiFi interface is being served over HTTPS on port 8443 without issue.

When I try to start the processor, it "starts" with repeated errors every few seconds starting that it failed to start. Looking in the log, it says the port is in use. A NetStat shows the NiFi process as the one listening on 443.

Things checked/tried:

* port is not in use before starting NiFi processor

* ports other than 443 also fail

* disabling secure web interface doesn't have an impact

* fresh instance booted from 1.3.0 Docker image has no impact

* context service won't start if known invalid data is entered (it's able to read the certificate store when given correct password and starts without issue).

What would cause it to open a listener on a port and then immediately fail to bind the processor to that port? Is there anything I'm missing?

3,021 Views
0 Kudos
6 REPLIES 6

avatar
author-rank aanghel author-rank
Super Collaborator

Created ‎06-12-2017 01:57 PM

@Justin R.

This sounds odd. In Linux, non-root users cannot listen on ports bellow 1024, so are you running NiFi as root? That wouldn't be advisable.

What is the complete stacktrace of the error? Maybe there is another nifi processor listening?

2,547 Views
0 Kudos

avatar
author-rank jrittenh
Explorer

Created ‎06-12-2017 02:31 PM

Yes, running as root, mainly to troubleshoot this issue. This is just our pre-production environment, it's not publicly accessible, we have a configuration backup in place, and it's a VM that can be tossed, so we're not terribly worried about it. We've tried high ports (4430, 4043, 44300, 44003...) as both a user and as root, but neither works. I failed to grab the stack trace last week, and we got a working solution in place using an nginx server functioning as a proxy, but I may go down the route of recreating it to see if we can't figure out why it's doing what it's doing.

2,547 Views
0 Kudos

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎06-12-2017 02:12 PM

@Justin R.

Is this a NiFi cluster installation with multiple nodes running on the same host?

If that is the case, which ever node manages to bind to the port first wins, all other nodes on same host will report that port is already in use.

Matt

2,547 Views
0 Kudos

avatar
author-rank jrittenh
Explorer

Created ‎06-12-2017 02:59 PM

Not a cluster, it's a single node on a single VM. It's definitely the only NiFi process on the machine and that process is "bound" to the port, even if Java is convinced otherwise.

2,547 Views
0 Kudos

avatar
author-rank Sivan_sasidhara
New Contributor

Created ‎12-21-2017 12:51 PM

Hi @Justin R., where you able to resolve this ?

2,547 Views
0 Kudos

avatar
author-rank jlvila
Explorer

Created ‎03-01-2018 08:16 PM

I had the same problem because I would like to reuse keystore created to securized Nifi UI and because of the usage dedicated to Nifi (TLS including client authentication), it can't be simply use to activate TLS.

Symptom: java.net.BindException: Address already in use: bind

Clue: If you search for the the first exception, in my case, it was "java.security.UnrecoverableKeyException: Cannot recover key"

So I guess, the server can't get the key even if SSLContext starts correctly and, as the server starts anormally, Nifi tries to restart and then a Bind exception raises.

I just regenerated a very classic jks store for server authentication usage using keytool -genkey ... and all went like a charm ...

Hope that help

Jean-Louis

,

I had the same problem because I would like to reuse keystore created to securized Nifi UI and because of the usage dedicated to Nifi (TLS including client authentication), it can't be simply use to activate TLS.

Symptom: java.net.BindException: Address already in use: bind

Clue: If you search for the the first exception, in my case, it was "java.security.UnrecoverableKeyException: Cannot recover key"

So I guess, the server can't get the key even if SSLContext start correctly !!

I just regenerated a very classic jks store for server authentication usage using keytool -genkey ... and all went like a charm ...

Hope that help

2,547 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements