Kafka General A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings

Question

I am trying to start Kafka in Docker with this docker compose file on two different hosts:

version: "2"
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:5.5.7
    restart: unless-stopped
    container_name: zookeeper
    ports:
        - "2181:2181"
    environment: 
        ZOOKEEPER_TICK_TIME: 2000
        ZOOKEEPER_CLIENT_PORT: 2181
  kafka:
    image: confluentinc/cp-kafka:5.5.7
    restart: unless-stopped
    container_name: kafka
    depends_on:
        - zookeeper
    ports:
        - "9092:9092"
    environment:
        KAFKA_BROKER_ID: 1
        KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
        KAFKA_LISTENERS: SSL://:9092
        KAFKA_ADVERTISED_LISTENERS: SSL://:9092
        KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
        KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
        KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
        KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
        KAFKA_AUTO_CREATE_TOPICS_ENABLE: false
        KAFKA_DELETE_TOPIC_ENABLE: true
        KAFKA_SSL_KEYSTORE_FILENAME: broker.keystore.jks
        KAFKA_SSL_KEYSTORE_CREDENTIALS: pass
        KAFKA_SSL_KEY_CREDENTIALS: pass
        KAFKA_SSL_TRUSTSTORE_FILENAME: broker.truststore.jks
        KAFKA_SSL_TRUSTSTORE_CREDENTIALS: pass
        KAFKA_SSL_CLIENT_AUTH: requested
        KAFKA_SECURITY_PROTOCOL: SSL
        KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
        KAFKA_SECURITY_INTER_BROKER_PROTOCOL: SSL
    volumes:
        - ./secrets:/etc/kafka/secrets

On one host everything is fine, but on another I get an error:

"Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: General SSLEngine problem for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings."

I use different certificates. The only difference, as I see it, is a different signature algorithm - on the host where everything is good, it's SHA-512 with RSA, and where I have an error, it's SHA-384 with ECDSA - and a different key size - 2048 bits vs 4096. But as I found on Google, Kafka will work with both of them. And I don't have the possibility to change the certificates - I need to find a solution with these certs.

What can be the cause of this error?

Answer 1

Score: 1

I found the solution. The problem was in the certificate that I used - its key usage field didn't contain "Client Authentication". I found it when I tried to run the latest version of Kafka, and this version gave me an error about the key usage field.
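
The check the answer describes, as an added example that is not part of the original post: it asks OpenSSL whether a certificate is accepted as both TLS server and TLS client, using two constructed self-signed ECDSA certificates. The function names, file names and the CN are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and the CN are constructed.

# role_allowed CERT.pem client|server
# True when OpenSSL's purpose check accepts the certificate for that TLS role.
role_allowed() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null |
        grep -q "^SSL $2 : Yes"
}

# self_handshake_ok CERT.pem
# The error on this page comes from a client SSLEngine and a server SSLEngine
# built from the same settings, so the certificate has to pass in both roles.
self_handshake_ok() {
    for role in server client; do
        role_allowed "$1" "$role" || { echo "rejected as TLS $role"; return 1; }
    done
    echo "usable as TLS server and client"
}

# make_cert OUT.pem EKU_LIST
# Constructed self-signed ECDSA P-384 / SHA-384 test certificate.
make_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -sha384 \
        -nodes -days 1 -subj "/CN=broker.example" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: one certificate limited to serverAuth, one with both usages.
tmp=$(mktemp -d)
make_cert "$tmp/server-only.pem" serverAuth
make_cert "$tmp/both.pem" serverAuth,clientAuth
for c in server-only both; do
    printf '%s: ' "$c"
    self_handshake_ok "$tmp/$c.pem"
done
rm -rf "$tmp"
```

To test a real keystore, export the broker certificate to PEM first (for example with `keytool -exportcert -rfc`) and pass that file to `self_handshake_ok`.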

huangapple
  • Published on April 10, 2023, 23:09:11
  • When reposting, be sure to keep this link: https://go.coder-hub.com/75978269.html