Kafka General A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings
Question
I am trying to start Kafka in Docker with this docker-compose file on two different hosts:
version: "2"
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:5.5.7
    restart: unless-stopped
    container_name: zookeeper
    ports:
      - "2181:2181"
    environment:
      ZOOKEEPER_TICK_TIME: 2000
      ZOOKEEPER_CLIENT_PORT: 2181
  kafka:
    image: confluentinc/cp-kafka:5.5.7
    restart: unless-stopped
    container_name: kafka
    depends_on:
      - zookeeper
    ports:
      - "9092:9092"
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_LISTENERS: SSL://:9092
      KAFKA_ADVERTISED_LISTENERS: SSL://:9092
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: false
      KAFKA_DELETE_TOPIC_ENABLE: true
      # The cp-kafka image resolves *_FILENAME and *_CREDENTIALS relative to
      # /etc/kafka/secrets; each *_CREDENTIALS value is the name of a file
      # holding the password, not the password itself.
      KAFKA_SSL_KEYSTORE_FILENAME: broker.keystore.jks
      KAFKA_SSL_KEYSTORE_CREDENTIALS: pass
      KAFKA_SSL_KEY_CREDENTIALS: pass
      KAFKA_SSL_TRUSTSTORE_FILENAME: broker.truststore.jks
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: pass
      # "requested": a client may present a certificate; if it does, the
      # certificate must validate against the truststore.
      KAFKA_SSL_CLIENT_AUTH: requested
      KAFKA_SECURITY_PROTOCOL: SSL
      # A single space is how the Confluent image sets an empty value; this
      # turns off hostname verification, so the broker does not check that the
      # peer certificate matches the host it is talking to.
      KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: " "
      # Inter-broker traffic is also SSL, so the broker certificate is used as
      # a client certificate as well as a server certificate.
      KAFKA_SECURITY_INTER_BROKER_PROTOCOL: SSL
    volumes:
      - ./secrets:/etc/kafka/secrets
On one host everything is fine, but on the other I get this error:
"Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: General SSLEngine problem for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings."
I use different certificates. The only difference I can see is the signature algorithm: on the host where everything works it is SHA-512 with RSA, and on the host with the error it is SHA-384 with ECDSA, plus a different key size, 2048 bits vs 4096. But as far as I can find on Google, Kafka will work with both of them. And I have no possibility of changing the certificates; I need to find a solution with these certs.
What can be the cause of this error?
Answer 1
Score: 1
I found the solution. The problem was in the certificate I used: it didn't contain "Client Authentication" in the key usage field. I found this when I tried to run the latest version of Kafka, and that version gave me an error about the key usage field.
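The "Client Authentication" value the answer refers to is the Extended Key Usage (EKU) purpose clientAuth (OID 1.3.6.1.5.5.7.3.2). Java's default X509 trust manager accepts a peer certificate for TLS client authentication only if the certificate has no EKU extension at all, or its EKU includes clientAuth or anyExtendedKeyUsage. With security.inter.broker.protocol=SSL the broker presents its own keystore certificate as a client to other brokers, and Kafka's SslFactory checks this at startup by running an in-memory handshake between a client SSLEngine and a server SSLEngine built from the same configuration; a serverAuth-only certificate fails that handshake, which is exactly the message quoted in the question. The script below is an added example, not code from the question or the answer; it builds three constructed self-signed test certificates with openssl (assumed to be on PATH, version 1.1.1 or newer for -addext) and applies the trust manager's EKU rule to each, so you can run the same check against a PEM export of your own broker certificate before starting the broker.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decide whether a PEM certificate
# is acceptable as a TLS *client* certificate under the rule Java's default
# X509 trust manager applies. Assumes `openssl` is on PATH.

# Print the decoded EKU values of the certificate in $1, or nothing when the
# certificate carries no EKU extension. Returns 2 if openssl cannot parse it.
cert_eku() {
  local text
  text="$(openssl x509 -in "$1" -noout -text 2>/dev/null)" || return 2
  printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; print; exit }'
}

# Return 0 if the certificate in $1 may be used for TLS client authentication
# (no EKU at all, or EKU contains clientAuth / anyExtendedKeyUsage),
# 1 if its EKU forbids client use, 2 if the file could not be parsed.
cert_usable_for_client_auth() {
  local eku
  eku="$(cert_eku "$1")" || return 2
  [ -z "$eku" ] && return 0
  case "$eku" in
    *"TLS Web Client Authentication"*|*"Any Extended Key Usage"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed test data: a self-signed P-256 ECDSA certificate written to $1,
# with the EKU list in $2, or with no EKU extension when $2 is empty.
make_test_cert() {
  local out="$1" eku="$2"
  if [ -n "$eku" ]; then
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
      -keyout "${out%.pem}.key" -out "$out" -days 1 -subj "/CN=broker.test" \
      -addext "extendedKeyUsage=$eku" >/dev/null 2>&1
  else
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
      -keyout "${out%.pem}.key" -out "$out" -days 1 -subj "/CN=broker.test" \
      >/dev/null 2>&1
  fi
}

# Demo: the certificate from the question would behave like "server_only".
demo_dir="$(mktemp -d)"
make_test_cert "$demo_dir/server_only.pem" "serverAuth"
make_test_cert "$demo_dir/server_and_client.pem" "serverAuth,clientAuth"
make_test_cert "$demo_dir/no_eku.pem" ""
for c in server_only server_and_client no_eku; do
  if cert_usable_for_client_auth "$demo_dir/$c.pem"; then
    echo "$c: usable for inter-broker (client) authentication"
  else
    echo "$c: REJECTED as a client certificate (EKU:$(cert_eku "$demo_dir/$c.pem"))"
  fi
done
```

To check the certificate inside a JKS keystore such as broker.keystore.jks, export it first with `keytool -exportcert -rfc -alias <alias> -keystore broker.keystore.jks -storepass <password>` and pass the resulting PEM to cert_usable_for_client_auth; `keytool -list -v` on the keystore also prints the ExtendedKeyUsages block directly. A certificate that passes this check still needs a keyUsage that permits digitalSignature, and the issuing CA must be in broker.truststore.jks on every broker.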
Comments