Posted to users@kafka.apache.org by Giuseppe Ricci Sysman <ri...@sys-man.it> on 2021/11/21 14:12:32 UTC
SSL handshake failed
Hi,
I configured my Kafka installation (on a remote Ubuntu server with only 1
broker) with SSL (I generated all the certificates needed), but when I try to
verify that it is OK with the command:
openssl s_client -debug -connect localhost:9093 -tls1
I have this reply:
CONNECTED(00000003)
write to 0x55e48b840750 [0x55e48b8512d0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 50 ......P
139631163029312:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x55e48b840750 [0x55e48b834fe0] (8192 bytes => 0 (0x0))
and I suppose it is not ok.
If I try to create a topic with:
./bin/kafka-topics.sh --create --bootstrap-server localhost:9094 --command-config /home/kafka/kafka2_13_3/config/ssl-user-config.properties --replication-factor 1 --partitions 1 --topic demo-topic
I receive the error:
[2021-11-21 13:49:55,854] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (localhost/127.0.0.1:9094) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-11-21 13:49:55,855] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:146)
        at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
        at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:557)
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:509)
        at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368)
        at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:551)
        at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1389)
        at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1320)
        at java.base/java.lang.Thread.run(Thread.java:829)
Error while executing topic command : SSL handshake failed
Something went wrong?
This is my server.properties (SSL configs):
listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093,SASL_SSL://localhost:9094
ssl.keystore.location=/home/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=secret
ssl.key.password=secret
ssl.truststore.location=/home/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password= secret
advertised.listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093,SASL_SSL://localhost:9094
zookeeper.connect=localhost:2181
#security.inter.broker.protocol=SSL
#ssl.client.auth=required
#sasl.enabled.mechanisms=PLAIN
########### SECURITY using SCRAM-SHA-512 and SSL ###################
ssl.endpoint.identification.algorithm=https://localhost
ssl.client.auth=none
sasl.enabled.mechanisms=PLAIN
client.properties:
listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093,SASL_SSL://localhost:9094
#listeners=PLAINTEXT://:9092,SSL://:9093,SASL_SSL://:9094
ssl.keystore.location=/home/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=secret
ssl.key.password=giuseppe
ssl.truststore.location=/home/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=secret
advertised.listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093,SASL_SSL://localhost:9094
#advertised.listeners=PLAINTEXT://:9092,SSL://:9093,SASL_SSL://:9094
zookeeper.connect=localhost:2181
#security.inter.broker.protocol=SSL
#ssl.client.auth=required
#sasl.enabled.mechanisms=PLAIN
########### SECURITY using SCRAM-SHA-512 and SSL ###################
#security.inter.broker.protocol=SASL_SSL
ssl.endpoint.identification.algorithm=https://localhost
ssl.client.auth=required
#sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.enabled.mechanisms=PLAIN
kafka_server_jaas
kafka@kafka2:~/kafka2_13_3/config$ vi server.properties
kafka@kafka2:~/kafka2_13_3/config$ vi kafka_server_jaas.conf
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="secret"
user_giuseppe="giuseppe"
user_client="client";
};
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="giuseppe"
password="secret";
};
zookeeper_server_jaas
Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_super="giuseppe"
user_giuseppe="giuseppe";
};
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="giuseppe"
password="secret";
};
Any help is appreciated.
Best regards.
Giuseppe
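
Added example (not part of the original post, and not OpenSSL, JDK or Kafka code): a small Python decoder for the 5-byte TLS record header, applied to the 7 bytes that s_client reports writing above ("15 03 01 00 02 02 50") and to a constructed non-TLS reply. The same kind of header check separates a TLS peer from a plaintext one, which is the condition the "Unrecognized SSL message, plaintext connection?" exception reports; the names parse_tls_record, PAGE_RECORD and PLAINTEXT_REPLY are assumptions made for this example.

```python
# Added example: decode TLS record headers like the one in the s_client -debug dump.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Record-layer versions seen on the wire (TLS 1.3 reuses 0x0301/0x0303 here).
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined in RFC 5246 / RFC 8446.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}
MAX_RECORD_LEN = 2**14 + 2048  # largest record body TLS 1.2 allows

# The 7 bytes s_client reported writing in the post: "15 03 01 00 02 02 50".
PAGE_RECORD = bytes.fromhex("15030100020250")
# Constructed sample: what a non-TLS service might send back.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\n"


def parse_tls_record(data: bytes) -> dict:
    """Classify the first bytes read from (or written to) a socket."""
    if len(data) < 5:
        return {"tls": False, "reason": "shorter than a 5-byte record header"}
    ctype, version = data[0], (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    if (ctype not in CONTENT_TYPES or version not in VERSIONS
            or length > MAX_RECORD_LEN):
        return {"tls": False, "reason": "not a TLS record header (plaintext peer?)"}
    record = {"tls": True, "content_type": CONTENT_TYPES[ctype],
              "version": VERSIONS[version], "length": length}
    body = data[5:5 + length]
    if ctype == 21 and len(body) == 2:  # unencrypted alert: level + description
        record["alert_level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
        record["alert_description"] = ALERT_DESCRIPTIONS.get(
            body[1], f"unknown({body[1]})")
    return record


if __name__ == "__main__":
    print(parse_tls_record(PAGE_RECORD))
    print(parse_tls_record(PLAINTEXT_REPLY))
```

The bytes from the post decode as a fatal internal_error alert in a TLS 1.0 record written by the client, with 0 bytes read back, so that s_client run ended on the client side before any ClientHello reached the broker and its "Verification: OK" line says nothing about the broker's certificate.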