Posted to users@kafka.apache.org by "Milakovic, Srdjan" <sm...@plex.com> on 2019/03/25 18:40:40 UTC

Kafka SSL setup - producer timing out

I am trying to set up a three node Kafka v1.1 cluster with SSL. I can consume messages via the SSL port but I cannot produce. The command is timing out after 60 seconds with the following error message:

ERROR Error when sending message to topic myTopic with key: null, value: 5 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TimeoutException: Failed to update metadata after 60000 ms.

I am using the kafka-console-producer.sh and kafka-console-consumer.sh scripts on one of the broker nodes in order to do my testing. Both consumer and producer are using the same properties file (client-ssl-auth.properties) which looks like this:

security.protocol=SSL
ssl.truststore.location=/home/sshuser/ssl/kafka.server.truststore.jks
ssl.truststore.password=dummy_password
ssl.keystore.location=/home/sshuser/ssl/kafka.server.keystore.jks
ssl.keystore.password=dummy_password
ssl.key.password=dummy_password

This is how the consumer command looks:

./kafka-console-consumer.sh --bootstrap-server 10.0.0.36:9093 --topic myTopic --from-beginning --consumer.config client-ssl-auth.properties

This is how the producer command looks:

./kafka-console-producer.sh --broker-list 10.0.0.36:9093 --topic myTopic --producer.config client-ssl-auth.properties

I can verify the functionality of the consumer because I can consume messages that are produced over the non-encrypted port.

The advertised.listeners configuration is set to the broker IP instead of the broker FQDN like so:

advertised.listeners=PLAINTEXT://10.0.0.36:9092,SSL://10.0.0.36:9093

There are no SSL handshake errors in the server.log. This is what I was able to find in the server.log file on one of the nodes:

[2019-03-25 14:55:25,428] WARN [GroupCoordinator 1003]: Failed to write empty metadata for group console-consumer-21670: The group is rebalancing, so a rejoin is needed...

The commands behave the same regardless of which node I execute them on and regardless of the broker IP I use.

I can produce and consume messages on that topic via non-encrypted ports without issues.

Any help will be appreciated.

Thank you.