About the "SSL handshake failed Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem" error after starting Kafka with SSL

zzz posted on: 2018-11-06   last updated: 2023-03-02 14:52:55   16,793 views
[2018-11-06 13:57:47,642] ERROR [Consumer clientId=consumer-1, groupId=console-consumer-41935] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2018-11-06 13:57:47,646] ERROR Authentication failed: terminating consumer process (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:439)
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:304)
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:258)
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:125)
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:487)
    at org.apache.kafka.common.network.Selector.poll(Selector.java:425)
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:510)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:271)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:242)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:218)
    at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:230)
    at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:314)
    at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1218)
    at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1181)
    at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1115)
    at kafka.tools.ConsoleConsumer$ConsumerWrapper.<init>(ConsoleConsumer.scala:387)
    at kafka.tools.ConsoleConsumer$.run(ConsoleConsumer.scala:71)
    at kafka.tools.ConsoleConsumer$.main(ConsoleConsumer.scala:53)
    at kafka.tools.ConsoleConsumer.main(ConsoleConsumer.scala)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:393)
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:473)
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:331)
    ... 17 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 26 more

This error usually occurs in an SSL/TLS connection when the SSL/TLS server uses a certificate that does not contain the correct hostname. It means the SSL/TLS client cannot verify the SSL/TLS server's identity, because no Subject Alternative Name (SAN) or wildcard name matching the hostname was provided. The fix is to include the correct SAN or wildcard name in the SSL/TLS server's certificate, so that the SSL/TLS client can validate the certificate and establish a secure connection with the server.

It looks like your broker certificate is missing the Subject Alternative Name (SAN) (for example /var/private/ssl/kafka.server.truststore.jks).

Add the parameter -ext SAN=DNS:{FQDN} to the keytool command:

keytool \
    -keystore kafka.server.keystore.jks \
    -alias localhost \
    -validity {validity} \
    -genkey \
    -keyalg RSA \
    -ext SAN=DNS:{FQDN}

When creating the server keystore, make sure to include the SAN:

If hostname verification is enabled, the client will verify the server's fully qualified domain name (FQDN) against one of the following two fields:

  1. Common Name (CN)
  2. Subject Alternative Name (SAN)

Both fields are valid, but RFC 2818 recommends using the SAN. The SAN is also more flexible, since it allows multiple DNS entries to be declared. Another benefit is that the CN can then be set to a more meaningful value for authorization purposes.

Alternatively, you can choose to disable server hostname verification:

Disable server hostname verification by setting ssl.endpoint.identification.algorithm to an empty string.

So you only need to set the following in server.properties and then restart the Kafka cluster:

ssl.endpoint.identification.algorithm=

Reference: https://www.orchome.com/171

Note that including the "SAN" only when generating the key pair is not enough.

keytool \
    -keystore kafka.server.keystore.jks \
    -alias {alias} \
    -validity {validity} \
    -genkey \
    -keyalg RSA \
    -ext SAN=DNS:{FQDN}

The "SAN" also needs to be included when creating the certificate signing request.

keytool \
    -keystore kafka.server.keystore.jks \
    -alias {alias} \
    -certreq -ext SAN=DNS:{FQDN} \
    -file {csr_filename}

You can verify the created certificate signing request; it should carry the relevant "SAN".

keytool \
    -v -printcertreq -file {csr_filename}

Finally, if you use openssl's x509 command to fulfil the certificate signing request, take special care to explicitly include the x509 version 3 extensions. The "SAN" is such an extension, and unless it is explicitly included it will not make it into the final issued certificate.
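The signing caveat above, as an added example that is not part of the original answer: it uses openssl alone (an openssl CSR in place of the keytool -certreq step) to show that a SAN present in the CSR is dropped from the issued certificate unless the signer passes the v3 extension explicitly, and checks the result. The FQDN, IP and CA name are assumptions; the IP entry is included because the matchIP frame in the trace above means the client connected by IP address.

```shell
#!/bin/sh
# Added example, not code from the original answer or from Kafka.
set -eu

FQDN="kafka1.example.internal"   # assumed broker FQDN
BROKER_IP="10.0.0.11"            # assumed; a client dialling an IP needs an IP: SAN
WORK="$(mktemp -d)"

# Extension file handed to the signer: this is the "x509 v3 extension" that
# must be included explicitly, otherwise the SAN never reaches the certificate.
printf 'subjectAltName = DNS:%s, IP:%s\n' "$FQDN" "$BROKER_IP" > "$WORK/san.cnf"

# Throwaway CA (constructed for the demo only).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Kafka CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Broker key and CSR that already carries the SAN (the keytool -certreq -ext step).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
  -addext "subjectAltName=DNS:$FQDN,IP:$BROKER_IP" \
  -keyout "$WORK/broker.key" -out "$WORK/broker.csr" 2>/dev/null

# Signing WITHOUT -extfile: the CSR's SAN is silently dropped (the failure on this page).
openssl x509 -req -in "$WORK/broker.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/broker-nosan.crt" 2>/dev/null

# Signing WITH -extfile: the SAN lands in the issued certificate.
openssl x509 -req -in "$WORK/broker.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/san.cnf" \
  -out "$WORK/broker-san.crt" 2>/dev/null

# cert_has_san CERT ENTRY: exit 0 if ENTRY (e.g. "DNS:host" or "IP Address:1.2.3.4")
# appears in the certificate's Subject Alternative Name extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# What the check reports when run by hand.
for crt in broker-nosan.crt broker-san.crt; do
  if cert_has_san "$WORK/$crt" "DNS:$FQDN"; then
    echo "$crt: SAN present -> hostname verification can succeed"
  else
    echo "$crt: SAN missing  -> 'No subject alternative names present'"
  fi
done
```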

This is the consumer's error log; the producer's error is the same as this one.

半兽人 -> zzz, 6 years ago

No subject alternative names present
That's your error; google it, there are plenty of results.

Has this problem been solved?

How was this problem solved? Configuring Kafka with SSL, I get the same error.
