[2018-11-06 13:57:47,642] ERROR [Consumer clientId=consumer-1, groupId=console-consumer-41935] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2018-11-06 13:57:47,646] ERROR Authentication failed: terminating consumer process (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:439)
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:304)
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:258)
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:125)
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:487)
at org.apache.kafka.common.network.Selector.poll(Selector.java:425)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:510)
at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:271)
at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:242)
at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:218)
at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:230)
at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:314)
at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1218)
at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1181)
at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1115)
at kafka.tools.ConsoleConsumer$ConsumerWrapper.<init>(ConsoleConsumer.scala:387)
at kafka.tools.ConsoleConsumer$.run(ConsoleConsumer.scala:71)
at kafka.tools.ConsoleConsumer$.main(ConsoleConsumer.scala:53)
at kafka.tools.ConsoleConsumer.main(ConsoleConsumer.scala)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:393)
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:473)
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:331)
... 17 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 26 more
This error usually occurs in SSL/TLS connections when the SSL/TLS server uses a certificate that does not contain the correct hostname. It means the SSL/TLS client cannot verify the identity of the SSL/TLS server, because no Subject Alternative Name (SAN) or wildcard name matching the hostname was provided. The fix is to include the correct SAN or wildcard name in the SSL/TLS server's certificate, so that the SSL/TLS client can validate the certificate and establish a secure connection with the server.
It looks like your brokers' certificate is missing the Subject Alternative Name (SAN) (e.g. /var/private/ssl/kafka.server.truststore.jks).
Please add the following parameter to the keytool command:
-ext SAN=DNS:{FQDN}
When creating the server keystore, make sure to include the SAN:
keytool \
  -keystore kafka.server.keystore.jks \
  -alias localhost \
  -validity {validity} \
  -genkey \
  -keyalg RSA \
  -ext SAN=DNS:{FQDN}
If hostname verification is enabled, the client will verify the server's fully qualified domain name (FQDN) against one of the following two fields:
Both fields are valid, but RFC-2818 recommends using the SAN. The SAN is also more flexible and allows multiple DNS entries to be declared. Another benefit is that the CN can then be set to a more meaningful value for authorization purposes.
Alternatively, you can disable server hostname verification:
Disable server hostname verification by setting ssl.endpoint.identification.algorithm to an empty string. So you only need to set the following configuration in server.properties and then restart the Kafka cluster:
Reference: https://www.orchome.com/171
Note that including the "SAN" only when generating the key pair is not enough.
keytool \
  -keystore kafka.server.keystore.jks \
  -alias {alias} \
  -validity {validity} \
  -genkey \
  -keyalg RSA \
  -ext SAN=DNS:{FQDN}
The "SAN" also needs to be included when creating the certificate signing request.
keytool \
  -keystore kafka.server.keystore.jks \
  -alias {alias} \
  -certreq \
  -ext SAN=DNS:{FQDN} \
  -file {csr_filename}
You can verify the generated certificate signing request; it should contain the relevant "SAN".
Finally, if you use openssl's x509 command to fulfil the certificate signing request, take special care to explicitly include the x509 version 3 extensions. The "SAN" is such an extension, and unless it is explicitly included it will not make it into the final issued certificate.
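As an added example (not code from the original post or from Kafka), the procedure above end to end: key pair and CSR with the SAN via keytool, signing with openssl x509 with and without the v3 extension file, and a check that the issued certificate actually contains the DNS SAN. Assumptions: keytool (JDK) and openssl are on PATH; the hostname kafka1.example.internal, the password and the throwaway CA are constructed values. Note that the trace above fails in HostnameChecker.matchIP, so that client connected by IP address, and for that case the SAN must also carry an IP entry.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the keytool + openssl flow from the answer
# above, plus a check that the SAN survived into the issued certificate. All values constructed.
set -e
FQDN=${FQDN:-kafka1.example.internal}      # constructed broker hostname
SAN="DNS:$FQDN"                            # append ,IP:a.b.c.d if clients connect by IP
PASS=changeit                              # constructed keystore password
# Throwaway self-signed CA used only to sign the broker CSR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}
# Steps 1 and 2 of the answer: both the key pair and the CSR carry -ext SAN=...
make_broker_csr() {
  keytool -keystore "$WORK/kafka.server.keystore.jks" -alias localhost -validity 365 \
    -genkeypair -keyalg RSA -dname "CN=$FQDN" -storepass "$PASS" -keypass "$PASS" \
    -ext "SAN=$SAN"
  keytool -keystore "$WORK/kafka.server.keystore.jks" -alias localhost \
    -storepass "$PASS" -keypass "$PASS" -certreq -ext "SAN=$SAN" -file "$WORK/broker.csr"
}
# Step 3: openssl x509 -req drops the CSR's extensions unless they are supplied again
# via -extfile. $1 = output cert, $2 = yes|no (include the v3 extensions).
sign_csr() {
  if [ "$2" = yes ]; then
    printf 'subjectAltName=%s\n' "$SAN" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/broker.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$1"
  else
    openssl x509 -req -in "$WORK/broker.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -out "$1"
  fi
}

# Returns 0 if the cert lists the FQDN as a DNS SAN (what the Java client checks when
# ssl.endpoint.identification.algorithm=https), else 1. No pipeline, so no pipefail surprise.
cert_has_san() {
  local text
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in *"DNS:$FQDN"*) return 0 ;; *) return 1 ;; esac
}

# Runs the whole flow in a fresh directory and shows the pitfall side by side.
demo() {
  WORK=$(mktemp -d); make_ca; make_broker_csr
  sign_csr "$WORK/with-ext.crt" yes; sign_csr "$WORK/without-ext.crt" no
  for c in with-ext without-ext; do
    cert_has_san "$WORK/$c.crt" && echo "$c.crt: SAN present" || echo "$c.crt: SAN missing"
  done
}
```

Call demo to run the flow; afterwards the CA certificate and the signed broker certificate still have to be imported back into the keystore with keytool -importcert, which is the step after this one.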
This is the consumer's error log; the producer error is the same.
No subject alternative names present
It's your error, just google it, there are lots of results.
Has this problem been solved?
How was this problem solved? Kafka configured with SSL, same error.