Error when configuring SSL on kafka2.11
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /usr/local/kafka/server.keystore.jks of type JKS
My config/server.properties is configured as follows:
listeners=PLAINTEXT://192.168.8.132:9092,SSL://192.168.8.132:9093
ssl.client.auth=required
ssl.keystore.location=/usr/local/kafka/server.keystore.jks
ssl.keystore.password=luonan
ssl.key.password=luonan
ssl.truststore.location=/usr/local/kafka/server.truststore.jks
ssl.truststore.password=luonan
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS
security.inter.broker.protocol = SSL
[root@localhost kafka2.3]# ll /usr/local/kafka/server.keystore.jks
-rw-r--r--. 1 root root 3199 Aug 12 00:14 /usr/local/kafka/server.keystore.jks
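These files do exist. What could the cause be?
First check whether the permissions are in place; the message above only says that loading failed.
You can also refer to: https://www.orchome.com/500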
I'm not configuring Kerberos, I'm configuring SSL. I have set
/usr/local/kafka/server.keystore.jks
all to 777, and it still doesn't work:
-rwxrwxrwx. 1 root root 3199 Aug 12 00:14 server.keystore.jks
-rwxrwxrwx. 1 root root 984 Aug 12 00:11 server.truststore.jks
-rwxrwxrwx. 1 root root 984 Aug 12 00:12 client.truststore.jks
It still reports this error:
Failed to load SSL keystore /usr/local/kafka/server.keystore.jks of type JKS
Have you run into this error before?
Have you replaced your JDK's encryption restriction files?
Also, ssl.endpoint.identification.algorithm=HTTPS
https://www.orchome.com/1822
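I get this error when running the last step of the key generation.
Does this mean the signed certificate does not exist? Is this error what causes "Failed to load SSL keystore"? If so, how do I solve it?
The encryption restriction files have been replaced, with jce_policy-8,
and they have been imported into the JDK.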
[root@localhost kafka]# openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
Signature ok
subject=/C=ln/ST=ln/L=ln/O=ln/OU=ln/CN=ln
Getting CA Private Key
unable to load CA Private Key
140107397314464:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
140107397314464:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
140107397314464:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
140107397314464:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:
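This error appears when signing the certificate, but I saw "Signature ok" and did not pay attention to the errors after it. Is this error the cause?
Problem solved! It was because in the pass of … I had not used test1234 for the generation of …
These two have to use the same password for it to work. Thanks a lot!
But now there is a new problem: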
[root@localhost bin]# ./kafka-console-producer.sh --broker-list 192.168.8.132:9093 --topic test --producer.config client-ssl.properties
>l
[2019-08-12 20:20:25,651] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:25,727] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:25,897] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:26,116] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:26,614] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:27,408] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:28,582] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:29,713] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:30,787] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:31,667] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
^Corg.apache.kafka.common.KafkaException: Producer closed while send in progress
    at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:862)
    at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:839)
    at kafka.tools.ConsoleProducer$.send(ConsoleProducer.scala:75)
    at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:57)
    at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: Requested metadata update after close
    at org.apache.kafka.clients.Metadata.awaitUpdate(Metadata.java:200)
    at org.apache.kafka.clients.producer.KafkaProducer.waitOnMetadata(KafkaProducer.java:982)
    at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:859)
My client-ssl.properties looks like this:
security.protocol=SSL
ssl.truststore.location=/usr/local/kafka/client.truststore.jks
ssl.truststore.password=123456
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.truststore.type = JKS
ssl.keystore.type = JKS
[root@localhost bin]# ll /usr/local/kafka/client.truststore.jks
-rw-r--r--. 1 root root 984 Aug 12 19:40 /usr/local/kafka/client.truststore.jks
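This client.truststore.jks also exists.
Why is this happening?
The credentials are invalid, which caused authentication to fail.
Verify after you complete each step.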
[root@localhost bin]# ./kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test1 --consumer.config client-ssl.properties
[2019-08-13 00:29:40,547] ERROR [Consumer clientId=consumer-1, groupId=console-consumer-43513] Connection to node -1 (localhost/127.0.0.1:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2019-08-13 00:29:40,549] ERROR Error processing message, terminating consumer process: (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:447)
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:312)
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265)
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:129)
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
    at org.apache.kafka.common.network.Selector.poll(Selector.java:467)
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:535)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:265)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:236)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:215)
    at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:231)
    at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:316)
    at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1214)
    at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1179)
    at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1164)
    at kafka.tools.ConsoleConsumer$ConsumerWrapper.receive(ConsoleConsumer.scala:436)
    at kafka.tools.ConsoleConsumer$.process(ConsoleConsumer.scala:104)
    at kafka.tools.ConsoleConsumer$.run(ConsoleConsumer.scala:76)
    at kafka.tools.ConsoleConsumer$.main(ConsoleConsumer.scala:54)
    at kafka.tools.ConsoleConsumer.main(ConsoleConsumer.scala)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:401)
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:483)
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:339)
    ... 18 more
Caused by: java.security.cert.CertificateException: No name matching localhost found
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
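Why do I get "No name matching localhost found"?
localhost is your machine name.
You really need to sort out the relationships between the accounts first.
Hello, what does "The credentials are invalid, which caused authentication to fail.
Verify after you complete each step." mean? How should I verify? I ran into the same error; it is reported when pulling messages, but the Kerberos authentication before that had already passed.
Hello, is there a Kafka installation tutorial that uses Kafka's SSL authentication?
You can refer to: Kafka in Practice: SSL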
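One way to carry out the "verify after each step" advice for the signing step discussed in this thread, as an added example that is not part of the original posts. It uses only openssl; the function names, the CA_PASS value, the demo-ca subject and the temporary directory are constructed for the demo, while CN=ln, test1234 and the ca-key/ca-cert/cert-file/cert-signed file names are the ones quoted above.

```bash
#!/usr/bin/env bash
# Added example; every name, passphrase and path below is constructed.
CA_PASS='ca-demo-pass'   # passphrase chosen when the CA key was created

make_ca() {              # $1 = work dir
  openssl req -new -x509 -newkey rsa:2048 -days 365 -subj '/CN=demo-ca' \
    -keyout "$1/ca-key" -out "$1/ca-cert" -passout "pass:$CA_PASS" 2>/dev/null
}

make_csr() {             # $1 = work dir, $2 = certificate CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server-key" -out "$1/cert-file" 2>/dev/null
}

# Sign the CSR. Success requires exit status 0, a non-empty cert-signed,
# and a chain that verifies against the CA. "Signature ok" in the output
# only means the CSR's own signature checked out.
sign_csr() {             # $1 = work dir, $2 = passphrase given to -passin
  rm -f "$1/cert-signed"
  openssl x509 -req -CA "$1/ca-cert" -CAkey "$1/ca-key" -in "$1/cert-file" \
    -out "$1/cert-signed" -days 365 -CAcreateserial -passin "pass:$2" \
    >/dev/null 2>&1 || return 1
  [ -s "$1/cert-signed" ] || return 1
  openssl verify -CAfile "$1/ca-cert" "$1/cert-signed" >/dev/null 2>&1
}

# Does the signed certificate cover the host name a client connects to?
name_matches() {         # $1 = work dir, $2 = host name
  openssl x509 -in "$1/cert-signed" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match'
}

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" && make_csr "$d" ln || return 1
  sign_csr "$d" test1234 || echo "step failed: -passin does not open ca-key"
  sign_csr "$d" "$CA_PASS" && echo "signed and verified against ca-cert"
  name_matches "$d" localhost || echo "certificate (CN=ln) has no name localhost"
  rm -rf "$d"
}
demo
```

Only a cert-signed that passes sign_csr should be imported into server.keystore.jks, and name_matches should be run with the exact host name the client puts in --bootstrap-server.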