请问kafka ssl 的Failed to load SSL keystore /usr/local/kafka2.3/server.keystore.jks of type JKS是为什么呀

ln 发表于: 2019-08-12   最后更新时间: 2019-08-12 18:06:48   12,111 游览

kafka2.11配置ssl,出现报错

ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /usr/local/kafka/server.keystore.jks of type JKS

我的config/server.properties配置如下

listeners=PLAINTEXT://192.168.8.132:9092,SSL://192.168.8.132:9093

ssl.client.auth=required

ssl.keystore.location=/usr/local/kafka/server.keystore.jks
ssl.keystore.password=luonan
ssl.key.password=luonan
ssl.truststore.location=/usr/local/kafka/server.truststore.jks
ssl.truststore.password=luonan

ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS

security.inter.broker.protocol = SSL

[root@localhost kafka2.3]# ll /usr/local/kafka/server.keystore.jks
-rw-r--r--. 1 root root 3199 Aug 12 00:14 /usr/local/kafka/server.keystore.jks

这些文件也是存在的,请问是什么原因呢

发表于 2019-08-12
ln
添加评论

先看看有没有权限,上面只是说失败的加载。
另外可参考:https://www.orchome.com/500

ln -> 半兽人 5年前

我这个不是配置Kerberos,是配置ssl。我把/usr/local/kafka/server.keystore.jks都设置成777了。也是不行啊

-rwxrwxrwx. 1 root root  3199 Aug 12 00:14 server.keystore.jks
-rwxrwxrwx. 1 root root   984 Aug 12 00:11 server.truststore.jks
-rwxrwxrwx. 1 root root   984 Aug 12 00:12 client.truststore.jks

还是报这个错误,Failed to load SSL keystore /usr/local/kafka/server.keystore.jks of type JKS
请问这个错误之前大神你有遇到过吗

半兽人 -> ln 5年前

你的JDK的加密限制替换了吗?
还有ssl.endpoint.identification.algorithm=HTTPS
https://www.orchome.com/1822

ln -> 半兽人 5年前

请问大神在执行密钥生成的最后一步时报这个错误

[root@localhost kafka]# keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
Enter keystore password:
keytool error: java.lang.Exception: Reply has no certificates

这个意思是已经签名的证书没有吗?是不是这个错误导致了“Failed to load SSL keystore”,如果是,请问这个问题怎么解决

加密限制已经替换,替换成 jce_policy-8
也已经导入jdk

[root@localhost UnlimitedJCEPolicyJDK8]# ls /usr/local/jdk/jre/lib/security/
blacklist blacklisted.certs cacerts java.policy java.security javaws.policy local_policy.jar policy README.txt trusted.libraries US_export_policy.jar

ln -> 半兽人 5年前
[root@localhost kafka]# openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
Signature ok
subject=/C=ln/ST=ln/L=ln/O=ln/OU=ln/CN=ln
Getting CA Private Key
unable to load CA Private Key
140107397314464:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
140107397314464:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
140107397314464:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
140107397314464:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

在签名证书的时候又这个报错,但是我见到“Signature ok”就没在意之后的错误,请问是不是这个错误导致

ln -> 半兽人 5年前

问题已经解决!是因为在

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234

的pass里我不是采用 test1234 来进行

keytool -keystore server.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey server.keystore.jks

的生成

这两个采用的是一样的密码才可以,多谢大神

ln -> 半兽人 5年前

但是又有一个新问题

[root@localhost bin]# ./kafka-console-producer.sh --broker-list 192.168.8.132:9093 --topic test --producer.config client-ssl.properties
>l
[2019-08-12 20:20:25,651] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:25,727] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:25,897] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:26,116] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:26,614] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:27,408] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:28,582] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:29,713] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:30,787] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
[2019-08-12 20:20:31,667] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
^Corg.apache.kafka.common.KafkaException: Producer closed while send in progress
    at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:862)
    at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:839)
    at kafka.tools.ConsoleProducer$.send(ConsoleProducer.scala:75)
    at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:57)
    at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: Requested metadata update after close
    at org.apache.kafka.clients.Metadata.awaitUpdate(Metadata.java:200)
    at org.apache.kafka.clients.producer.KafkaProducer.waitOnMetadata(KafkaProducer.java:982)
    at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:859)

我的client-ssl.properties 是这样写的

security.protocol=SSL
ssl.truststore.location=/usr/local/kafka/client.truststore.jks
ssl.truststore.password=123456
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.truststore.type = JKS
ssl.keystore.type = JKS
[root@localhost bin]# ll /usr/local/kafka/client.truststore.jks
-rw-r--r--. 1 root root 984 Aug 12 19:40 /usr/local/kafka/client.truststore.jks

这个client.truststore.jks也存在
请问为什么呢

半兽人 -> ln 5年前

凭证无效,导致认证失败了。
你每一步做完后,验证一下。

ln -> 半兽人 5年前
[root@localhost bin]# ./kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test1 --consumer.config client-ssl.properties
[2019-08-13 00:29:40,547] ERROR [Consumer clientId=consumer-1, groupId=console-consumer-43513] Connection to node -1 (localhost/127.0.0.1:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2019-08-13 00:29:40,549] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:447)
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:312)
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265)
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:129)
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
    at org.apache.kafka.common.network.Selector.poll(Selector.java:467)
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:535)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:265)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:236)
    at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:215)
    at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:231)
    at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:316)
    at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1214)
    at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1179)
    at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1164)
    at kafka.tools.ConsoleConsumer$ConsumerWrapper.receive(ConsoleConsumer.scala:436)
    at kafka.tools.ConsoleConsumer$.process(ConsoleConsumer.scala:104)
    at kafka.tools.ConsoleConsumer$.run(ConsoleConsumer.scala:76)
    at kafka.tools.ConsoleConsumer$.main(ConsoleConsumer.scala:54)
    at kafka.tools.ConsoleConsumer.main(ConsoleConsumer.scala)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:401)
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:483)
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:339)
    ... 18 more
Caused by: java.security.cert.CertificateException: No name matching localhost found
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)

请问No name matching localhost found 是为什么

半兽人 -> ln 5年前

localhost是你的机器名

半兽人 -> 半兽人 5年前

账号之间的关系,你一定要先理清楚额。

ZER0 -> 半兽人 5年前

你好,请问“凭证无效,导致认证失败了。
你每一步做完后,验证一下。”是什么意思?应该怎么验证啊。我遇到了与这个同样的错误,是拉取消息的时候报错的,但是前面kerberos认证已经通过了

tiiimo -> 半兽人 3年前

你好,有kafka ssl认证方式的kafka安装教程吗

你的答案

查看kafka相关的其他问题或提一个您自己的问题