Kafka controller cannot connect to brokers

yhived7q posted on 2021-06-07 in Kafka

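I have a 3-node Kafka cluster (version 0.10.1.0). I followed the steps in the Kafka security documentation. Below is the relevant configuration of my Kafka servers.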

listeners=SSL://myhostname:9093
security.inter.broker.protocol=SSL
advertised.listeners=SSL://myhostname:9093

# In order to enable hostname verification
ssl.endpoint.identification.algorithm=HTTPS
ssl.client.auth=required

# certificate file locations
ssl.keystore.location=/location/server1.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/location/server.truststore.jks
ssl.truststore.password=changeit

# Supported TLS versions
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1

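I defined 3 different keystores for all the Kafka servers and signed them with the same CA. When I start the Kafka servers, the controller log keeps logging the following warnings.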

WARN [Controller-0-to-broker-2-send-thread], Controller 0's connection to broker host3:9093 (id: 2 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host3:9093 (id: 2 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
WARN [Controller-0-to-broker-0-send-thread], Controller 0's connection to broker host1:9093 (id: 0 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host1:9093 (id: 0 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
WARN [Controller-0-to-broker-1-send-thread], Controller 0's connection to broker host2:9093 (id: 1 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host2:9093 (id: 1 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)

In my opinion, this is more serious than a warning.
Do you know what the problem is?
Thanks in advance.

dohp0rv5 #1

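I found the problem; it was about how the certificates were created. See Confluent's documentation, which states:
Ensure that the common name (CN) matches exactly with the fully qualified domain name (FQDN) of the server. The client compares the CN with the DNS domain name to ensure that it is indeed connecting to the desired server, not a malicious one.
I regenerated the certificates and it worked!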
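Added example, not part of the original answer and not Kafka or Confluent code: a simplified model of the hostname check that `ssl.endpoint.identification.algorithm=HTTPS` enables, run against each broker's advertised host name. It goes slightly beyond the quoted text by also showing that dNSName subjectAltName entries, when present, take precedence over the CN (the RFC 2818 rule); the host names, CNs and the helpers `make_cert` and `audit` are assumptions made for illustration.

```python
# Added example: simplified model of the RFC 2818 hostname check enabled by
# ssl.endpoint.identification.algorithm=HTTPS. Certificates use the dict
# shape returned by Python's ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """Return (dNSName SANs, subject CNs) from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return sans, cns

def name_matches(pattern, host):
    """Case-insensitive compare; '*' is honoured only as the whole leftmost
    label (a simplification of what real TLS stacks accept)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h

def hostname_ok(cert, host):
    """dNSName SANs take precedence; the CN is used only if there are none."""
    sans, cns = cert_names(cert)
    return any(name_matches(n, host) for n in (sans or cns))

def audit(brokers):
    """brokers maps advertised host -> certificate. Returns rejected hosts."""
    return sorted(h for h, c in brokers.items() if not hostname_ok(c, h))

def make_cert(cn, *dns_sans):
    """Build a constructed certificate dict for the sample data below."""
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", d) for d in dns_sans)}

# Constructed sample data: host names and CNs are assumptions, not taken
# from the original post.
BEFORE = {
    "host1.example.com": make_cert("server1"),               # CN is an alias
    "host2.example.com": make_cert("host2"),                 # short name only
    "host3.example.com": make_cert("host3.example.com",      # CN matches, but
                                   "kafka3.example.com"),    # SAN wins
}
AFTER = {h: make_cert(h) for h in BEFORE}                    # CN == FQDN

if __name__ == "__main__":
    print("rejected before:", audit(BEFORE))
    print("rejected after: ", audit(AFTER))
```

Because inter-broker traffic uses the same SSL listener, every broker acts as a TLS client toward the others, so a certificate that fails this check on one node produces the controller warnings shown in the question.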
