After several Google searches and unsuccessful fix attempts, I'm desperately posting here. I'm new to Kafka and am trying to set up an SSL-enabled Kafka.
To provide a reproducible scenario, I created the truststore/keystore with the following script: https://github.com/bitnami/containers/issues/44218#issuecomment-1677577552
I then converted the 2 stores to PKCS12 format (still getting the same error as with the JKS type).
My kafka-topics command:
kafka-topics.sh --bootstrap-server "kafka:9092" --command-config=kafka-ssl.properties --list
My kafka-ssl.properties file:
security.protocol=SSL
ssl.truststore.type=PKCS12
ssl.truststore.location=kafka.keystore.p12
ssl.truststore.password=a1234141aadfafwg
enable.ssl.certificate.verification=false
ssl.endpoint.identification.algorithm=
From the kafka-topics.sh debug log, I believe these lines point to the problem:
javax.net.ssl|DEBUG|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.896 EEST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.906 EEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.908 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.908 EEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.909 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.910 EEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.913 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.914 EEST|X509Authentication.java:249|No X.509 cert selected for EdDSA
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.915 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: ed25519
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.916 EEST|X509Authentication.java:249|No X.509 cert selected for EdDSA
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.917 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: ed448
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.918 EEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.919 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha256
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.920 EEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.921 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha384
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.922 EEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.923 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha512
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.924 EEST|X509Authentication.java:249|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.924 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_pss_sha256
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.925 EEST|X509Authentication.java:249|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.926 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_pss_sha384
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.936 EEST|X509Authentication.java:249|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.938 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_pss_sha512
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.938 EEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.939 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.940 EEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.941 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.943 EEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.944 EEST|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|WARNING|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.945 EEST|CertificateMessage.java:1094|No available authentication scheme
javax.net.ssl|DEBUG|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.946 EEST|CertificateMessage.java:1106|No available client authentication scheme
javax.net.ssl|DEBUG|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.947 EEST|CertificateMessage.java:1140|Produced client Certificate message (
"Certificate": {
"certificate_request_context": "",
"certificate_list": [
]
}
)
javax.net.ssl|DEBUG|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.952 EEST|CertificateVerify.java:1093|No X.509 credentials negotiated for CertificateVerify
javax.net.ssl|DEBUG|E0|kafka-admin-client-thread | adminclient-1|2023-10-17 13:20:45.956 EEST|Finished.java:687|Produced client Finished handshake message (
"Finished": {
"verify data": {
0000: 2A C0 7A 3E B1 71 45 CD 75 EC 87 4B FE 4D E8 FC *.z>.qE.u..K.M..
0010: 5F F2 2C CD DE 71 2C F9 40 45 18 39 BC ED 96 C5 _.,..q,[email protected]....
0020: 23 7D 99 EA 0B FD 4E 36 8B BA C5 08 90 97 F8 34 #.....N6.......4
}'}
)
On the Kafka server it just says Empty client certificate chain:
[2023-10-17 13:20:45,993] DEBUG [SslTransportLayer channelId=192.168.4.121:9092-192.168.4.121:54490-0 key=channel=java.nio.channels.SocketChannel[connected local=/192.168.4.121:9092 remote=/192.168.4.121:54490], selector=sun.nio.ch.EPollSelectorImpl@6f6cd427, interestOps=1, readyOps=0] SSL Handshake failed (org.apache.kafka.common.network.SslTransportLayer)
javax.net.ssl.SSLHandshakeException: Empty client certificate chain
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
....
....
....
[2023-10-17 13:20:46,012] INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /192.168.4.121 (channelId=192.168.4.121:9092-192.168.4.121:54490-0) (SSL handshake failed) (org.apache.kafka.common.network.Selector)
Any help is welcome.
2 Answers
uqxowvwt1#
It looks like you have configured the broker for mutual SSL, while the client isn't sending any certificate to authenticate itself.
This link may provide additional info on how to set up mTLS between the producer client and the Kafka broker
cnwbcb6i2#
The reason was that my kafka-ssl.properties did not include the keystore configuration (via the ssl.keystore.xxx variables): the correct client-ssl.properties example from the mTLS configuration at https://docs.confluent.io/platform/current/kafka/authentication_ssl.html:
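To make the cause from the accepted answer checkable, here is an added example (not code from the question, the answers or Confluent's docs) that parses a Kafka Java-client properties file and reports whether it can satisfy a broker that requires client certificates, plus two settings that weaken TLS. The property names are the standard Kafka client names; the two sample files and all paths/passwords in the fixed one are constructed here.

```python
# Constructed sample: the truststore-only file from the question.
ORIGINAL_PROPERTIES = """\
security.protocol=SSL
ssl.truststore.type=PKCS12
ssl.truststore.location=kafka.keystore.p12
ssl.truststore.password=a1234141aadfafwg
enable.ssl.certificate.verification=false
ssl.endpoint.identification.algorithm=
"""
# Constructed sample: the same client with the keystore entries that hold its
# certificate and private key (paths and passwords are placeholders).
FIXED_PROPERTIES = """\
security.protocol=SSL
ssl.truststore.location=/path/to/client.truststore.p12
ssl.truststore.password=<truststore-password>
ssl.keystore.location=/path/to/client.keystore.p12
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>
"""
# Without these the client sends an empty certificate_list and the broker
# logs "Empty client certificate chain".
KEYSTORE_KEYS = ("ssl.keystore.location", "ssl.keystore.password")

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def check_mtls_client(text: str) -> list[str]:
    """Findings for a client properties file; empty means mTLS-complete with hostname verification on."""
    props = parse_properties(text)
    findings = []
    if props.get("security.protocol") not in ("SSL", "SASL_SSL"):
        findings.append("security.protocol is not SSL or SASL_SSL")
    for key in KEYSTORE_KEYS:
        if not props.get(key):
            findings.append(f"missing {key}: client cannot present a certificate")
    if props.get("ssl.endpoint.identification.algorithm", "https") == "":
        findings.append("hostname verification disabled: empty ssl.endpoint.identification.algorithm")
    if "enable.ssl.certificate.verification" in props:
        findings.append("enable.ssl.certificate.verification is a librdkafka name; the Java client ignores it")
    return findings
```

Run `check_mtls_client(open("kafka-ssl.properties").read())` against your own file; on the question's file it reports the two missing keystore keys, the disabled hostname verification and the librdkafka-only setting.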