Hi,

We have been using Kafka for a while now. We have been using the binary release 
2.10-0.8.2.1. But we have been needing encrypted communication between our 
publishers and subscribers. So we got 2.10-0.9.0.0. This works very well with 
no SSL enabled. But we currently have issues with SSL enabled.

So I configured SSL according to 
http://kafka.apache.org/documentation.html#security, and only placed the 
following changes in server.properties to enable SSL:

listeners=PLAINTEXT://servername:9092, SSL://servername:9093

# The port the socket server listens on
#port=9092

# Hostname the broker will bind to. If not set, the server will bind to all interfaces
host.name=servername

# SSL Stuff
#
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.location=/pathto/certs/server.keystore.jks
ssl.keystore.password=123456
ssl.key.password=123456
ssl.truststore.location=/pathto/certs/server.truststore.jks
ssl.truststore.password=123456


At startup I see the following in the logs:


        advertised.host.name = servername
        metric.reporters = []
        quota.producer.default = 9223372036854775807
        offsets.topic.num.partitions = 50
        log.flush.interval.messages = 9223372036854775807
        auto.create.topics.enable = true
        controller.socket.timeout.ms = 30000
        log.flush.interval.ms = null
        principal.builder.class = class org.apache.kafka.common.security.auth.DefaultPrincipalBuilder
        replica.socket.receive.buffer.bytes = 65536
        min.insync.replicas = 1
        replica.fetch.wait.max.ms = 500
        num.recovery.threads.per.data.dir = 1
        ssl.keystore.type = JKS
        default.replication.factor = 1
        ssl.truststore.password = [hidden]
        log.preallocate = false
        sasl.kerberos.principal.to.local.rules = [DEFAULT]
        fetch.purgatory.purge.interval.requests = 1000
        ssl.endpoint.identification.algorithm = null
        replica.socket.timeout.ms = 30000
        message.max.bytes = 1000012
        num.io.threads = 8
        offsets.commit.required.acks = -1
        log.flush.offset.checkpoint.interval.ms = 60000
        delete.topic.enable = false
        quota.window.size.seconds = 1
        ssl.truststore.type = JKS
        offsets.commit.timeout.ms = 5000
        quota.window.num = 11
        zookeeper.connect = servername:2181
        authorizer.class.name = 
        num.replica.fetchers = 1
        log.retention.ms = null
        log.roll.jitter.hours = 0
        log.cleaner.enable = false
        offsets.load.buffer.size = 5242880
        log.cleaner.delete.retention.ms = 86400000
        ssl.client.auth = required
        controlled.shutdown.max.retries = 3
        queued.max.requests = 500
        offsets.topic.replication.factor = 3
        log.cleaner.threads = 1
        sasl.kerberos.service.name = null
        sasl.kerberos.ticket.renew.jitter = 0.05
        socket.request.max.bytes = 104857600
        ssl.trustmanager.algorithm = PKIX
        zookeeper.session.timeout.ms = 6000
        log.retention.bytes = -1
        sasl.kerberos.min.time.before.relogin = 60000
        zookeeper.set.acl = false
        connections.max.idle.ms = 600000
        offsets.retention.minutes = 1440
        replica.fetch.backoff.ms = 1000
        inter.broker.protocol.version = 0.9.0.X
        log.retention.hours = 168
        num.partitions = 4
        listeners = PLAINTEXT://servername:9092, SSL://servername:9093
        ssl.provider = null
        ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
        log.roll.ms = null
        log.flush.scheduler.interval.ms = 9223372036854775807
        ssl.cipher.suites = null
        log.index.size.max.bytes = 10485760
        ssl.keymanager.algorithm = SunX509
        security.inter.broker.protocol = PLAINTEXT
        replica.fetch.max.bytes = 1048576
        advertised.port = null
        log.cleaner.dedupe.buffer.size = 524288000
        replica.high.watermark.checkpoint.interval.ms = 5000
        log.cleaner.io.buffer.size = 524288
        sasl.kerberos.ticket.renew.window.factor = 0.8
        zookeeper.connection.timeout.ms = 6000
        controlled.shutdown.retry.backoff.ms = 5000
        log.roll.hours = 168
        log.cleanup.policy = delete
        host.name = servername
        log.roll.jitter.ms = null
        max.connections.per.ip = 2147483647
        offsets.topic.segment.bytes = 104857600
        background.threads = 10
        quota.consumer.default = 9223372036854775807
        request.timeout.ms = 30000
        log.index.interval.bytes = 4096
        log.dir = /tmp/kafka-logs
        log.segment.bytes = 1073741824
        log.cleaner.backoff.ms = 15000
        offset.metadata.max.bytes = 4096
        ssl.truststore.location = /pathto/certs/server.truststore.jks
        group.max.session.timeout.ms = 30000
        ssl.keystore.password = [hidden]
        zookeeper.sync.time.ms = 2000
        port = 9092
        log.retention.minutes = null
        log.segment.delete.delay.ms = 60000
        log.dirs = /pathto/logs/kafka
        controlled.shutdown.enable = true
        compression.type = producer
        max.connections.per.ip.overrides = 
        sasl.kerberos.kinit.cmd = /usr/bin/kinit
        log.cleaner.io.max.bytes.per.second = 1.7976931348623157E308
        auto.leader.rebalance.enable = true
        leader.imbalance.check.interval.seconds = 300
        log.cleaner.min.cleanable.ratio = 0.5
        replica.lag.time.max.ms = 10000
        num.network.threads = 3
        ssl.key.password = [hidden]
        reserved.broker.max.id = 1000
        metrics.num.samples = 2
        socket.send.buffer.bytes = 102400
        ssl.protocol = TLS
        socket.receive.buffer.bytes = 102400
        ssl.keystore.location = /pathto/certs/server.keystore.jks
        replica.fetch.min.bytes = 1
        unclean.leader.election.enable = true
        group.min.session.timeout.ms = 6000
        log.cleaner.io.buffer.load.factor = 0.9
        offsets.retention.check.interval.ms = 600000
        producer.purgatory.purge.interval.requests = 1000



So as you can see, the listeners are supposedly set up as 

        listeners = PLAINTEXT://servername:9092, SSL://servername:9093

in the logs, which reflects what was set up in server.properties.

However, further down the logs, it is only PLAINTEXT that is being registered:

[2016-02-01 11:27:49,712] INFO Registered broker 0 at path /brokers/ids/0 with addresses: PLAINTEXT -> EndPoint(servername,9092,PLAINTEXT) (kafka.utils.ZkUtils)


neither port 9093 nor SSL.

I have done multiple permutations of this config, including clearing the entire 
Kafka and ZooKeeper data. Still no luck. I even forced SSL on port 9092, 
with the same issue. The resulting effect of this is that the producer and 
consumer are giving me errors like:

lients.NetworkClient)
[2016-02-01 10:58:41,001] WARN Error while fetching metadata with correlation id 57 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2016-02-01 10:58:41,103] WARN Error while fetching metadata with correlation id 58 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2016-02-01 10:58:41,205] WARN Error while fetching metadata with correlation id 59 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)


Any help is appreciated.
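As an added example (not from this thread and not Kafka's own code), a small Python linter for the server.properties pitfalls visible in the post: the legacy `advertised.host.name`/`advertised.port` keys, which on a 0.9 broker take precedence over `listeners` when the endpoints published to ZooKeeper are computed (the startup dump above lists `advertised.host.name = servername`), the older TLS versions listed in `ssl.enabled.protocols`, and inter-broker traffic left on PLAINTEXT. The sample properties are a constructed copy of the poster's settings.

```python
import re

# Constructed copy of the poster's settings plus advertised.host.name, which
# the broker's startup dump lists as set (example data, not a real file).
SAMPLE_PROPERTIES = """\
listeners=PLAINTEXT://servername:9092, SSL://servername:9093
host.name=servername
advertised.host.name=servername
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
security.inter.broker.protocol=PLAINTEXT
"""
LEGACY_ADVERTISED = ("advertised.host.name", "advertised.port")
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_listeners(value):
    """'PLAINTEXT://h:9092, SSL://h:9093' -> {'PLAINTEXT': ('h', 9092), ...}"""
    endpoints = {}
    for item in value.split(","):
        m = re.fullmatch(r"\s*(\w+)://([^:]*):(\d+)\s*", item)
        if m:
            endpoints[m.group(1)] = (m.group(2), int(m.group(3)))
    return endpoints

def lint(props):
    """Return (severity, message) findings for the SSL-listener pitfalls."""
    findings = []
    listeners = parse_listeners(props.get("listeners", ""))
    # On 0.9 brokers the legacy advertised.* keys win over `listeners` when the
    # endpoints published to ZooKeeper are computed: only PLAINTEXT is registered.
    legacy = [k for k in LEGACY_ADVERTISED if k in props]
    if listeners and legacy:
        findings.append(("error", "unset " + ", ".join(legacy) + "; use advertised.listeners"))
    enabled = {p.strip() for p in props.get("ssl.enabled.protocols", "").split(",")}
    if "SSL" in listeners and enabled & WEAK_TLS:
        findings.append(("warn", "weak TLS versions: " + ", ".join(sorted(enabled & WEAK_TLS))))
    if "SSL" in listeners and props.get("security.inter.broker.protocol") != "SSL":
        findings.append(("info", "broker-to-broker traffic stays PLAINTEXT"))
    return findings
```

Running `lint(parse_properties(SAMPLE_PROPERTIES))` reports the three findings; the same checks pass once the legacy key is removed and `ssl.enabled.protocols` is limited to TLSv1.2.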
