Hi, I've set up broker ssl successfully. Here is the detail.
*[broker]*

1. Run the shell script (generate the SSL key, certificate and CA, and sign the certificate).

2. Here is server.properties on the brokers:

    listeners=PLAINTEXT://:9092,SSL://:9093
    ssl.keystore.location=/opt/kafka/keys/server.keystore.jks
    ssl.keystore.password=test1234
    ssl.key.password=test1234
    ssl.truststore.location=/opt/kafka/keys/server.truststore.jks
    ssl.truststore.password=test1234
    ssl.client.auth=required
    ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1

After that I checked server.log and it has the info below:

    with addresses: PLAINTEXT -> EndPoint(192.168.64.1,9092,PLAINTEXT),SSL -> EndPoint(192.168.64.1,9093,SSL)

I also ran the command below and can see the proper server certificate:

    openssl s_client -debug -connect localhost:9093 -tls1

But when I run the mirror maker process on the other mirror maker machine, I get an error.

*[Mirror Maker]*

1. I ran the same shell script that I ran for the broker (generate the SSL key, certificate and CA, and sign the certificate).

2. Here is my mirror maker consumer configuration:

    bootstrap.servers=brokerhost:9093
    group.id=kafkaMirror
    security.protocol=SSL
    ssl.truststore.location=/opt/kafka/keys/client.truststore.jks
    ssl.truststore.password=test1234
    ssl.enabled.protocols=TLSv1
    ssl.keystore.location=/opt/kafka/keys/client.keystore.jks
    ssl.keystore.password=test1234
    ssl.key.password=test1234

After that I tried the commands below. All 3 commands got the same error.

    bin/kafka-mirror-maker.sh --new.consumer --consumer.config config/ssl_consumer.properties --producer.config config/producer.properties --num.streams 10 --whitelist=test

    bin/kafka-console-producer.sh --broker-list brokerhost:9093 --topic test --producer.config config/ssl_client.properties

    bin/kafka-console-consumer.sh --bootstrap-server brokerhost:9093 --topic test --new-consumer --consumer.config config/ssl_client.properties

    DEBUG Connection with {broker host}/{ip} disconnected (org.apache.kafka.common.network.Selector)
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
        at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:377)
        at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:242)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:68)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:281)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:270)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:216)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:128)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
        at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:335)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:413)
        at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:269)
        ... 6 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1465)
        ... 15 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

How can I fix this error? Thanks.
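The `PKIX path building failed ... unable to find valid certification path to requested target` exception in the trace above is raised by the client-side trust manager when the certificate the broker presents does not chain to any CA in the client's truststore. The script below is an added example (not part of the original post or of Kafka) that reproduces that condition offline: it creates two independently generated CAs, the way running one key-generation script on two machines would, issues a broker certificate from one of them, and then checks the certificate against each CA exactly as a truststore would. All file and CA names are constructed for the demonstration; `openssl` is required, and `keytool` only for the optional JKS export helper.

```shell
#!/bin/sh
# Added example: reproduce a "PKIX path building failed" situation with two
# separate CAs and check which CA actually signed a broker certificate.
set -eu

# Create a self-signed CA: $1 = work dir, $2 = CA name (constructed names).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" \
    -subj "/CN=$2 CA" >/dev/null 2>&1
}

# Issue a certificate signed by a CA: $1 = work dir, $2 = CA name, $3 = cert name.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1/$3.csr" \
    -CA "$1/$2-ca.pem" -CAkey "$1/$2-ca.key" -CAcreateserial \
    -out "$1/$3.pem" >/dev/null 2>&1
}

# The check a client truststore performs: returns 0 when $2 (a PEM certificate)
# chains to $1 (a PEM CA), non-zero otherwise.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Optional helper for a real deployment: export one CA entry from a JKS
# truststore as PEM so it can be passed to chains_to (needs keytool).
# $1 = truststore path, $2 = store password, $3 = alias of the CA entry.
truststore_ca_pem() {
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3"
}

# Demonstration: a broker certificate from "broker" CA is trusted by that CA's
# PEM but rejected when checked against the unrelated "mirror" CA, which is
# the same outcome the Java trust manager reports as a PKIX path failure.
demo() {
  d=$(mktemp -d)
  make_ca "$d" broker
  make_ca "$d" mirror
  issue_cert "$d" broker broker-server
  if chains_to "$d/broker-ca.pem" "$d/broker-server.pem"; then
    echo "broker CA: certificate chain OK"
  fi
  if ! chains_to "$d/mirror-ca.pem" "$d/broker-server.pem"; then
    echo "mirror CA: no certification path (this is the PKIX failure)"
  fi
  rm -rf "$d"
}

demo
```

To apply the same check to a live setup, export the CA entry from the client's truststore with `truststore_ca_pem`, capture the broker's certificate with `openssl s_client -showcerts`, and pass both to `chains_to`; a non-zero result means the truststore on the client side needs the CA that signed the broker's certificate, not a CA generated separately.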