further update -> i recreated the certificates & here is the result of the verification
(i read in one post that the CN should match the FQDN, else it gives the error, any ideas on how to debug this?)

openssl s_client -debug -connect nwk2-bdp-kafka-04.gdcs-qa.apple.com:6667 -tls1
CONNECTED(00000003)
depth=0 C = us, ST = ca, L = nwk, O = gdcs, OU = gdcs-qa, CN = nwk2-bdp-kafka-04.gdcs-qa.apple.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = us, ST = ca, L = nwk, O = gdcs, OU = gdcs-qa, CN = nwk2-bdp-kafka-04.gdcs-qa.apple.com
verify return:1
---
Certificate chain
 0 s:/C=us/ST=ca/L=nwk/O=gdcs/OU=gdcs-qa/CN=nwk2-bdp-kafka-04.gdcs-qa.apple.com
   i:/C=us/ST=ca/L=nwk/O=gdcs/OU=gdcs-qa/CN=nwk2-bdp-kafka-04.gdcs-qa.apple.com
---
Server certificate
subject=/C=us/ST=ca/L=nwk/O=gdcs/OU=gdcs-qa/CN=nwk2-bdp-kafka-04.gdcs-qa.apple.com
issuer=/C=us/ST=ca/L=nwk/O=gdcs/OU=gdcs-qa/CN=nwk2-bdp-kafka-04.gdcs-qa.apple.com
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 1519 bytes and written 357 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 59767979D3C289D1EB584B04C9CB1DF4659C017296247CC84BB1F7D7842BA9B1
    Session-ID-ctx:
    Master-Key: 795C06945CBD2BABC55A269FF46EAE6848E3834E5EAB54886E10DFD5289498901A5169AFE268872F4B0A3439DA20A378
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1500936569
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)

On Mon, Jul 24, 2017 at 2:08 PM, karan alang <karan.al...@gmail.com> wrote:

> Here is what i see in the logs ..
> So, it seems the Kafka Broker is starting up with SSL, however, the Controller is not able to connect to the Broker
>
> server.log
>
>> [2017-07-24 20:57:19,461] INFO [ThrottledRequestReaper-Produce], Starting (kafka.server.ClientQuotaManager$ThrottledRequestReaper)
>> [2017-07-24 20:57:19,464] INFO [ThrottledRequestReaper-Fetch], Starting (kafka.server.ClientQuotaManager$ThrottledRequestReaper)
>> [2017-07-24 20:57:19,467] INFO Will not load MX4J, mx4j-tools.jar is not in the classpath (kafka.utils.Mx4jLoader$)
>> [2017-07-24 20:57:19,474] INFO [Group Metadata Manager on Broker 1001]: Removed 0 expired offsets in 7 milliseconds. (kafka.coordinator.GroupMetadataManager)
>> [2017-07-24 20:57:19,498] INFO Creating /brokers/ids/1001 (is it secure? false) (kafka.utils.ZKCheckedEphemeral)
>> [2017-07-24 20:57:19,508] INFO Result of znode creation is: OK (kafka.utils.ZKCheckedEphemeral)
>> [2017-07-24 20:57:19,510] INFO Registered broker 1001 at path /brokers/ids/1001 with addresses: PLAINTEXT -> EndPoint(nwk2-bdp-kafka-04.gdcs-qa.apple.com,6668,PLAINTEXT),SSL -> EndPoint(nwk2-bdp-kafka-04.gdcs-qa.apple.com,6667,SSL) (kafka.utils.ZkUtils)
>> [2017-07-24 20:57:19,526] INFO [Kafka Server 1001], started (kafka.server.KafkaServer)
>
> controller.log
>
>> [2017-07-24 20:59:56,323] WARN [Controller-1001-to-broker-1001-send-thread], Controller 1001's connection to broker nwk2-bdp-kafka-04.gdcs-qa.apple.com:6667 (id: 1001 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
>> java.io.IOException: Connection to nwk2-bdp-kafka-04.gdcs-qa.apple.com:6667 (id: 1001 rack: null) failed
>>         at kafka.utils.NetworkClientBlockingOps$$anonfun$blockingReady$extension$2.apply(NetworkClientBlockingOps.scala:63)
>>         at kafka.utils.NetworkClientBlockingOps$$anonfun$blockingReady$extension$2.apply(NetworkClientBlockingOps.scala:59)
>>         at kafka.utils.NetworkClientBlockingOps$.recursivePoll$1(NetworkClientBlockingOps.scala:112)
>>         at kafka.utils.NetworkClientBlockingOps$.kafka$utils$NetworkClientBlockingOps$$pollUntil$extension(NetworkClientBlockingOps.scala:120)
>>         at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:59)
>>         at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:233)
>>         at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
>>         at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
>>         at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
>
> On Mon, Jul 24, 2017 at 12:36 PM, karan alang <karan.al...@gmail.com> wrote:
>
>> Hello - i've enabled SSL for Kafka, and Kafka is starting up fine with SSL enabled.
>>
>> However, when i run the Kafka console producer, it gives me the error shown below ->
>>
>> Command :
>> /usr/hdp/2.5.3.0-37/kafka/bin/kafka-console-producer.sh --broker-list nwk2-bdp-kafka-05.gdcs-qa.apple.com:6667,nwk2-bdp-kafka-04.gdcs-qa.apple.com:6667,nwk2-bdp-kafka-06.gdcs-qa.apple.com:6667 --topic sslTopic --producer.config /tmp/ssl-kafka/client-ssl.properties
>>
>> Message Typed on console :
>> hi
>>
>> On Typing message on the Console Producer, i get the following error :
>> [2017-07-24 19:10:22,940] WARN Bootstrap broker nwk2-bdp-kafka-06.gdcs-qa.apple.com:6667 disconnected (org.apache.kafka.clients.NetworkClient)
>> [2017-07-24 19:10:23,106] WARN Bootstrap broker nwk2-bdp-kafka-05.gdcs-qa.apple.com:6667 disconnected (org.apache.kafka.clients.NetworkClient)
>>
>> Attached is the client-ssl.properties file, used to start the Console producer
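As an added example (not code from the thread or from the Kafka project), a small Python checker that reads the relevant lines of the openssl s_client output quoted above and separates the two possibilities raised in the thread: a CN that does not match the broker FQDN, versus a self-signed certificate that is simply not in the client's truststore (OpenSSL verify code 18). The sample input is constructed from the lines shown above, and the function names are assumptions of mine.

```python
import re

# Constructed sample: the verification lines from the openssl s_client run
# quoted in the thread above (hex dump and PEM body left out).
SAMPLE_OUTPUT = """\
depth=0 C = us, ST = ca, L = nwk, O = gdcs, OU = gdcs-qa, CN = nwk2-bdp-kafka-04.gdcs-qa.apple.com
verify error:num=18:self signed certificate
verify return:1
subject=/C=us/ST=ca/L=nwk/O=gdcs/OU=gdcs-qa/CN=nwk2-bdp-kafka-04.gdcs-qa.apple.com
issuer=/C=us/ST=ca/L=nwk/O=gdcs/OU=gdcs-qa/CN=nwk2-bdp-kafka-04.gdcs-qa.apple.com
Verify return code: 18 (self signed certificate)
"""

def parse_dn(dn):
    # OpenSSL's legacy '/C=us/.../CN=host' form; values containing '/' are not
    # handled, which is fine for the DNs in this thread.
    return dict(p.split("=", 1) for p in dn.strip().strip("/").split("/") if "=" in p)

def diagnose(output, host):
    """Pull CN, self-signed status, CN/host match and verify code out of s_client output."""
    subject, issuer, code = None, None, None
    for line in output.splitlines():
        if line.startswith("subject="):
            subject = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            issuer = parse_dn(line[len("issuer="):])
        else:
            m = re.match(r"Verify return code: (\d+)", line)
            if m:
                code = int(m.group(1))
    cn = subject.get("CN") if subject else None
    return {
        "cn": cn,
        "self_signed": subject is not None and subject == issuer,
        "cn_matches_host": cn is not None and cn.lower() == host.lower(),
        "verify_code": code,
    }

def next_check(result):
    # A CN mismatch needs a reissued certificate; no truststore change fixes it.
    if not result["cn_matches_host"]:
        return "reissue: CN (or a SAN) must equal the FQDN the clients connect to"
    if result["verify_code"] == 0:
        return "ok: chain verifies and CN matches; compare the client truststore next"
    if result["self_signed"]:
        # Code 18 only says no trust anchor was supplied: a self-signed broker cert
        # verifies once that same cert is in the truststore (or passed with -CAfile).
        return "trust: import the self-signed broker cert into client and broker truststores"
    return "trust: import the issuing CA into the truststores"
```

Run against the quoted output the CN does match the host that was connected to, so the checker points at the truststore rather than at the certificate's name.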