I'm wondering if I'm missing something about configuring SSL for KRaft.

We currently have a ZooKeeper cluster where all inter-broker & client
communication uses SSL. We manage our own CA and generate all the necessary
keystore/truststore jks files for our brokers and clients. We've had this
in place for several years.

I've recently been trying to set up a KRaft-based cluster. And since a
KRaft controller is configured much the same as a Kafka broker is, I
figured I would try to have the KRaft controllers communicate with each other
over SSL, same as I have the brokers do.

When I enable SSL for the KRaft controller I get this error on startup,
"Invalid value javax.net.ssl.SSLHandshakeException: No available
authentication scheme for configuration A client SSLEngine created with the
provided settings can't connect to a server SSLEngine created with those
settings."

I am running everything in Docker containers, using Confluent's images.
Currently using version 7.7.0, though I saw the same errors on 7.7.1.

Turning on SSL debugging didn't turn up anything obvious. And I'm pretty
stumped as to what's going on. Wondering if anyone here has thoughts.
Several attempts at this, along with a lot of research, haven't gotten me
anywhere.

My relevant KRaft controller config:

KAFKA_CONTROLLER_LISTENER_NAMES: SSL
KAFKA_INTER_BROKER_LISTENER_NAME: SSL
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "SSL:SSL"
KAFKA_LISTENERS: SSL://0.0.0.0:9094
KAFKA_METADATA_VERSION: "3.7"
KAFKA_PROCESS_ROLES: controller
KAFKA_SSL_CLIENT_AUTH: required
KAFKA_SSL_KEYSTORE_CREDENTIALS: credentials
KAFKA_SSL_KEYSTORE_FILENAME: keystore.jks
KAFKA_SSL_KEY_CREDENTIALS: credentials
KAFKA_SSL_SECRETS_DIR: /etc/kafka/secrets
KAFKA_SSL_TRUSTSTORE_CREDENTIALS: credentials
KAFKA_SSL_TRUSTSTORE_FILENAME: truststore.jks

——

Ian Whitney (he/him/his)
Data Engineer | ASR Data Engineering
Academic Support Resources | asr.umn.edu
Office of Undergraduate Education | University of Minnesota
whit0...@umn.edu | 612-547-8598
