在单个节点上使用SSL与Kafka

Question

I want to have SSL running with Kafka to make it more secure. I downloaded Kafka and installed it. I followed the instruction on creating certificates and truststore for SSL with no problem. I added the following into my config/server.properties

ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type=JKS
ssl.truststore.type=JKS

listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093
ssl.endpoint.identification.algorithm=HTTPS
security.inter.broker.protocol=SSL
ssl.secure.random.implementation=SHA1PRNG
ssl.endpoint.identification.algorithm=HTTPS
ssl.keystore.location=/home/ec2-user/workspace/kafka/cert/server.keystore.jks
ssl.key.password=<the password>
ssl.keystore.password=<the password>
ssl.truststore.location=/home/ec2-user/workspace/kafk/cert/server.truststore.jks
ssl.truststore.password=<the password>

After Starting Zookeeper, I am getting this error when I start kafak: [2017-12-07 16:02:52,155] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient). I have to kill the task to stop this message

looking at logs/controller.log :

[Controller-0-to-broker-0-send-thread]: Controller 0's connection to broker localhost:9093 (id: 0 rack: null) was unsuccessful (kafka.controller.RequestSendThread)

Do you have to open the firewall on port 9093?

Thank you

Answer 1

Handshake failed usually means that they were able to talk to each other but unable to agree.

You should try without the ssl.endpoint.identification.algorithm=HTTPS line in the config. Quite often a hostname mismatch in the certificate check is the cause for stuff like this..