[英]Error in Kafka running on openshift during SSL
我让 Kafka 在 openshift 上运行,并公开了访问 Kafka 代理的路由(TLS 直通)。 下面是代理的 server.properties。 请注意,openshift 服务是将消息端口转发到 9043。我在 Kafka 代理上有密钥库和证书,在客户端有 ca-cert。
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
listeners=INTERNAL://0.0.0.0:9092,EXTERNAL://0.0.0.0:9043
advertised.listeners=INTERNAL://localhost:9092,EXTERNAL:abc:9043
inter.broker.listener.name=INTERNAL
listener.security.protocol.map=INTERNAL:PLAINTEXT,EXTERNAL:SSL
ssl.client.auth=none
security.protocol=SSL
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.location =
ssl.keystore.password =
ssl.key.password =
ssl.truststore.location =
ssl.truststore.password =
ssl.endpoint.identification.algorithm=
我正在尝试使用本地的 Kafka 生产者访问路由,如下所示
kafka-console-producer.bat --broker-list abc:443 --producer-property security.protocol=SSL --producer-property ssl.truststore.password=*** --producer-property ssl.truststore.location=ca.crt --topic dummy
我在 Kafka pod 上遇到错误。
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, READ: TLSv1.2 Handshake, length = 347
check handshake state: client_hello[1]
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, fatal error: 10: Handshake message sequence violation, 1
javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 1
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, WRITE: TLSv1.2 Alert, length = 2
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, called closeOutbound()
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, closeOutboundInternal()
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, called closeInbound()
data-plane-kafka-network-thread-0-ListenerName(EXTERNAL)-SSL-3, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
[2020-08-01 23:30:26,397] INFO [SocketServer brokerId=0] Failed authentication with /10.X.X.X (SSL handshake failed) (org.apache.kafka.common.network.Selector)
以下是生产者客户端的错误
)
javax.net.ssl|ERROR|0E|kafka-producer-network-thread | console-producer|2020-08-01 19:40:02.523 CDT|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): Extended key usage does not permit use for TLS server authentication (
"throwable" : {
sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication
关于可能是什么问题的任何想法。
经过一些研究,我们发现证书上的扩展密钥用法设置为客户端身份验证。 我们更新了相同的内容,添加了 SAN 并能够连接。
如何在openshift3中激活默认的ssl以在tomcat8上运行项目?
[英]how to active default ssl in openshift3 for running project on tomcat8?
Kafka 消费者在 SSL 上抛出“OutOfMemoryError:Java 堆空间”错误
[英]Kafka Consumer throwing "OutOfMemoryError: Java heap space" Error on SSL
使用 SASL_SSL / PLAIN 连接时出现 Kafka AdminClient 错误
[英]Kafka AdminClient error when connecting using SASL_SSL / PLAIN
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.