kafka-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: Kafka SSL error
Date Wed, 20 Sep 2017 07:33:07 GMT
Hi,

Looking at your commands it looks as if you generated a self-signed key for the
server, a self-signed key for the client, and then imported the CA's public
key into the truststores. I don't think this will work because now you
have two different self-signed keys in the keystores and presumably the
CA public key in your truststores.

Does the cert.pem actually contain the private key? In case it doesn't
contain the private key you need to get the private key first. If yes, you
have to convert it into the keystore format using this guide:
https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html
You basically have to first use OpenSSL to create a PKCS12 key and that can
be converted into a keystore.

BTW: If you run your application with system property “javax.net.debug” set
to “ssl” it will generate a lot of useful debug information which will help
to understand what is going on and fix this.

Jakub

On Tue, 19 Sep 2017 at 23:44, karan alang <karan.alang@gmail.com> wrote:

> Hello All -
> I was able to set up SSL for the Kafka brokers, using OpenSSL.
>
> However, I'm having issues with setting up SSL using the pem file (i.e. the SSL
> certificate, certified by a CA, provided by the company).
>
> Here is what I've done -
> created the server/client keystore & truststore files and imported the
> provided cert.pem file:
>
> keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
> keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file cert.pem
> keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file cert.pem
> keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file cert.pem
> keytool -keystore kafka.client.keystore.jks -alias localhost -validity 365 -genkey
> keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file cert.pem
>
> I have a console producer pushing data into the topic, and it gives the error
> shown below:
>
> Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, state = 1, type = 1
>         at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:213)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
>         at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:336)
>         at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:417)
>         ... 7 more
>
> Any ideas on what the issue might be ?
> thanks for help in advance!
>

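The procedure the reply sketches (get hold of the private key, bundle key and certificate into PKCS12 with OpenSSL, convert that into the Java keystore, and keep only the CA certificate in the truststore), worked through as an added example. This is not code from the thread or from the Kafka project. It stands in for the company CA with a throwaway CA created on the spot, uses the demo password `changeit`, writes everything into a scratch directory, and compares a CA-signed broker certificate against a self-signed one of the kind the original `keytool -genkey` commands produced, to show why the latter cannot validate against a truststore holding only the CA.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the material the reply
# describes: a CA-signed broker key+cert bundled as PKCS12, then converted to
# JKS, with the CA cert alone in the truststore. The "company CA" is stood in
# for by a throwaway CA created here (an assumption for an offline demo).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; nothing real is touched
PASS="changeit"                 # demo password only

# Throwaway CA standing in for the corporate CA that issued cert.pem.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Corporate CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Broker private key + CSR, signed by the CA. In the real case the company
# returns cert.pem for a CSR you generated, so you hold server.key yourself.
make_signed_broker_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/server.pem" 2>/dev/null
}

# What the original keytool -genkey commands produced: a self-signed key
# that no CA has vouched for.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=localhost" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# Check 1: does this cert chain to the CA the peer's truststore holds?
# $1 = PEM certificate file. Exit status 0 only if it chains.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# The step from the reply: private key + cert (+ CA chain) -> PKCS12.
build_pkcs12() {
  openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
    -certfile "$WORK/ca.pem" -name localhost \
    -out "$WORK/server.p12" -passout "pass:$PASS"
}

# Check 2: the bundle must carry a private key (a cert-only PEM gives 0 here).
pkcs12_key_count() {
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY'
}

# Check 3: leaf certificate and CA certificate both present (2 expected).
pkcs12_cert_count() {
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# PKCS12 -> JKS keystore; the truststore gets only the CA cert.
# Skipped (not failed) when no JDK is installed, so the OpenSSL part still runs.
build_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS step"; return 0; }
  rm -f "$WORK/kafka.server.keystore.jks" "$WORK/kafka.server.truststore.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore "$WORK/kafka.server.keystore.jks" -deststorepass "$PASS" 2>/dev/null
  keytool -import -noprompt -alias CARoot -file "$WORK/ca.pem" \
    -keystore "$WORK/kafka.server.truststore.jks" -storepass "$PASS" 2>/dev/null
}

run_all() {
  make_demo_ca
  make_signed_broker_cert
  make_selfsigned_cert
  verify_chain "$WORK/server.pem" && echo "CA-signed cert: chains to the CA"
  verify_chain "$WORK/selfsigned.pem" || echo "self-signed cert: does NOT chain to the CA"
  build_pkcs12
  echo "PKCS12 private keys: $(pkcs12_key_count), certificates: $(pkcs12_cert_count)"
  build_jks
  echo "output in $WORK"
}

run_all
```

Two caveats worth knowing when doing this for real. OpenSSL 3 writes PKCS12 files with newer PBKDF2/AES defaults that Java 8's `keytool` cannot read; add `-legacy` to the `openssl pkcs12 -export` call if the JDK is that old. And the debug property the reply mentions is passed to the Kafka CLI tools through the environment, e.g. `KAFKA_OPTS="-Djavax.net.debug=ssl" bin/kafka-console-producer.sh ...`, which prints the certificates each side presents and the exact point at which the handshake fails.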