kafka-users mailing list archives

From Pere Urbón Bayes <pere.ur...@gmail.com>
Subject Re: kafka security using ssl
Date Thu, 22 Aug 2019 12:50:52 GMT
Can you share your certificate content somehow? I should ask, is it
properly signed with the CA? Can you share the current error as well?

-- Pere

On Thu, 22 Aug 2019, 14:47 Antony A <antonyaugustus@gmail.com> wrote:

> Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used
> to create the CSR and the SERVER CERT.
>
> Sent from my iPhone
>
> > On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
> >
> > You should verify a proper chain of validation. Is your private CA cert in
> > your trust store?
> >
> >> On Thu, 22 Aug 2019, 14:40 Antony A <antonyaugustus@gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> I was able to get the broker running if I used a CA created as shown in
> >> the example below. https://kafka.apache.org/documentation/#security_ssl
> >>
> >> The issue I am facing is when I used my internal CA. Not sure what I am
> >> missing when I am creating the certificate.
> >>
> >> Thanks.
> >>
> >> Sent from my iPhone
> >>
> >>> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
> >>>
> >>> Hi,
> >>> The error looks like a missing configuration value. A good source of
> >>> examples of how to set up security can be found at
> >>> https://github.com/purbon/kafka-security-playbook or
> >>> https://docs.confluent.io/current/kafka/authentication_ssl.html.
> >>>
> >>> I would verify them and see if you're using the same configuration and
> >>> properly set up certificate stores.
> >>>
> >>> I hope it helps,
> >>>
> >>> -- Pere
> >>>
> >>>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugustus@gmail.com> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> I have followed the steps to secure the brokers using SSL. I have signed
> >>>> the server certificate using internal CA. I have the keystore with server
> >>>> certificate, private key and the CA. Also the truststore has only the CA.
> >>>>
> >>>> Unfortunately I am unable to start the broker with the following server
> >>>> properties
> >>>>
> >>>> listeners=SSL://:9092
> >>>> security.inter.broker.protocol=SSL
> >>>> ssl.client.auth=required
> >>>>
> >>>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
> >>>> ssl.truststore.password=password
> >>>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
> >>>> ssl.keystore.password=password
> >>>> ssl.key.password=password
> >>>>
> >>>> # ACLs
> >>>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> >>>> super.users=User:kafkabroker
> >>>>
> >>>>
> >>>> Here is the error in the logs
> >>>>
> >>>> org.apache.kafka.common.KafkaException:
> >>>> org.apache.kafka.common.config.ConfigException: Invalid value
> >>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
> >>>> configuration A client SSLEngine created with the provided settings can't
> >>>> connect to a server SSLEngine created with those settings.
> >>>>
> >>>> Any pointers on what to do?
> >>>>
> >>>> Thanks,
> >>>> Antony
> >>>>
> >>>> PS: Kafka Version 2.3
> >>>>
> >>
>
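
The two checks raised in this thread (is the server certificate signed by the CA held in the truststore, and does the private key in the keystore match that certificate) can be run with openssl once the entries are in PEM form. This is an added example, not part of the original messages; the names `internal-ca`, `other-ca`, `broker` and `stray`, the helper functions, and every key and certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed throwaway test data.
# For a real JKS, export each certificate to PEM first, for example:
#   keytool -exportcert -rfc -alias <alias> -keystore /tmp/kafka.server.keystore.jks

# chains_to CA_PEM CERT_PEM: succeeds only if CERT_PEM validates against CA_PEM.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT_PEM KEY_PEM: succeeds only if the private key belongs to the cert.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_ca DIR NAME: self-signed test CA written to DIR/NAME.pem and DIR/NAME.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA LEAF: CSR for LEAF signed by CA, as in the Kafka SSL procedure.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK" internal-ca      # stands in for the CA held in the truststore
make_ca "$WORK" other-ca         # an unrelated CA, to show the failing case
make_leaf "$WORK" internal-ca broker
make_leaf "$WORK" other-ca stray

for cert in broker stray; do
    if chains_to "$WORK/internal-ca.pem" "$WORK/$cert.pem"; then
        echo "$cert: chains to internal-ca"
    else
        echo "$cert: NOT signed by internal-ca"
    fi
done
key_matches "$WORK/broker.pem" "$WORK/broker.key" && echo "broker: key matches cert"
key_matches "$WORK/broker.pem" "$WORK/stray.key" || echo "broker: stray key rejected"
```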
