A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings

1tuwyuhd posted on 2023-04-12 in Other

I am trying to start Kafka in Docker on two different hosts using this docker compose file:

version: "2"
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:5.5.7
    restart: unless-stopped
    container_name: zookeeper
    ports:
        - "2181:2181"
    environment:
        ZOOKEEPER_TICK_TIME: 2000
        ZOOKEEPER_CLIENT_PORT: 2181
  kafka:
    image: confluentinc/cp-kafka:5.5.7
    restart: unless-stopped
    container_name: kafka
    depends_on:
        - zookeeper
    ports:
        - "9092:9092"
    environment:
        KAFKA_BROKER_ID: 1
        KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
        KAFKA_LISTENERS: SSL://:9092
        KAFKA_ADVERTISED_LISTENERS: SSL://:9092
        KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
        KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
        KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
        KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
        KAFKA_AUTO_CREATE_TOPICS_ENABLE: false
        KAFKA_DELETE_TOPIC_ENABLE: true
        KAFKA_SSL_KEYSTORE_FILENAME: broker.keystore.jks
        KAFKA_SSL_KEYSTORE_CREDENTIALS: pass
        KAFKA_SSL_KEY_CREDENTIALS: pass
        KAFKA_SSL_TRUSTSTORE_FILENAME: broker.truststore.jks
        KAFKA_SSL_TRUSTSTORE_CREDENTIALS: pass
        KAFKA_SSL_CLIENT_AUTH: requested
        KAFKA_SECURITY_PROTOCOL: SSL
        KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: " "
        KAFKA_SECURITY_INTER_BROKER_PROTOCOL: SSL
    volumes:
        - ./secrets:/etc/kafka/secrets

On one host everything works fine, but on the other host I get an error:

"Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: General SSLEngine problem for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings."

I use different certificates. The only difference I can see is the signature algorithm: on the host where everything works it is SHA-512 with RSA, while on the host where I get the error it is SHA-384 with ECDSA, and the key sizes differ too (2048 bits vs 4096). But as I found on Google, Kafka should work with both of them. I have no way to change the certificate; I need to find a solution with this certificate.
What causes this error?

0sgqnhkj


I found the solution. The problem was in the certificate I was using: its key usage field did not include "Client Authentication". I discovered this when I tried to run the latest version of Kafka, which gave me an error about the key usage field.
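The error in the question is Kafka's configuration self-test: the broker builds a client SSLEngine and a server SSLEngine from the same keystore and truststore and performs a handshake between them before starting. With `ssl.client.auth=requested` and inter-broker SSL, the broker's own certificate is therefore checked as a client certificate, and Java's trust manager rejects a certificate whose Extended Key Usage (EKU) extension is present but lacks `clientAuth` (a certificate with no EKU extension at all is accepted for any purpose). The script below is an added example, not code from the question, the answer or the Kafka project: it generates constructed self-signed test certificates with OpenSSL (1.1.1 or newer, for `-addext`) and checks whether a PEM certificate can play both the server and client role, which is the property the accepted answer found missing. It also prints the signature algorithm and key size, the two properties the question compared between hosts, to show they are not the deciding factor.

```shell
#!/bin/sh
# Added example (not from the original post): check the EKU of a PEM certificate
# for the two TLS roles a Kafka broker certificate must fill when client auth is
# requested on inter-broker connections. Test certs are constructed locally.
set -eu

cert_text() { openssl x509 -in "$1" -noout -text; }

has_eku() { cert_text "$1" | grep -q "X509v3 Extended Key Usage"; }

has_client_auth() {
  cert_text "$1" | grep -qE "TLS Web Client Authentication|Any Extended Key Usage"
}

has_server_auth() {
  cert_text "$1" | grep -qE "TLS Web Server Authentication|Any Extended Key Usage"
}

# A cert is acceptable for a TLS role when it either has no EKU extension at all
# (the Java trust manager then allows any purpose) or its EKU lists that role.
client_cert_ok() { ! has_eku "$1" || has_client_auth "$1"; }
server_cert_ok() { ! has_eku "$1" || has_server_auth "$1"; }

# Exit 0 when the cert can play both roles, 1 otherwise, with a one-line verdict.
check_broker_cert() {
  if server_cert_ok "$1" && client_cert_ok "$1"; then
    echo "$1: OK for server and client roles"
    return 0
  fi
  echo "$1: EKU present but missing clientAuth or serverAuth; broker self-handshake will fail"
  return 1
}

# Show the signature algorithm and key size, as compared in the question.
describe_cert() { cert_text "$1" | grep -E "Signature Algorithm:|Public-Key:" | sort -u; }

# Constructed self-signed test cert.
# $1 = output prefix, $2 = "rsa" or "ec", $3 = EKU list ("" for no EKU extension).
make_test_cert() {
  case "$2" in
    ec) keyopts="-newkey ec -pkeyopt ec_paramgen_curve:P-384 -sha384" ;;
    *)  keyopts="-newkey rsa:2048 -sha512" ;;
  esac
  if [ -n "$3" ]; then
    # shellcheck disable=SC2086
    openssl req -x509 $keyopts -nodes -keyout "$1.key" -out "$1.crt" -days 1 \
      -subj "/CN=kafka-test" -addext "extendedKeyUsage=$3" 2>/dev/null
  else
    # shellcheck disable=SC2086
    openssl req -x509 $keyopts -nodes -keyout "$1.key" -out "$1.crt" -days 1 \
      -subj "/CN=kafka-test" 2>/dev/null
  fi
}

# Demo: an RSA/SHA-512 cert with serverAuth only (fails the client role), an
# ECDSA/SHA-384 cert with both EKUs (passes), and an RSA cert with no EKU (passes).
WORK=$(mktemp -d)
make_test_cert "$WORK/rsa-server-only" rsa "serverAuth"
make_test_cert "$WORK/ecdsa-both"      ec  "serverAuth,clientAuth"
make_test_cert "$WORK/rsa-no-eku"      rsa ""
for c in "$WORK"/*.crt; do
  describe_cert "$c"
  check_broker_cert "$c" || true
done
```

Run it against the broker's own certificate with `check_broker_cert broker.pem` after exporting the keystore entry to PEM (for example with `keytool -exportcert -rfc`); a certificate that passes `server_cert_ok` but fails `client_cert_ok` reproduces the situation described in the answer, regardless of whether it is RSA or ECDSA.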
