如何haldle org.apache.Kafka.common.errors.SslAuthenticationException:SSL握手失败

cuxqih21  于 12个月前  发布在  Apache
关注(0)|答案(1)|浏览(143)

bounty将在2天后过期。回答此问题可获得+100声望奖励。Petr Kostroun正在寻找规范答案

我有一个Kafka客户端,配置如下:

spring:
  cloud:
    config:
      enabled: false
    stream:
      kafka:
        binder:
          brokers: localhost:9092
          zkNodes: localhost:2181
          configuration:
            security:
              protocol: SASL_SSL
            sasl:
              mechanism: SCRAM-SHA-256
              kerberos:
                 service:
                    name: "kafka"
              jaas:
                config: org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="sepultura1";
              
      bindings:
        kafkaDemoTopic:
          destination: kafka_demo_topic

字符串
当我试图运行应用程序,它失败了这个异常:

org.springframework.cloud.stream.provisioning.ProvisioningException: Provisioning exception encountered for kafka_demo_topic
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.createTopic(KafkaTopicProvisioner.java:377) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.provisionProducerDestination(KafkaTopicProvisioner.java:197) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.provisionProducerDestination(KafkaTopicProvisioner.java:96) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindProducer(AbstractMessageChannelBinder.java:297) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindProducer(AbstractMessageChannelBinder.java:102) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.AbstractBinder.bindProducer(AbstractBinder.java:153) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binding.BindingService.doBindProducer(BindingService.java:353) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binding.BindingService.bindProducer(BindingService.java:294) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.function.StreamBridge.resolveDestination(StreamBridge.java:272) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.function.StreamBridge.send(StreamBridge.java:168) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.function.StreamBridge.send(StreamBridge.java:147) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.function.StreamBridge.send(StreamBridge.java:142) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.heller.kafka.demo.producer.KafkaProducer.scheduleFixedRateTask(KafkaProducer.java:32) ~[classes/:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[na:na]
    at org.springframework.scheduling.support.ScheduledMethodRunnable.runInternal(ScheduledMethodRunnable.java:130) ~[spring-context-6.1.1.jar:6.1.1]
    at org.springframework.scheduling.support.ScheduledMethodRunnable.lambda$run$2(ScheduledMethodRunnable.java:124) ~[spring-context-6.1.1.jar:6.1.1]
    at io.micrometer.observation.Observation.observe(Observation.java:499) ~[micrometer-observation-1.12.0.jar:1.12.0]
    at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:124) ~[spring-context-6.1.1.jar:6.1.1]
    at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-6.1.1.jar:6.1.1]
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) ~[na:na]
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) ~[na:na]
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[na:na]
    at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
    at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396) ~[na:na]
    at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2096) ~[na:na]
    at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:180) ~[kafka-clients-3.6.0.jar:na]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.createTopicAndPartitions(KafkaTopicProvisioner.java:413) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.createTopicIfNecessary(KafkaTopicProvisioner.java:387) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.createTopic(KafkaTopicProvisioner.java:364) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    ... 27 common frames omitted
Caused by: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[na:na]
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[na:na]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[na:na]
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277) ~[na:na]
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264) ~[na:na]
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) ~[na:na]
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209) ~[na:na]
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:435) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:523) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:373) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:293) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:571) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1381) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1312) ~[kafka-clients-3.6.0.jar:na]
    at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
    at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[na:na]
    ... 19 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) ~[na:na]
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127) ~[na:na]
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
    ... 24 common frames omitted


我已经将证书导入到了cacquisition key store中。有人给予我一点如何处理这个异常吗?似乎cacquisition store中的证书无效。我在google上找不到如何处理它。谢谢
我运行以下命令来生成+自签名证书:

openssl req -new -x509 -days 365 -keyout ca.key -out ca.crt -subj "/C=PL/L=Warsaw/CN=localhost" -passout pass:sepultura1

keytool -genkey -keystore server.keystore -alias localhost -dname CN=localhost -keyalg RSA -validity 365 -ext san=dns:localhost -storepass sepultura1

 keytool -certreq -keystore server.keystore -alias localhost -file server.unsigned.crt -storepass sepultura1

openssl x509 -req -CA ca.crt -CAkey ca.key -in server.unsigned.crt -out server.crt -days 365 -CAcreateserial -passin pass:sepultura1

keytool -import -file ca.crt -keystore server.keystore -alias ca -storepass sepultura1 -noprompt

keytool -import -file server.crt -keystore server.keystore -alias localhost -storepass sepultura1 -noprompt

keytool -import -file ca.crt -keystore client.truststore -alias ca -storepass sepultura1 -noprompt

keytool -import -file server.crt -keystore client.truststore -alias localhost -storepass sepultura1 -noprompt

keytool -import -file server.crt -keystore C:\apps\jdk17\lib\security\cacerts -alias localhost -storepass changeit -noprompt

keytool -import -file ca.crt -keystore C:\apps\jdk17\lib\security\cacerts -alias ca -storepass changeit -noprompt


但仍然会得到这个异常:

org.springframework.cloud.stream.provisioning.ProvisioningException: Provisioning exception encountered for kafka_demo_topic
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.createTopic(KafkaTopicProvisioner.java:377) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.provisionProducerDestination(KafkaTopicProvisioner.java:197) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.provisionProducerDestination(KafkaTopicProvisioner.java:96) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindProducer(AbstractMessageChannelBinder.java:297) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindProducer(AbstractMessageChannelBinder.java:102) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.AbstractBinder.bindProducer(AbstractBinder.java:153) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binding.BindingService.doBindProducer(BindingService.java:353) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binding.BindingService.bindProducer(BindingService.java:294) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.function.StreamBridge.resolveDestination(StreamBridge.java:272) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.function.StreamBridge.send(StreamBridge.java:168) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.function.StreamBridge.send(StreamBridge.java:147) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.function.StreamBridge.send(StreamBridge.java:142) ~[spring-cloud-stream-4.1.0.jar:4.1.0]
    at org.heller.kafka.demo.producer.KafkaProducer.scheduleFixedRateTask(KafkaProducer.java:32) ~[classes/:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[na:na]
    at org.springframework.scheduling.support.ScheduledMethodRunnable.runInternal(ScheduledMethodRunnable.java:130) ~[spring-context-6.1.1.jar:6.1.1]
    at org.springframework.scheduling.support.ScheduledMethodRunnable.lambda$run$2(ScheduledMethodRunnable.java:124) ~[spring-context-6.1.1.jar:6.1.1]
    at io.micrometer.observation.Observation.observe(Observation.java:499) ~[micrometer-observation-1.12.0.jar:1.12.0]
    at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:124) ~[spring-context-6.1.1.jar:6.1.1]
    at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-6.1.1.jar:6.1.1]
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) ~[na:na]
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) ~[na:na]
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[na:na]
    at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
    at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396) ~[na:na]
    at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2096) ~[na:na]
    at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:180) ~[kafka-clients-3.6.0.jar:na]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.createTopicAndPartitions(KafkaTopicProvisioner.java:413) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.createTopicIfNecessary(KafkaTopicProvisioner.java:387) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    at org.springframework.cloud.stream.binder.kafka.provisioning.KafkaTopicProvisioner.createTopic(KafkaTopicProvisioner.java:364) ~[spring-cloud-stream-binder-kafka-core-4.1.0.jar:4.1.0]
    ... 27 common frames omitted
Caused by: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[na:na]
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[na:na]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[na:na]
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277) ~[na:na]
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264) ~[na:na]
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) ~[na:na]
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209) ~[na:na]
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:435) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:523) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:373) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:293) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:571) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1381) ~[kafka-clients-3.6.0.jar:na]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1312) ~[kafka-clients-3.6.0.jar:na]
    at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
    at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[na:na]
    ... 19 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) ~[na:na]
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127) ~[na:na]
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
    ... 24 common frames omitted

7gcisfzg

7gcisfzg1#

我已将证书导入到cacrypt密钥存储中。
因此,我将假定Java Java Runtime Environment(JRE)的默认信任库,通常位于<JAVA_HOME>/lib/security/cacerts
通过“证书”,我还将假设受信任的CA的证书-证书颁发机构-验证Kafka代理使用的证书。因为如果这些证书不是CA,那只能意味着您的代理使用自签名证书。
如果您使用的是默认的Java cacetkeystore,并且它位于其标准位置(<JAVA_HOME>/lib/security/cacerts),则通常不需要使用Kafka Binder PropertiescertificateStoreDirectory属性。Kafka Binder应该使用默认的信任库。
首先检查您的Sping Boot 项目是否尚未在Kafka客户端中包含SSL配置。
它可能会覆盖默认的cacerts(您导入证书、CA或自签名的位置)。
在Sping Boot 项目中,查找application.ymlapplication.properties。该文件通常位于src/main/resources目录中。如果您有特定于环境的配置文件,它们可能会被命名为application-dev.ymlapplication-prod.yml等。根据您使用的是YAML(application.yml)还是properties format(application.properties),配置会略有不同。
对于application.yml,Kafka SSL配置如下所示:

spring:
   kafka:
      producer:
      bootstrap-servers: localhost:9092
      key-serializer: org.apache.kafka.common.serialization.StringSerializer
      value-serializer: org.apache.kafka.common.serialization.StringSerializer
      ssl:
         truststore:
            location: /path/to/your/truststore.jks
            password: truststorepassword
            alias: my-kafka-broker

字符串
对于application.properties,它将是:

spring.kafka.producer.bootstrap-servers=localhost:9092
spring.kafka.producer.key-serializer=org.apache.kafka.common.serialization.StringSerializer
spring.kafka.producer.value-serializer=org.apache.kafka.common.serialization.StringSerializer
spring.kafka.producer.ssl.truststore.location=/path/to/your/truststore.jks
spring.kafka.producer.ssl.truststore.password=truststorepassword
spring.kafka.producer.ssl.truststore.alias=my-kafka-broker
# or
spring.cloud.stream.kafka.binder.certificateStoreDirectory=/path/to/your/truststore.jks


但如果您的配置中没有任何SSL设置,则可以检查cacerts密钥库:
keytool -list -v -keystore <JAVA_HOME>/lib/security/cacerts -storepass changeit
查找与您的Kafka broker的身份匹配的别名或主题。主题通常包含CN(公共名称),可能是broker的主机名。
第一步是检查您的cacerts是否包含用于签署代理证书的CA证书。
检查Kafka经纪人使用的证书,包括:

# Save the certificate
echo -n | openssl s_client -connect kafka-broker-host:kafka-broker-port -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > kafka-broker-cert.pem

# Check if the certificate is self-signed
openssl verify -CAfile kafka-broker-cert.pem kafka-broker-cert.pem


如果证书是自签名的,openssl verify将返回类似kafka-broker-cert.pem: OK的结果。
这意味着证书本身应该导入到cacerts信任库中。

相关问题