Strimzi
ssl handshake error on 9093 port number in strimzi kafka #4752
Replies: 1 comment 16 replies
-
|
It is quite hard to read the Kafka custom resource without proper formatting as I do not know the indentation, structure etc. So hard to say if it is correct or not or how does it look like. |
Beta Was this translation helpful? Give feedback.
-
|
sorry sir, i didn't create create those certificates which i got from senior employee and also i am a fresher. But i can provide some information why the handshake issue is coming. Please have a look below
please let me know what are these issues |
Beta Was this translation helpful? Give feedback.
-
|
Sorry, you would really need to share the full log as a text file. It someone else created the certificate then your truststore would not match the server one. The client cannot have any certificates. It needs to have the right certiicate. the truststore in your client needs to match the server cert in the broker. And the keystore in your client needs to match the Clistens CA in the broker. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
You have it either badly configured or the log is still not complete. Normally on the beginning it should log the content of the keystore and truststore. If it doesn't, it is probably somehow badly configured. |
Beta Was this translation helpful? Give feedback.
-
|
But as I said before. It looks like your keystore is not signed by the Clients CA. Did you use the KafkaUser custom resource to create it as I mentioned before? |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
kafka.yaml
Source: kafka/templates/kafka-persistent.yaml
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
name: kafka
namespace: default
labels:
helm.sh/chart: kafka-1.0
app.kubernetes.io/name: kafka
app.kubernetes.io/instance: kafka
app.kubernetes.io/version: "1.0"
app.kubernetes.io/managed-by: Helm
spec:
kafka:
version: 2.6.0
replicas: 3
template:
pod:
securityContext:
runAsUser: 0
listeners:
- name: plain
port: 9092
type: internal
tls: false
- name: tls
port: 9093
type: internal
tls: true
authentication:
type: tls
configuration:
brokerCertChainAndKey:
secretName: kafka-secret
certificate: my_key_store_1615469373.crt
key: my_store_1615469373.key
#~ certificate: my_key_store.crt
#~ key: my_store.key
- name: external
type: nodeport
tls: false
port: 9094
configuration:
brokers:
- broker: 0
advertisedHost: 192.168.105.19
advertisedPort: 32000
- broker: 1
advertisedHost: 192.168.105.19
advertisedPort: 32001
- broker: 2
advertisedHost: 192.168.105.19
advertisedPort: 32002
- name: externalssl
port: 9095
type: nodeport
tls: true
authentication:
type: tls
configuration:
brokerCertChainAndKey:
secretName: kafka-secret
certificate: my_key_store_1615469373.crt
key: my_store_1615469373.key
#~ certificate: my_key_store.crt
#~ key: my_store.key
brokers:
- broker: 0
advertisedHost: 192.168.105.19
advertisedPort: 32100
- broker: 1
advertisedHost: 192.168.105.19
advertisedPort: 32101
- broker: 2
advertisedHost: 192.168.105.19
advertisedPort: 32102
#~ external:
#~ type: nodeport
#~ tls: false
#~ overrides:
#~ brokers:
#~ - broker: 0
#~ advertisedHost: 192.168.105.19
#~ advertisedPort: 32000
#~ - broker: 1
#~ advertisedHost: 192.168.105.19
#~ advertisedPort: 32001
#~ - broker: 2
#~ advertisedHost: 192.168.105.19
#~ advertisedPort: 32002
#~ plain:
#~ name: plain
#~ port: 9092
#~ type: internal
#~ tls: false
#~ tls:
#~ name: tls
#~ port: 9093
#~ type: internal
#~ tls: true
#~ authentication:
#~ type: tls
#~ configuration:
#~ brokerCertChainAndKey:
#~ secretName: kafka-secret
#~ certificate: my_key_store_1615469373.crt
#~ key: my_store_1615469373.key
config:
offsets.topic.replication.factor: 1
transaction.state.log.replication.factor: 1
transaction.state.log.min.isr: 1
log.message.format.version: "2.6"
default.replication.factor: 3
default.log.retention.ms: 2.88e+07
num.partitions: 6
#~ ssl.cipher.suites: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
ssl.enabled.protocols: "TLSv1.2"
ssl.protocol: "TLSv1.2"
ssl.endpoint.identification.algorithm: ""
ssl.key.password: "kafka123"
client.user: "user"
client.password: "kafka123"
inter.broker.listener.name: "PLAIN-9092"
storage:
type: ephemeral
zookeeper:
replicas: 3
template:
pod:
securityContext:
runAsUser: 0
storage:
type: ephemeral
#~ config:
#~ ssl.cipher.suites: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
#~ ssl.enabled.protocols: "TLSv1.2"
#~ ssl.protocol: "TLSv1.2"
#~ ssl.endpoint.identification.algorithm: ""
entityOperator:
topicOperator: {}
userOperator: {}
clietn-ssl.properties
security.protocol=SSL
ssl.truststore.type=PKCS12
ssl.truststore.location=/tmp/kafka/kafka.truststore.jks
ssl.truststore.password=kafka123
ssl.enabled.protocols=TLSv1.2
ssl.endpoint.identification.algorithm=
i am getting error
can you help me for this issue
Beta Was this translation helpful? Give feedback.
All reactions