Authentication error and SSL handshake issue #6933

ananthk01 · 2022-06-13T17:21:54Z

ananthk01
Jun 13, 2022

We are having issues with AdminClient, Producer and Consumer connecting to kafka using ssl/9093. This has been a recent development. For certificate handling, we do not do anything special. The strimzi kafka-cluster-ca-cert secret is loaded into the pods truststore and is maintained as part of the respective client configs.

Operator version: 0.27.1
Kafka version: 3.0
Spring boot version: 2.6.x

In the kafka artifact I see that the certificate contents is the same as the one loaded on to the pods. Following is pulled from Lens.

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"kafka.strimzi.io/v1beta2","kind":"Kafka","metadata":{"annotations":{},"name":"kafka","namespace":"kafka"},"spec":{"entityOperator":{"topicOperator":{},"userOperator":{}},"kafka":{"config":{"auto.create.topics.enable":false,"default.replication.factor":3,"log.message.format.version":"3.0","log.retention.hours":360,"message.max.bytes":5242880,"min.insync.replicas":2,"offsets.topic.replication.factor":3,"ssl.endpoint.identification.algorithm":"","transaction.state.log.min.isr":2,"transaction.state.log.replication.factor":3},"listeners":[{"name":"plain","port":9092,"tls":false,"type":"internal"},{"authentication":{"type":"tls"},"name":"tls","port":9093,"tls":true,"type":"internal"}],"metricsConfig":{"type":"jmxPrometheusExporter","valueFrom":{"configMapKeyRef":{"key":"kafka-metrics-config.yaml","name":"kafka-metrics"}}},"rack":{"topologyKey":"topology.kubernetes.io/zone"},"replicas":3,"resources":{"requests":{"cpu":"1.0","memory":"4Gi"}},"storage":{"type":"jbod","volumes":[{"deleteClaim":false,"id":0,"size":"120Gi","type":"persistent-claim"}]},"version":"3.0.0"},"kafkaExporter":{"groupRegex":".*","resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"200m","memory":"64Mi"}},"topicRegex":".*"},"zookeeper":{"metricsConfig":{"type":"jmxPrometheusExporter","valueFrom":{"configMapKeyRef":{"key":"zookeeper-metrics-config.yaml","name":"kafka-metrics"}}},"replicas":3,"resources":{"requests":{"cpu":0.2,"memory":"512M"}},"storage":{"deleteClaim":false,"size":"100Gi","type":"persistent-claim"}}}}
  creationTimestamp: '2022-05-19T19:39:41Z'
  generation: 24
  managedFields:
    - apiVersion: kafka.strimzi.io/v1beta2
      fieldsType: FieldsV1
      fieldsV1:
        f:spec:
          f:kafka:
            f:storage:
              f:volumes: {}
          f:zookeeper:
            f:resources:
              f:requests:
                f:cpu: {}
        f:status:
          f:clusterId: {}
          f:conditions: {}
          f:listeners: {}
          f:observedGeneration: {}
      manager: okhttp
      operation: Update
      time: '2022-06-09T12:13:35Z'
    - apiVersion: kafka.strimzi.io/v1beta2
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:spec:
          .: {}
          f:entityOperator:
            .: {}
            f:topicOperator: {}
            f:userOperator: {}
          f:kafka:
            .: {}
            f:config:
              .: {}
              f:auto.create.topics.enable: {}
              f:default.replication.factor: {}
              f:log.message.format.version: {}
              f:log.retention.hours: {}
              f:message.max.bytes: {}
              f:min.insync.replicas: {}
              f:offsets.topic.replication.factor: {}
              f:ssl.endpoint.identification.algorithm: {}
              f:transaction.state.log.min.isr: {}
              f:transaction.state.log.replication.factor: {}
            f:listeners: {}
            f:metricsConfig:
              .: {}
              f:type: {}
              f:valueFrom:
                .: {}
                f:configMapKeyRef:
                  .: {}
                  f:key: {}
                  f:name: {}
            f:rack:
              .: {}
              f:topologyKey: {}
            f:replicas: {}
            f:resources:
              .: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:storage:
              .: {}
              f:type: {}
            f:version: {}
          f:kafkaExporter:
            .: {}
            f:resources:
              .: {}
              f:limits:
                .: {}
                f:cpu: {}
                f:memory: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
          f:zookeeper:
            .: {}
            f:metricsConfig:
              .: {}
              f:type: {}
              f:valueFrom:
                .: {}
                f:configMapKeyRef:
                  .: {}
                  f:key: {}
                  f:name: {}
            f:replicas: {}
            f:resources:
              .: {}
              f:requests:
                .: {}
                f:memory: {}
            f:storage:
              .: {}
              f:size: {}
              f:type: {}
      manager: kubectl-client-side-apply
      operation: Update
      time: '2022-06-13T15:58:04Z'
  name: kafka
  namespace: kafka
  resourceVersion: '1036285532'
  uid: a7d9d1ad-af1a-4a01-a990-e4bff249377a
  selfLink: /apis/kafka.strimzi.io/v1beta2/namespaces/kafka/kafkas/kafka
status:
  clusterId: JqYGrPWQSw-9LMsxIfuzSw
  conditions:
    - lastTransitionTime: '2022-06-13T16:02:11.418Z'
      status: 'True'
      type: Ready
  listeners:
    - addresses:
        - host: kafka-kafka-bootstrap.kafka.svc
          port: 9092
      bootstrapServers: kafka-kafka-bootstrap.kafka.svc:9092
      type: plain
    - addresses:
        - host: kafka-kafka-bootstrap.kafka.svc
          port: 9093
      bootstrapServers: kafka-kafka-bootstrap.kafka.svc:9093
      certificates:
        - |
          -----BEGIN CERTIFICATE-----
          <CERT_CONTENTS_REMOVED>
          -----END CERTIFICATE-----
      type: tls
  observedGeneration: 24
spec:
  entityOperator:
    topicOperator: {}
    userOperator: {}
  kafka:
    config:
      auto.create.topics.enable: false
      default.replication.factor: 3
      log.message.format.version: '3.0'
      log.retention.hours: 360
      message.max.bytes: 5242880
      min.insync.replicas: 2
      offsets.topic.replication.factor: 3
      ssl.endpoint.identification.algorithm: ''
      transaction.state.log.min.isr: 2
      transaction.state.log.replication.factor: 3
    listeners:
      - name: plain
        port: 9092
        tls: false
        type: internal
      - authentication:
          type: tls
        name: tls
        port: 9093
        tls: true
        type: internal
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          key: kafka-metrics-config.yaml
          name: kafka-metrics
    rack:
      topologyKey: topology.kubernetes.io/zone
    replicas: 3
    resources:
      requests:
        cpu: '1.0'
        memory: 4Gi
    storage:
      type: jbod
      volumes:
        - deleteClaim: false
          id: 0
          size: 120Gi
          type: persistent-claim
    version: 3.0.0
  kafkaExporter:
    groupRegex: .*
    resources:
      limits:
        cpu: 500m
        memory: 128Mi
      requests:
        cpu: 200m
        memory: 64Mi
    topicRegex: .*
  zookeeper:
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          key: zookeeper-metrics-config.yaml
          name: kafka-metrics
    replicas: 3
    resources:
      requests:
        cpu: 0.2
        memory: 512M
    storage:
      deleteClaim: false
      size: 100Gi
      type: persistent-claim

Actual kafka.yaml.

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: kafka
  namespace: kafka
spec:
  kafka:
    version: 3.0.0
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      log.message.format.version: "3.0"
      message.max.bytes: 5242880
      log.retention.hours: 360
      default.replication.factor: 3
      min.insync.replicas: 2
      auto.create.topics.enable: false
      ssl.endpoint.identification.algorithm: ""
    resources:
      requests:
        cpu: "1.0"
        memory: 4Gi
    rack:
      topologyKey: topology.kubernetes.io/zone
    storage:
      type: jbod
      volumes:
      - id: 0
        type: persistent-claim
        size: 120Gi
        deleteClaim: false       
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          name: kafka-metrics
          key: kafka-metrics-config.yaml
  zookeeper:
    replicas: 3
    resources:
      requests:
        cpu: 0.2
        memory: 512M
    storage:
      type: persistent-claim
      size: 100Gi
      deleteClaim: false
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          name: kafka-metrics
          key: zookeeper-metrics-config.yaml
  kafkaExporter:
    topicRegex: ".*"
    groupRegex: ".*"
    resources:
      requests:
        cpu: 200m
        memory: 64Mi
      limits:
        cpu: 500m
        memory: 128Mi
  entityOperator:
    topicOperator: {}
    userOperator: {}

The listeners sections was configured in the following 2 ways,

- name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls

Broker:

STRIMZI_BROKER_ID=1
Preparing truststore for replication listener
Adding /opt/kafka/cluster-ca-certs/ca.crt to truststore /tmp/kafka/cluster.truststore.p12 with alias ca
Certificate was added to keystore
Preparing truststore for replication listener is complete
Looking for the right CA
Found the right CA: /opt/kafka/cluster-ca-certs/ca.crt
Preparing keystore for replication and clienttls listener
Preparing keystore for replication and clienttls listener is complete
Preparing truststore for client authentication
Adding /opt/kafka/client-ca-certs/ca.crt to truststore /tmp/kafka/clients.truststore.p12 with alias ca
Certificate was added to keystore
Preparing truststore for client authentication is complete
Starting Kafka with configuration:
##############################
##############################
# This file is automatically generated by the Strimzi Cluster Operator
# Any changes to this file will be ignored and overwritten!
##############################
##############################

##########
# Broker ID
##########
broker.id=1

##########
# Rack ID
##########
broker.rack=us-west-2c

##########
# Zookeeper
##########
zookeeper.connect=kafka-zookeeper-client:2181
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.client.enable=true
zookeeper.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
zookeeper.ssl.keystore.password=[hidden]
zookeeper.ssl.keystore.type=PKCS12
zookeeper.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12
zookeeper.ssl.truststore.password=[hidden]
zookeeper.ssl.truststore.type=PKCS12

##########
# Kafka message logs configuration
##########
log.dirs=/var/lib/kafka/data-0/kafka-log1

##########
# Control Plane listener
##########
listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
listener.name.controlplane-9090.ssl.keystore.password=[hidden]
listener.name.controlplane-9090.ssl.keystore.type=PKCS12
listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12
listener.name.controlplane-9090.ssl.truststore.password=[hidden]
listener.name.controlplane-9090.ssl.truststore.type=PKCS12
listener.name.controlplane-9090.ssl.client.auth=required

##########
# Replication listener
##########
listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
listener.name.replication-9091.ssl.keystore.password=[hidden]
listener.name.replication-9091.ssl.keystore.type=PKCS12
listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12
listener.name.replication-9091.ssl.truststore.password=[hidden]
listener.name.replication-9091.ssl.truststore.type=PKCS12
listener.name.replication-9091.ssl.client.auth=required

##########
# Listener configuration: PLAIN-9092
##########

##########
# Listener configuration: TLS-9093
##########
listener.name.tls-9093.ssl.client.auth=required
listener.name.tls-9093.ssl.truststore.location=/tmp/kafka/clients.truststore.p12
listener.name.tls-9093.ssl.truststore.password=[hidden]
listener.name.tls-9093.ssl.truststore.type=PKCS12

listener.name.tls-9093.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
listener.name.tls-9093.ssl.keystore.password=[hidden]
listener.name.tls-9093.ssl.keystore.type=PKCS12


##########
# Common listener configuration
##########
listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092,TLS-9093://0.0.0.0:9093
advertised.listeners=CONTROLPLANE-9090://kafka-kafka-1.kafka-kafka-brokers.kafka.svc:9090,REPLICATION-9091://kafka-kafka-1.kafka-kafka-brokers.kafka.svc:9091,PLAIN-9092://kafka-kafka-1.kafka-kafka-brokers.kafka.svc:9092,TLS-9093://kafka-kafka-1.kafka-kafka-brokers.kafka.svc:9093
listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,PLAIN-9092:PLAINTEXT,TLS-9093:SSL
control.plane.listener.name=CONTROLPLANE-9090
inter.broker.listener.name=REPLICATION-9091
sasl.enabled.mechanisms=
ssl.secure.random.implementation=SHA1PRNG
ssl.endpoint.identification.algorithm=HTTPS

##########
# User provided configuration
##########
auto.create.topics.enable=false
default.replication.factor=3
log.message.format.version=3.0
log.retention.hours=360
message.max.bytes=5242880
min.insync.replicas=2
offsets.topic.replication.factor=3
transaction.state.log.min.isr=2
transaction.state.log.replication.factor=3
inter.broker.protocol.version=3.0
+ exec /usr/bin/tini -w -e 143 -- /opt/kafka/bin/kafka-server-start.sh /tmp/strimzi.properties

AdminClient config;

main  INFO  - [ r= t= u= ] - Updating certificate from operator...
main  INFO  - [ r= t= u= ] - trust store file does not exist.. will be created..
main  INFO  - [ r= t= u= ] - Certificate updated.
main  INFO  - [ r= t= u= ] - AdminClientConfig values:
	bootstrap.servers = [kafka-kafka-bootstrap.kafka.svc.cluster.local:9093]
	client.dns.lookup = default
	client.id =
	connections.max.idle.ms = 300000
	default.api.timeout.ms = 60000
	metadata.max.age.ms = 300000
	metric.reporters = []
	metrics.num.samples = 2
	metrics.recording.level = INFO
	metrics.sample.window.ms = 30000
	receive.buffer.bytes = 65536
	reconnect.backoff.max.ms = 1000
	reconnect.backoff.ms = 50
	request.timeout.ms = 30000
	retries = 2147483647
	retry.backoff.ms = 100
	sasl.client.callback.handler.class = null
	sasl.jaas.config = null
	sasl.kerberos.kinit.cmd = /usr/bin/kinit
	sasl.kerberos.min.time.before.relogin = 60000
	sasl.kerberos.service.name = null
	sasl.kerberos.ticket.renew.jitter = 0.05
	sasl.kerberos.ticket.renew.window.factor = 0.8
	sasl.login.callback.handler.class = null
	sasl.login.class = null
	sasl.login.refresh.buffer.seconds = 300
	sasl.login.refresh.min.period.seconds = 60
	sasl.login.refresh.window.factor = 0.8
	sasl.login.refresh.window.jitter = 0.05
	sasl.mechanism = GSSAPI
	security.protocol = ssl
	security.providers = null
	send.buffer.bytes = 131072
	ssl.cipher.suites = null
	ssl.enabled.protocols = [TLSv1.2]
	ssl.endpoint.identification.algorithm = https
	ssl.key.password = null
	ssl.keymanager.algorithm = SunX509
	ssl.keystore.location = null
	ssl.keystore.password = null
	ssl.keystore.type = JKS
	ssl.protocol = TLSv1.2
	ssl.provider = null
	ssl.secure.random.implementation = null
	ssl.trustmanager.algorithm = PKIX
	ssl.truststore.location = /tmp/event-monitoring-service/truststore.p12
	ssl.truststore.password = [hidden]
	ssl.truststore.type = PKCS12

main  WARN  - [ r= t= u= ] - The configuration 'ssl.truststore.location' was supplied but isn't a known config.
main  WARN  - [ r= t= u= ] - The configuration 'ssl.truststore.password' was supplied but isn't a known config.
main  WARN  - [ r= t= u= ] - The configuration 'ssl.truststore.type' was supplied but isn't a known config.
main  INFO  - [ r= t= u= ] - Kafka version: 2.5.0

Error:

kafka-admin-client-thread | adminclient-1  INFO  - [ r= t= u= ] - [AdminClient clientId=adminclient-1] Failed authentication with kafka-kafka-bootstrap.kafka.svc.cluster.local/10.100.154.142 (SSL handshake failed)
kafka-admin-client-thread | adminclient-1 ERROR  - [ r= t= u= ] - [AdminClient clientId=adminclient-1] Connection to node -1 (kafka-kafka-bootstrap.kafka.svc.cluster.local/10.100.154.142:9093) failed authentication due to: SSL handshake failed
kafka-admin-client-thread | adminclient-1  WARN  - [ r= t= u= ] - [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake message: server_hello
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:339)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:286)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:437)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:425)
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:509)
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:363)
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:286)
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:174)
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
	at org.apache.kafka.common.network.Selector.poll(Selector.java:485)
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:549)
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1272)
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1203)
	at java.base/java.lang.Thread.run(Thread.java:829)

- name: tls
        port: 9093
        type: internal
        tls: true

Broker properties:

STRIMZI_BROKER_ID=0
Preparing truststore for replication listener
Adding /opt/kafka/cluster-ca-certs/ca.crt to truststore /tmp/kafka/cluster.truststore.p12 with alias ca
Certificate was added to keystore
Preparing truststore for replication listener is complete
Looking for the right CA
Found the right CA: /opt/kafka/cluster-ca-certs/ca.crt
Preparing keystore for replication and clienttls listener
Preparing keystore for replication and clienttls listener is complete
Preparing truststore for client authentication
Adding /opt/kafka/client-ca-certs/ca.crt to truststore /tmp/kafka/clients.truststore.p12 with alias ca
Certificate was added to keystore
Preparing truststore for client authentication is complete
Starting Kafka with configuration:
##############################
##############################
# This file is automatically generated by the Strimzi Cluster Operator
# Any changes to this file will be ignored and overwritten!
##############################
##############################

##########
# Broker ID
##########
broker.id=0

##########
# Rack ID
##########
broker.rack=us-west-2b

##########
# Zookeeper
##########
zookeeper.connect=kafka-zookeeper-client:2181
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.client.enable=true
zookeeper.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
zookeeper.ssl.keystore.password=[hidden]
zookeeper.ssl.keystore.type=PKCS12
zookeeper.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12
zookeeper.ssl.truststore.password=[hidden]
zookeeper.ssl.truststore.type=PKCS12

##########
# Kafka message logs configuration
##########
log.dirs=/var/lib/kafka/data-0/kafka-log0

##########
# Control Plane listener
##########
listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
listener.name.controlplane-9090.ssl.keystore.password=[hidden]
listener.name.controlplane-9090.ssl.keystore.type=PKCS12
listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12
listener.name.controlplane-9090.ssl.truststore.password=[hidden]
listener.name.controlplane-9090.ssl.truststore.type=PKCS12
listener.name.controlplane-9090.ssl.client.auth=required

##########
# Replication listener
##########
listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
listener.name.replication-9091.ssl.keystore.password=[hidden]
listener.name.replication-9091.ssl.keystore.type=PKCS12
listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12
listener.name.replication-9091.ssl.truststore.password=[hidden]
listener.name.replication-9091.ssl.truststore.type=PKCS12
listener.name.replication-9091.ssl.client.auth=required

##########
# Listener configuration: PLAIN-9092
##########

##########
# Listener configuration: TLS-9093
##########
listener.name.tls-9093.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
listener.name.tls-9093.ssl.keystore.password=[hidden]
listener.name.tls-9093.ssl.keystore.type=PKCS12


##########
# Common listener configuration
##########
listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092,TLS-9093://0.0.0.0:9093
advertised.listeners=CONTROLPLANE-9090://kafka-kafka-0.kafka-kafka-brokers.kafka.svc:9090,REPLICATION-9091://kafka-kafka-0.kafka-kafka-brokers.kafka.svc:9091,PLAIN-9092://kafka-kafka-0.kafka-kafka-brokers.kafka.svc:9092,TLS-9093://kafka-kafka-0.kafka-kafka-brokers.kafka.svc:9093
listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,PLAIN-9092:PLAINTEXT,TLS-9093:SSL
control.plane.listener.name=CONTROLPLANE-9090
inter.broker.listener.name=REPLICATION-9091
sasl.enabled.mechanisms=
ssl.secure.random.implementation=SHA1PRNG
ssl.endpoint.identification.algorithm=HTTPS

##########
# User provided configuration
##########
auto.create.topics.enable=false
default.replication.factor=3
log.message.format.version=3.0
log.retention.hours=360
message.max.bytes=5242880
min.insync.replicas=2
offsets.topic.replication.factor=3
transaction.state.log.min.isr=2
transaction.state.log.replication.factor=3
inter.broker.protocol.version=3.0
+ exec /usr/bin/tini -w -e 143 -- /opt/kafka/bin/kafka-server-start.sh /tmp/strimzi.properties

AdminClient:

main  INFO  - [ r= t= u= ] - Updating certificate from operator...
main  INFO  - [ r= t= u= ] - trust store file does not exist.. will be created..
main  INFO  - [ r= t= u= ] - Certificate updated.
main  INFO  - [ r= t= u= ] - AdminClientConfig values:
	bootstrap.servers = [kafka-kafka-bootstrap.kafka.svc.cluster.local:9093]
	client.dns.lookup = default
	client.id =
	connections.max.idle.ms = 300000
	default.api.timeout.ms = 60000
	metadata.max.age.ms = 300000
	metric.reporters = []
	metrics.num.samples = 2
	metrics.recording.level = INFO
	metrics.sample.window.ms = 30000
	receive.buffer.bytes = 65536
	reconnect.backoff.max.ms = 1000
	reconnect.backoff.ms = 50
	request.timeout.ms = 30000
	retries = 2147483647
	retry.backoff.ms = 100
	sasl.client.callback.handler.class = null
	sasl.jaas.config = null
	sasl.kerberos.kinit.cmd = /usr/bin/kinit
	sasl.kerberos.min.time.before.relogin = 60000
	sasl.kerberos.service.name = null
	sasl.kerberos.ticket.renew.jitter = 0.05
	sasl.kerberos.ticket.renew.window.factor = 0.8
	sasl.login.callback.handler.class = null
	sasl.login.class = null
	sasl.login.refresh.buffer.seconds = 300
	sasl.login.refresh.min.period.seconds = 60
	sasl.login.refresh.window.factor = 0.8
	sasl.login.refresh.window.jitter = 0.05
	sasl.mechanism = GSSAPI
	security.protocol = ssl
	security.providers = null
	send.buffer.bytes = 131072
	ssl.cipher.suites = null
	ssl.enabled.protocols = [TLSv1.2]
	ssl.endpoint.identification.algorithm = https
	ssl.key.password = null
	ssl.keymanager.algorithm = SunX509
	ssl.keystore.location = null
	ssl.keystore.password = null
	ssl.keystore.type = JKS
	ssl.protocol = TLSv1.2
	ssl.provider = null
	ssl.secure.random.implementation = null
	ssl.trustmanager.algorithm = PKIX
	ssl.truststore.location = /tmp/event-monitoring-service/truststore.p12
	ssl.truststore.password = [hidden]
	ssl.truststore.type = PKCS12

main  WARN  - [ r= t= u= ] - The configuration 'ssl.truststore.location' was supplied but isn't a known config.
main  WARN  - [ r= t= u= ] - The configuration 'ssl.truststore.password' was supplied but isn't a known config.
main  WARN  - [ r= t= u= ] - The configuration 'ssl.truststore.type' was supplied but isn't a known config.
main  INFO  - [ r= t= u= ] - Kafka version: 2.5.0

Error:

kafka-admin-client-thread | adminclient-1  WARN  - [ r= t= u= ] - [AdminClient clientId=adminclient-1] Connection to node 0 (kafka-kafka-0.kafka-kafka-brokers.kafka.svc/192.168.86.244:9093) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue.
kafka-admin-client-thread | adminclient-1  WARN  - [ r= t= u= ] - [AdminClient clientId=adminclient-1] Connection to node 2 (kafka-kafka-2.kafka-kafka-brokers.kafka.svc/192.168.60.247:9093) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue.

What was tried:

It was suggested to set one of the broker configs, ssl.endpoint.identification.algorithm as empty. This property is not accepted by the operator. Log seen below.

WARN  AbstractConfiguration:137 - Reconciliation #14823(watch) Kafka(kafka/kafka): Configuration option "ssl.endpoint.identification.algorithm" is forbidden and will be ignored

Kafka client version in use is 2.5 in this example. 3.0 was tried as well.

Creating a custom certificate with SAN maintained (bootstrap and brokers full name) seems to work but this is a workaround and doesn't take away from the fact that what seems to have worked before has broken.

Can you please advise on

whether certificate handling has changed? Do we need to have SAN maintained in a custom certificate for this to work?
config properties have to be maintained differently?

scholzj · 2022-06-13T17:57:02Z

scholzj
Jun 13, 2022
Maintainer

ssl.endpoint.identification.algorithm is a client property. You can set it in the Admin API configuration. But I do not see anything suggesting this is an issue.
In the first case, when you have
```
       authentication:
        type: tls
```
in the listener configuration, your Admin APi client does not have any keystore configuration. So you will need to create a user and configure the keystore if you want to have authentication.
The second error is not clear what the problem is. The error message normally suggests that one side communicates with TLS and other one doesn't.

7 replies

ananthk01 Jun 13, 2022
Author

I am aware of strimzi not supporting isto. I have had this setup with kafka running without istio and my pods running with istio container and the DR disabling Tls when pods are connecting to kafka. That was working. I am seeking for advise on how to make that connection again since something has broken along the way.

Outside of istio, do you see any issue with using the kafka-cluster-ca-cert in the pod truststore and applying that to the client properties that way it has been done?

scholzj Jun 13, 2022
Maintainer

Well, anything around the Cluster CA would normally show different errors.

ananthk01 Jun 14, 2022
Author

I see. Okay.

Does this offer any clues?

javax.net.ssl|ALL|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.445 GMT|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|WARNING|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.447 GMT|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data
javax.net.ssl|INFO|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.485 GMT|AlpnExtension.java:178|No available application protocols
javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.485 GMT|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.485 GMT|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.486 GMT|ClientHello.java:642|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "E3 37 C7 E5 A8 42 B6 76 22 13 06 A4 DA 17 7E 6C 66 FA A8 54 D9 F5 F4 B8 31 D0 E4 DD 36 27 CB F9",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=kafka-kafka-2.kafka-kafka-brokers.kafka.svc
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
  ]
}
)
javax.net.ssl|ALL|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.508 GMT|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|WARNING|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.509 GMT|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data
kafka-admin-client-thread | adminclient-1  WARN  - [ r= t= u= ] - [AdminClient clientId=adminclient-1] Connection to node 2 (kafka-kafka-2.kafka-kafka-brokers.kafka.svc/<IP>:9093) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue.
javax.net.ssl|INFO|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.545 GMT|AlpnExtension.java:178|No available application protocols
javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.545 GMT|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.545 GMT|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.546 GMT|ClientHello.java:642|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "31 42 1A E0 82 03 32 2D EC BF 33 D0 72 97 6D 97 AE 8A FC 79 40 83 ED 4B 08 B0 39 92 46 74 6C B2",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=kafka-kafka-0.kafka-kafka-brokers.kafka.svc
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
  ]
}
)
javax.net.ssl|ALL|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.560 GMT|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|WARNING|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 21:01:28.590 GMT|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data

Earlier in the logs, I saw this happen.

javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 20:56:27.740 GMT|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "0A CF FD 15 FB B5 21 49 FC 47 18 7D 2A B1 A4 C3 E1 9B C6 BA",
    "signature algorithm": "SHA512withRSA",
    "issuer"             : "CN=cluster-ca v0, O=io.strimzi",
    "not before"         : "2022-05-19 19:41:09.000 GMT",
    "not  after"         : "2023-05-19 19:41:09.000 GMT",
    "subject"            : "CN=kafka-kafka, O=io.strimzi",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: kafka-kafka-bootstrap.kafka.svc.cluster.local
          DNSName: kafka-kafka-0.kafka-kafka-brokers.kafka.svc
          DNSName: kafka-kafka-brokers
          DNSName: kafka-kafka-brokers.kafka
          DNSName: kafka-kafka-brokers.kafka.svc
          DNSName: kafka-kafka-0.kafka-kafka-brokers.kafka.svc.cluster.local
          DNSName: kafka-kafka-brokers.kafka.svc.cluster.local
          DNSName: kafka-kafka-bootstrap
          DNSName: kafka-kafka-bootstrap.kafka
          DNSName: kafka-kafka-bootstrap.kafka.svc
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "51 F4 74 A8 DF C3 31 B9 DC 43 53 C5 80 BF 3A 90 BB 2A B1 53",
    "signature algorithm": "SHA512withRSA",
    "issuer"             : "CN=cluster-ca v0, O=io.strimzi",
    "not before"         : "2022-05-19 19:39:41.000 GMT",
    "not  after"         : "2023-05-19 19:39:41.000 GMT",
    "subject"            : "CN=cluster-ca v0, O=io.strimzi",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:0
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 79 E7 09 A4 7E 26 7A AC   5F FF 01 B7 F1 79 56 0F  y....&z._....yV.
        0010: 7A 1F EB 9F                                        z...
        ]
        ]
      }
    ]}
]
)
javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 20:56:27.820 GMT|ECDHServerKeyExchange.java:524|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
  "parameters": {
    "named group": "x25519"
    "ecdh public": {
      0000: A9 8C FA 69 F9 09 30 30   F1 C4 1C 77 F6 00 DC E8  ...i..00...w....
      0010: A8 E6 38 48 3F 8C 31 DF   DE E2 C4 B6 09 72 7C 3F  ..8H?.1......r.?
    },
  },
  "digital signature":  {
    "signature algorithm": "rsa_pss_rsae_sha256"
    "signature": {
      0000: 12 E6 E8 C2 B9 76 38 8B   35 D2 E1 F6 13 49 04 2A  .....v8.5....I.*
      0010: 0D AF 19 F3 D1 1B C9 B1   A3 37 15 B0 84 CA 9B E8  .........7......
      0020: 23 05 6B 8F 89 6E 95 08   80 EC 66 4F 16 53 81 D3  #.k..n....fO.S..
      0030: 24 F4 80 34 D5 9C 0E AA   76 41 33 64 CB 8A 61 CA  $..4....vA3d..a.
      0040: 0E 46 1B CB 17 31 EC F6   D1 16 6D CD 3D 98 0B 8A  .F...1....m.=...
      0050: 43 DC 74 DD FC 3B 79 D3   D7 FE 10 76 5B 42 0D BF  C.t..;y....v[B..
      0060: 68 51 2C 5E 66 1C C9 0C   EA 7A C3 4E EE 42 6A 5B  hQ,^f....z.N.Bj[
      0070: 15 25 0A BA 51 35 C6 54   7E F2 EC E7 F4 A7 C5 CE  .%..Q5.T........
      0080: EB 46 4E 14 96 8A 06 8D   8B 43 B9 B2 AA D3 7F 75  .FN......C.....u
      0090: 96 0B C2 F4 D8 F4 28 B1   B6 4D 2C 5C 01 E5 77 B1  ......(..M,\..w.
      00A0: 42 59 DB EB 06 69 42 85   33 55 E4 D1 CE FF 89 89  BY...iB.3U......
      00B0: 39 0F 2D C6 0C 6D 84 9C   7D C7 56 73 F5 72 ED D0  9.-..m....Vs.r..
      00C0: 08 8D 89 AA D7 50 27 AD   E5 F8 C6 A2 BE F8 F4 14  .....P'.........
      00D0: 29 C2 B7 A7 C6 1F E8 80   6A E6 45 5F E6 62 63 F7  ).......j.E_.bc.
      00E0: DA 90 6A CA DC EE 98 27   5A BB 4F 91 C2 16 40 DC  ..j....'Z.O...@.
      00F0: 96 DF 31 14 4A E0 CA E6   18 21 3A 03 83 15 3A BC  ..1.J....!:...:.
    },
  }
}
)
javax.net.ssl|DEBUG|1A|kafka-admin-client-thread | adminclient-1|2022-06-14 20:56:27.821 GMT|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)

scholzj Jun 14, 2022
Maintainer

Not really to be honest. The second part suggests that it connected to the broker and got the right server certificate. But from the snippets it is hard to say if it completed. The first part still suggests the same issue. One of the obvious options is that your mesh is trying to proxy it as a HTTP(S) traffic -> that would cause error like this. But I do not know Istio enough to know how to avoid it and if it is related etc.

ananthk01 Jun 15, 2022
Author

Thank you for your time and input Jakub.

junaid-ali · 2022-08-08T23:06:03Z

junaid-ali
Aug 8, 2022

@ananthk01 have you tried creating a ca-bundle crt of all broker certs and adding that to truststore. For example:

KAFKA_CLUSTER_NAME=<your-kafka-cluster-name>
$ for i in {0..2}; do
   openssl x509 -in <(openssl s_client -connect ${KAFKA_CLUSTER_NAME}-kafka-${i}.${KAFKA_CLUSTER_NAME}-kafka-brokers.kafka.svc:9093 -prexit 2>/dev/null) >> ~/ca-bundle.crt;
done

$ echo "yes" | keytool -import -trustcacerts -file ~/ca-bundle.crt -keystore <your-truststore.jks> -alias ca-bundle

$ cat ~/client.properties
bootstrap.servers=xxxx:9093
security.protocol=SSL
ssl.truststore.location=/path/to/truststore.jks
ssl.truststore.password=pass
ssl.keystore.location=/path/to/user.p12
ssl.keystore.password=pass

$ /kafka-console-producer.sh --broker-list ${KAFKA_BOOTSTRAP_SVC}:9093 --topic ${TOPIC_NAME} --producer.config ~/client.properties

0 replies

srinivasev · 2022-10-19T08:11:40Z

srinivasev
Oct 19, 2022

Hi @ananthk01 ,
You said istio is not supported in Strimzi. I am trying currently to have a side car container for bridge. Facing an issue as below.
strimzi/strimzi-kafka-bridge#672

Can you please help me in understanding of Strimzi not supporting ISTIO ?. This will help me in deciding further actions.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strimzi

Authentication error and SSL handshake issue #6933

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 7 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Strimzi

Authentication error and SSL handshake issue #6933

Uh oh!

ananthk01 Jun 13, 2022

Replies: 3 comments · 7 replies

Uh oh!

scholzj Jun 13, 2022 Maintainer

Uh oh!

ananthk01 Jun 13, 2022 Author

Uh oh!

scholzj Jun 13, 2022 Maintainer

Uh oh!

ananthk01 Jun 14, 2022 Author

Uh oh!

scholzj Jun 14, 2022 Maintainer

Uh oh!

ananthk01 Jun 15, 2022 Author

Uh oh!

junaid-ali Aug 8, 2022

Uh oh!

srinivasev Oct 19, 2022

ananthk01
Jun 13, 2022

Replies: 3 comments 7 replies

scholzj
Jun 13, 2022
Maintainer

ananthk01 Jun 13, 2022
Author

scholzj Jun 13, 2022
Maintainer

ananthk01 Jun 14, 2022
Author

scholzj Jun 14, 2022
Maintainer

ananthk01 Jun 15, 2022
Author

junaid-ali
Aug 8, 2022

srinivasev
Oct 19, 2022