Why does Kafka SSL fail with "Failed to load SSL keystore /usr/local/kafka2.3/server.keystore.jks of type JKS"?

ln posted on: 2019-08-12   last updated: 2019-08-12

Question details

Configuring SSL on kafka2.11, and getting this error:

```
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /usr/local/kafka/server.keystore.jks of type JKS
```

My config/server.properties is as follows:

```
listeners=PLAINTEXT://192.168.8.132:9092,SSL://192.168.8.132:9093

ssl.client.auth=required

ssl.keystore.location=/usr/local/kafka/server.keystore.jks
ssl.keystore.password=luonan
ssl.key.password=luonan
ssl.truststore.location=/usr/local/kafka/server.truststore.jks
ssl.truststore.password=luonan

ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS

security.inter.broker.protocol = SSL
```

```
[root@localhost kafka2.3]# ll /usr/local/kafka/server.keystore.jks
-rw-r--r--. 1 root root 3199 Aug 12 00:14 /usr/local/kafka/server.keystore.jks
```

These files all exist, so what could the reason be?
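Kafka only reports the outer wrapper here: `Failed to load SSL keystore … of type JKS` is thrown around whatever `KeyStore.load()` raised, and the real cause (an `ssl.keystore.password` that does not match the store, a file that is not actually JKS, a truncated or empty file) sits further down in the `Caused by:` chain of server.log. The fastest check is to open the store with the exact password from server.properties, as the user the broker runs as: `keytool -list -keystore /usr/local/kafka/server.keystore.jks -storepass luonan`. The script below is an added example for this thread, not code from Kafka or from the poster's setup. It performs the same integrity check without a JVM: a JKS file ends in a SHA-1 over the store password and the whole file, which is what the JDK verifies at load time. It runs on a keystore it constructs itself (a placeholder stands in for a real DER certificate) so the failure modes can be compared side by side; point `inspect_jks_file` at a real keystore to check it.

```python
"""Offline check of a JKS keystore's integrity password and entry table.

Added example for this thread, not code from Kafka or the poster's setup.
Layout of the JDK's JKS format (what keytool writes by default on JDK 8):

    0xFEEDFEED | version=2 | entry count | entries ... | 20-byte SHA-1

The trailing SHA-1 covers password(UTF-16BE) + "Mighty Aphrodite" + every
byte before the digest. KeyStore.load() recomputes it with the configured
ssl.keystore.password; a mismatch, a truncated file or a non-JKS file all
surface in Kafka as "Failed to load SSL keystore ... of type JKS".
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # constant from sun.security.provider.JavaKeyStore


def _utf(s: str) -> bytes:
    """DataOutput.writeUTF: 2-byte big-endian length, then (modified) UTF-8."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("string runs past end of file")
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _skip_blob(buf: bytes, pos: int) -> int:
    """4-byte length prefix followed by opaque bytes (key blob or DER cert)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("blob runs past end of file")
    return pos + 4 + n


def inspect_jks(data: bytes, password: str) -> dict:
    """What KeyStore.load() would decide about this file and this password."""
    res = {"is_jks": False, "password_ok": False, "entries": [], "error": None}
    if len(data) < 12 + 20:
        res["error"] = "file is empty or truncated (%d bytes)" % len(data)
        return res
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        # a wrong ssl.keystore.type gives the same Kafka error as a wrong password
        hint = "; starts with an ASN.1 SEQUENCE, probably PKCS12" if data[0] == 0x30 else ""
        res["error"] = "not a JKS file (magic 0x%08X)%s" % (magic, hint)
        return res
    res["is_jks"] = True
    if version != 2:
        res["error"] = "unsupported JKS version %d" % version
        return res
    expected = hashlib.sha1(password.encode("utf-16be") + JKS_SALT + data[:-20]).digest()
    res["password_ok"] = expected == data[-20:]
    pos = 12
    try:
        for _ in range(count):
            (tag,) = struct.unpack_from(">I", data, pos)
            alias, pos = _read_utf(data, pos + 4)
            pos += 8  # creation time, milliseconds since the epoch
            if tag == 1:  # PrivateKeyEntry: encrypted key blob + certificate chain
                pos = _skip_blob(data, pos)
                (chain_len,) = struct.unpack_from(">I", data, pos)
                pos += 4
                for _ in range(chain_len):
                    _, pos = _read_utf(data, pos)  # certificate type, "X.509"
                    pos = _skip_blob(data, pos)
                kind = "PrivateKeyEntry"
            elif tag == 2:  # trustedCertEntry: certificate type + DER
                _, pos = _read_utf(data, pos)
                pos = _skip_blob(data, pos)
                kind = "trustedCertEntry"
            else:
                raise ValueError("unknown entry tag %d" % tag)
            res["entries"].append((alias, kind))
    except (struct.error, ValueError, UnicodeDecodeError) as exc:
        res["error"] = "corrupt entry table: %s" % exc
    return res


def inspect_jks_file(path: str, password: str) -> dict:
    with open(path, "rb") as fh:
        return inspect_jks(fh.read(), password)


def build_jks(password: str, trusted: dict) -> bytes:
    """Write a version-2 JKS holding only trustedCertEntry items; used here to
    construct test input. The cert bytes are opaque to the container, so a
    placeholder stands in for real DER."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, 2, len(trusted)))
    for alias, der in trusted.items():
        out += struct.pack(">I", 2) + _utf(alias)
        out += struct.pack(">Q", 1565539200000)  # fixed timestamp (constructed)
        out += _utf("X.509") + struct.pack(">I", len(der)) + der
    out += hashlib.sha1(password.encode("utf-16be") + JKS_SALT + bytes(out)).digest()
    return bytes(out)


def count_pem_certs(text: str) -> int:
    """How many certificates keytool -import would find in a PEM reply file;
    0 is the state behind keytool's "Reply has no certificates"."""
    return text.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # constructed store; "luonan" is the ssl.keystore.password from the post
    store = build_jks("luonan", {"caroot": b"\x30\x03\x02\x01\x00"})
    print(inspect_jks(store, "luonan"))     # password_ok True, one trustedCertEntry
    print(inspect_jks(store, "test1234"))   # same bytes, wrong password
    print(inspect_jks(b"", "luonan"))       # empty file, e.g. left by a failed keytool run
```

On the permissions angle: `-rw-r--r--. root root` is already readable by a broker running as root, so the file mode was never the obstacle, and a `chmod 777` on the keystore leaves the broker's private key world-writable. Once the store loads, set it back to `0600` (or `0640` with the broker's group), and keep the server.properties that carries `ssl.keystore.password` and `ssl.key.password` out of world-readable reach as well.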




  • First check whether there is a permissions problem; the message above only says the load failed.
    Also see: https://www.orchome.com/500

    • Mine is not a Kerberos setup, it is SSL. I have even set /usr/local/kafka/server.keystore.jks to 777, and it still does not work:
      ```
      -rwxrwxrwx. 1 root root 3199 Aug 12 00:14 server.keystore.jks
      -rwxrwxrwx. 1 root root  984 Aug 12 00:11 server.truststore.jks
      -rwxrwxrwx. 1 root root  984 Aug 12 00:12 client.truststore.jks
      ```
      It still reports the same error, Failed to load SSL keystore /usr/local/kafka/server.keystore.jks of type JKS. Have you run into this error before?
        • When running the last step of the key generation I get this error:
          ```
          [root@localhost kafka]# keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
          Enter keystore password:
          keytool error: java.lang.Exception: Reply has no certificates
          ```
          Does this mean there is no signed certificate? Is this error what causes "Failed to load SSL keystore", and if so, how do I fix it? The crypto policy restriction has already been replaced: jce_policy-8 has been swapped in and copied into the JDK:
          ```
          [root@localhost UnlimitedJCEPolicyJDK8]# ls /usr/local/jdk/jre/lib/security/
          blacklist  blacklisted.certs  cacerts  java.policy  java.security  javaws.policy  local_policy.jar  policy  README.txt  trusted.libraries  US_export_policy.jar
          ```
            • When signing the certificate I also get this error:
              ```
              [root@localhost kafka]# openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
              Signature ok
              subject=/C=ln/ST=ln/L=ln/O=ln/OU=ln/CN=ln
              Getting CA Private Key
              unable to load CA Private Key
              140107397314464:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
              140107397314464:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
              140107397314464:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
              140107397314464:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:
              ```
              Since I saw "Signature ok" I did not pay attention to the errors after it. Could this error be the cause?
                • Problem solved! In openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234, the password I gave in pass: was not the one I had used for the keytool -keystore server.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey server.keystore.jks step. The two have to use the same password. Many thanks!
                    • But now there is a new problem:
                      ```
                      [root@localhost bin]# ./kafka-console-producer.sh --broker-list 192.168.8.132:9093 --topic test --producer.config client-ssl.properties
                      >l
                      [2019-08-12 20:20:25,651] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:25,727] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:25,897] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:26,116] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:26,614] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:27,408] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:28,582] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:29,713] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:30,787] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:31,667] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      ^Corg.apache.kafka.common.KafkaException: Producer closed while send in progress
                      	at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:862)
                      	at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:839)
                      	at kafka.tools.ConsoleProducer$.send(ConsoleProducer.scala:75)
                      	at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:57)
                      	at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
                      Caused by: org.apache.kafka.common.KafkaException: Requested metadata update after close
                      	at org.apache.kafka.clients.Metadata.awaitUpdate(Metadata.java:200)
                      	at org.apache.kafka.clients.producer.KafkaProducer.waitOnMetadata(KafkaProducer.java:982)
                      	at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:859)
                      ```
                      My client-ssl.properties looks like this:
                      ```
                      security.protocol=SSL
                      ssl.truststore.location=/usr/local/kafka/client.truststore.jks
                      ssl.truststore.password=123456
                      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
                      ssl.truststore.type = JKS
                      ssl.keystore.type = JKS
                      ```
                      ```
                      [root@localhost bin]# ll /usr/local/kafka/client.truststore.jks
                      -rw-r--r--. 1 root root 984 Aug 12 19:40 /usr/local/kafka/client.truststore.jks
                      ```
                      This client.truststore.jks exists as well. Why does this happen?
                        • ```
                          [root@localhost bin]# ./kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test1 --consumer.config client-ssl.properties
                          [2019-08-13 00:29:40,547] ERROR [Consumer clientId=consumer-1, groupId=console-consumer-43513] Connection to node -1 (localhost/127.0.0.1:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
                          [2019-08-13 00:29:40,549] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
                          org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
                          Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                          	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
                          	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
                          	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
                          	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
                          	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
                          	at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:447)
                          	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:312)
                          	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265)
                          	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:129)
                          	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
                          	at org.apache.kafka.common.network.Selector.poll(Selector.java:467)
                          	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:535)
                          	at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:265)
                          	at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:236)
                          	at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:215)
                          	at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:231)
                          	at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:316)
                          	at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1214)
                          	at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1179)
                          	at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1164)
                          	at kafka.tools.ConsoleConsumer$ConsumerWrapper.receive(ConsoleConsumer.scala:436)
                          	at kafka.tools.ConsoleConsumer$.process(ConsoleConsumer.scala:104)
                          	at kafka.tools.ConsoleConsumer$.run(ConsoleConsumer.scala:76)
                          	at kafka.tools.ConsoleConsumer$.main(ConsoleConsumer.scala:54)
                          	at kafka.tools.ConsoleConsumer.main(ConsoleConsumer.scala)
                          Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                          	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                          	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
                          	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
                          	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
                          	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
                          	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
                          	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
                          	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
                          	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
                          	at java.security.AccessController.doPrivileged(Native Method)
                          	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
                          	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:401)
                          	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:483)
                          	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:339)
                          	... 18 more
                          Caused by: java.security.cert.CertificateException: No name matching localhost found
                          	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
                          	at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
                          	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
                          	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
                          	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
                          	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
                          	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
                          ```
                          Why does it report No name matching localhost found?
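Two of the client-side failures in this thread can be read off the configs alone. The broker sets `ssl.client.auth=required`, so every client has to present a certificate of its own (configured through `ssl.keystore.location`, `ssl.keystore.password` and `ssl.key.password`, signed by a CA in the broker's truststore); `client-ssl.properties` carries only a truststore, so even once everything else is right the broker sees no client certificate and ends the handshake, which the client can only report as `terminated during authentication`, with the exact reason in the broker's server.log. The consumer's `No name matching localhost found` comes from the JDK's hostname verifier, which Kafka enables by default since 2.0 (`ssl.endpoint.identification.algorithm=https`): the broker certificate signed in the thread has subject `CN=ln` and no SubjectAlternativeName, so neither `localhost` nor `192.168.8.132` can match it. The fix is a broker certificate whose SAN lists the name and address clients use (`keytool -genkey … -ext SAN=DNS:<broker-host>,IP:192.168.8.132`, the same `-ext` on `-certreq`, and an `-extfile` carrying that `subjectAltName` for `openssl x509 -req`, which does not copy extensions from the CSR by itself) and connecting by a name that is in it; blanking `ssl.endpoint.identification.algorithm=` on the client silences the error but also drops the check that the broker is the one the CA vouched for. The preflight below is an added example, not code from Kafka or from the poster; its two configs are built from the values in the thread, and the SAN names in it are assumptions.

```python
"""Client-side preflight for a Kafka SSL listener.

Added example for this thread, not Kafka code. It reads the broker's and the
client's .properties, reports the mismatches that end in "terminated during
authentication", and checks certificate names the way the JDK's
sun.security.util.HostnameChecker does, which is where "No name matching
localhost found" comes from. The two configs below are constructed from the
values posted in the thread; every certificate name is an assumption.
"""
import ipaddress


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments,
    surrounding whitespace dropped, so 'ssl.keystore.type = JKS' equals
    'ssl.keystore.type=JKS'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def config_findings(broker: dict, client: dict) -> list:
    """Cross-check a client config against the broker it connects to."""
    findings = []
    if broker.get("ssl.client.auth") == "required" and not client.get("ssl.keystore.location"):
        findings.append("broker has ssl.client.auth=required but the client sets no "
                        "ssl.keystore.location (plus ssl.keystore.password/ssl.key.password): "
                        "the broker ends the TLS handshake before any Kafka request is sent")
    for side, props in (("broker", broker), ("client", client)):
        enabled = {p.strip() for p in props.get("ssl.enabled.protocols", "").split(",")}
        weak = sorted(enabled & {"TLSv1", "TLSv1.1"})
        if weak:
            findings.append("%s enables deprecated %s; allow TLSv1.2 only (TLSv1.3 where the JVM has it)"
                            % (side, ", ".join(weak)))
    if client.get("ssl.endpoint.identification.algorithm", "https") == "":
        findings.append("client sets ssl.endpoint.identification.algorithm= (empty): hostname "
                        "verification is off, so any cert from a trusted CA is accepted for any broker")
    return findings


def _dns_match(pattern: str, host: str) -> bool:
    """One dNSName (possibly '*.example.com') against one host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, dot, rest = host.partition(".")
    # the wildcard stands for exactly one leftmost label and needs two more labels after it
    return bool(head) and dot == "." and rest == pattern[2:] and pattern.count(".") >= 2


def hostname_matches(host: str, cn: str, dns_sans=(), ip_sans=()) -> bool:
    """HostnameChecker semantics for ssl.endpoint.identification.algorithm=https:
    an IP literal must appear as an iPAddress SAN; a DNS name is compared with
    the dNSName SANs, and only a certificate with no dNSName at all falls back
    to the subject CN (the "No name matching ... found" path)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in ip_sans)
    if dns_sans:
        return any(_dns_match(p, host) for p in dns_sans)
    return _dns_match(cn, host)


# Constructed from the thread: the broker's server.properties and client-ssl.properties
BROKER = parse_properties("""
listeners=PLAINTEXT://192.168.8.132:9092,SSL://192.168.8.132:9093
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
security.inter.broker.protocol = SSL
""")
CLIENT = parse_properties("""
security.protocol=SSL
ssl.truststore.location=/usr/local/kafka/client.truststore.jks
ssl.truststore.password=123456
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.truststore.type = JKS
ssl.keystore.type = JKS
""")

if __name__ == "__main__":
    for finding in config_findings(BROKER, CLIENT):
        print("-", finding)
    # broker cert as signed in the thread: subject CN=ln and no SAN
    for host in ("localhost", "192.168.8.132", "ln"):
        print("CN=ln, no SAN  ", host, hostname_matches(host, cn="ln"))
    # assumed replacement cert: SAN=DNS:kafka1.example.internal,IP:192.168.8.132
    sans = dict(dns_sans=["kafka1.example.internal"], ip_sans=["192.168.8.132"])
    for host in ("localhost", "192.168.8.132", "kafka1.example.internal"):
        print("with SAN       ", host, hostname_matches(host, cn="ln", **sans))
```

Run against the thread's own values it reports three findings (no client keystore against a broker that requires one, and TLSv1/TLSv1.1 enabled on both sides) and shows that with `CN=ln` only the literal host `ln` would pass; once the certificate carries a SAN, the CN is no longer consulted at all, which is why the SAN has to contain every name and address a client will dial.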