Why does Kafka SSL fail with "Failed to load SSL keystore /usr/local/kafka2.3/server.keystore.jks of type JKS"?

ln posted on: 2019-08-12   Last updated: 2019-08-12

Question details

Configuring SSL on Kafka 2.11, I get the following error:

ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /usr/local/kafka/server.keystore.jks of type JKS

My config/server.properties is as follows:

listeners=PLAINTEXT://192.168.8.132:9092,SSL://192.168.8.132:9093

ssl.client.auth=required

ssl.keystore.location=/usr/local/kafka/server.keystore.jks
ssl.keystore.password=luonan
ssl.key.password=luonan
ssl.truststore.location=/usr/local/kafka/server.truststore.jks
ssl.truststore.password=luonan

ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS

security.inter.broker.protocol = SSL

[root@localhost kafka2.3]# ll /usr/local/kafka/server.keystore.jks
-rw-r--r--. 1 root root 3199 Aug 12 00:14 /usr/local/kafka/server.keystore.jks

These files do exist, so what is the cause?


  • First check the permissions; the message above only says that loading failed.
    You can also refer to: https://www.orchome.com/500

    • I'm not configuring Kerberos here, I'm configuring SSL. I've also set /usr/local/kafka/server.keystore.jks to 777, and it still doesn't work:
      -rwxrwxrwx. 1 root root 3199 Aug 12 00:14 server.keystore.jks
      -rwxrwxrwx. 1 root root 984 Aug 12 00:11 server.truststore.jks
      -rwxrwxrwx. 1 root root 984 Aug 12 00:12 client.truststore.jks

      It still reports the same error: Failed to load SSL keystore /usr/local/kafka/server.keystore.jks of type JKS
      Have you run into this error before?

        • When running the last step of the key generation I get this error:
          [root@localhost kafka]# keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
          Enter keystore password:
          keytool error: java.lang.Exception: Reply has no certificates

          Does this mean there is no signed certificate? Is this error what causes the "Failed to load SSL keystore"? If so, how do I fix it?

          The crypto strength restriction has already been replaced with jce_policy-8,
          and it has been imported into the JDK:
          [root@localhost UnlimitedJCEPolicyJDK8]# ls /usr/local/jdk/jre/lib/security/
          blacklist blacklisted.certs cacerts java.policy java.security javaws.policy local_policy.jar policy README.txt trusted.libraries US_export_policy.jar

            • [root@localhost kafka]# openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
              Signature ok
              subject=/C=ln/ST=ln/L=ln/O=ln/OU=ln/CN=ln
              Getting CA Private Key
              unable to load CA Private Key
              140107397314464:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
              140107397314464:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
              140107397314464:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
              140107397314464:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

              I got this error when signing the certificate, but I saw "Signature ok" and ignored the errors after it. Is this error the cause?

                • Problem solved! It was because the password in the pass of openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
                  was not the test1234 I had used for the
                  keytool -keystore server.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey generation of server.keystore.jks.

                  These two have to use the same password. Many thanks!

                    • But now there is a new problem:

                      [root@localhost bin]# ./kafka-console-producer.sh --broker-list 192.168.8.132:9093 --topic test --producer.config client-ssl.properties
                      >l
                      [2019-08-12 20:20:25,651] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:25,727] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:25,897] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:26,116] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:26,614] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:27,408] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:28,582] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:29,713] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:30,787] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      [2019-08-12 20:20:31,667] WARN [Producer clientId=console-producer] Connection to node -1 (/192.168.8.132:9093) terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
                      ^Corg.apache.kafka.common.KafkaException: Producer closed while send in progress
                          at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:862)
                          at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:839)
                          at kafka.tools.ConsoleProducer$.send(ConsoleProducer.scala:75)
                          at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:57)
                          at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
                      Caused by: org.apache.kafka.common.KafkaException: Requested metadata update after close
                          at org.apache.kafka.clients.Metadata.awaitUpdate(Metadata.java:200)
                          at org.apache.kafka.clients.producer.KafkaProducer.waitOnMetadata(KafkaProducer.java:982)
                          at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:859)

                      My client-ssl.properties looks like this:

                      security.protocol=SSL
                      ssl.truststore.location=/usr/local/kafka/client.truststore.jks
                      ssl.truststore.password=123456
                      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
                      ssl.truststore.type = JKS
                      ssl.keystore.type = JKS
                      [root@localhost bin]# ll /usr/local/kafka/client.truststore.jks
                      -rw-r--r--. 1 root root 984 Aug 12 19:40 /usr/local/kafka/client.truststore.jks

                      This client.truststore.jks also exists.
                      Why is this happening?

                        • [root@localhost bin]# ./kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test1 --consumer.config client-ssl.properties
                          [2019-08-13 00:29:40,547] ERROR [Consumer clientId=consumer-1, groupId=console-consumer-43513] Connection to node -1 (localhost/127.0.0.1:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
                          [2019-08-13 00:29:40,549] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
                          org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
                          Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                              at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
                              at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
                              at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
                              at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
                              at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
                              at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:447)
                              at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:312)
                              at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265)
                              at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:129)
                              at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
                              at org.apache.kafka.common.network.Selector.poll(Selector.java:467)
                              at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:535)
                              at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:265)
                              at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:236)
                              at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:215)
                              at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:231)
                              at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:316)
                              at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1214)
                              at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1179)
                              at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1164)
                              at kafka.tools.ConsoleConsumer$ConsumerWrapper.receive(ConsoleConsumer.scala:436)
                              at kafka.tools.ConsoleConsumer$.process(ConsoleConsumer.scala:104)
                              at kafka.tools.ConsoleConsumer$.run(ConsoleConsumer.scala:76)
                              at kafka.tools.ConsoleConsumer$.main(ConsoleConsumer.scala:54)
                              at kafka.tools.ConsoleConsumer.main(ConsoleConsumer.scala)
                          Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                              at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                              at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
                              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
                              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
                              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
                              at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
                              at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
                              at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
                              at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
                              at java.security.AccessController.doPrivileged(Native Method)
                              at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
                              at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:401)
                              at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:483)
                              at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:339)
                              ... 18 more
                          Caused by: java.security.cert.CertificateException: No name matching localhost found
                              at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
                              at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
                              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
                              at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
                              at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
                              at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
                              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)

                          Why does it say "No name matching localhost found"?

                            • Hi, what does "Invalid credentials caused the authentication to fail.
                              Verify after each step you complete." mean? How should I verify it? I ran into the same error; it happens when pulling messages, but the Kerberos authentication before that had already passed.
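Two of the failures in this thread are visible in the property files before any client is started: the producer's "terminated during authentication" (the broker has ssl.client.auth=required while client-ssl.properties carries no keystore) and the consumer's "No name matching localhost found" (the bootstrap host does not match the certificate subject CN=ln, which Kafka checks by default). The linter below is an added example, not code from the thread or from Kafka; the property contents and the certificate name set are reconstructed from the thread, with file paths swapped for temporary files so it runs offline.

```python
import os
import tempfile

DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, spaces around '=' allowed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_ssl_pair(broker, client, bootstrap_host, cert_names):
    """Return findings; cert_names is the broker certificate's CN plus any SAN DNS names."""
    findings = []
    if broker.get("ssl.client.auth") == "required" and "ssl.keystore.location" not in client:
        findings.append("broker requires client auth but client has no ssl.keystore.location")
    for side, props in (("broker", broker), ("client", client)):
        for key in ("ssl.keystore.location", "ssl.truststore.location"):
            path = props.get(key)
            if path and not os.access(path, os.R_OK):
                findings.append(f"{side} {key}={path} is missing or not readable")
            elif path and os.path.getsize(path) == 0:
                findings.append(f"{side} {key}={path} is empty (a failed signing step produces this)")
        weak = DEPRECATED_PROTOCOLS & set(props.get("ssl.enabled.protocols", "").split(","))
        if weak:
            findings.append(f"{side} enables deprecated protocols {sorted(weak)}")
    # Kafka 2.0+ verifies the broker hostname by default (ssl.endpoint.identification.algorithm=https)
    if client.get("ssl.endpoint.identification.algorithm", "https") == "https" and bootstrap_host not in cert_names:
        findings.append(f"bootstrap host {bootstrap_host!r} is not in the broker cert names {sorted(cert_names)}")
    return findings

def lint_thread_configs():
    """Constructed copy of the thread's configs; paths point at temp files so the check runs offline."""
    tmp = tempfile.mkdtemp()
    for name in ("server.keystore.jks", "server.truststore.jks", "client.truststore.jks"):
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(b"\xfe\xed\xfe\xed")  # JKS magic bytes only; enough for the readability check
    broker = parse_properties(f"ssl.client.auth=required\nssl.keystore.location={tmp}/server.keystore.jks\n"
                              f"ssl.truststore.location={tmp}/server.truststore.jks\n"
                              "ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1\nssl.keystore.type = JKS\n")
    client = parse_properties(f"security.protocol=SSL\nssl.truststore.location={tmp}/client.truststore.jks\n"
                              "ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1\nssl.truststore.type = JKS\n")
    # bootstrap host from the consumer command; {"ln"} is the subject CN in the openssl output (no SAN)
    return lint_ssl_pair(broker, client, "localhost", {"ln"})
```

Running lint_thread_configs() reports the missing client keystore, the hostname mismatch, and the deprecated TLS versions on both sides; a clean pair with matching names returns no findings.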