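I created a Kafka cluster on Docker using the Confluent images. I am using docker-compose to build the containers.
When I try to run the container, it starts, but it cannot communicate with any broker because the SSL handshake fails. I don't know whether I am missing some configuration.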
[kafka-admin-client-thread | adminclient-1] ERROR org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Connection to node -3 (/XXX:19092) failed authentication due to:
My Kafka broker configuration is as follows:
kafka1:
  image: confluentinc/cp-kafka:5.2.2
  container_name: kafka1
  ports:
    - "19092:19092"
  environment:
    KAFKA_BROKER_ID: 1
    KAFKA_ZOOKEEPER_CONNECT: XXX:12181,XXX:12181,XXX:12181
    KAFKA_ADVERTISED_LISTENERS: SSL://XXXX:19092
    KAFKA_SSL_KEYSTORE_FILENAME: kafka.broker1.keystore.jks
    KAFKA_SSL_KEYSTORE_CREDENTIALS: broker1_keystore_creds
    KAFKA_SSL_KEY_CREDENTIALS: broker1_sslkey_creds
    KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.broker1.truststore.jks
    KAFKA_SSL_TRUSTSTORE_CREDENTIALS: broker1_truststore_creds
    KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
    KAFKA_SSL_CLIENT_AUTH: required
    KAFKA_SECURITY_INTER_BROKER_PROTOCOL: SSL
    KAFKA_SECURITY_PROTOCOL: SSL
  volumes:
    - ./../../secrets:/etc/kafka/secrets
I am trying to bring up the Confluent REST Proxy API in another container with the following configuration:
kafka-rest-proxy:
  image: confluentinc/cp-kafka-rest:5.2.2
  hostname: kafka-rest-proxy
  ports:
    - "18082:18082"
  environment:
    KAFKA_REST_LISTENERS: "http://0.0.0.0:18082"
    KAFKA_REST_ZOOKEEPER_CONNECT: XXX:12181,XXX:12181,XXX:12181
    KAFKA_REST_HOST_NAME: kafka-rest-proxy
    KAFKA_REST_BOOTSTRAP_SERVERS: SSL://XXX:19092,SSL://XXX:19092,SSL://XXX:19092
    KAFKA_REST_CLIENT_SECURITY_PROTOCOL: SSL
    KAFKA_REST_CLIENT_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.broker1.keystore.jks
    KAFKA_REST_CLIENT_SSL_KEYSTORE_PASSWORD: XXX
    KAFKA_REST_CLIENT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.broker1.truststore.jks
    KAFKA_REST_CLIENT_SSL_TRUSTSTORE_PASSWORD: XXX
    KAFKA_REST_CLIENT_SSL_KEY_PASSWORD: XXX
    KAFKA_REST_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.producer.keystore.jks
    KAFKA_REST_SSL_KEYSTORE_PASSWORD: XXX
    KAFKA_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.producer.truststore.jks
    KAFKA_REST_SSL_TRUSTSTORE_PASSWORD: XXX
  volumes:
    - ./../../secrets:/etc/kafka/secrets
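Answer 0: (score: 0)
In my case (Kubernetes with Helm), I had to add a change
from "listeners": "http://0.0.0.0:8082" to "listeners": "https://0.0.0.0:8082"
I see the same error in your configuration:
KAFKA_REST_LISTENERS: "http://0.0.0.0:18082"
After that, you will see at the end of the startup log that it tries to load the keystore file.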
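The listener mismatch Answer 0 points at can be checked mechanically before starting the container. The following is an added example, not part of the original answer or of Confluent's tooling; it assumes the image's convention of mapping `KAFKA_REST_FOO_BAR` to the property `foo.bar`, the function names `to_properties` and `lint` are hypothetical, and the sample environment is constructed from the question's values.

```python
import re

# Constructed sample: the REST proxy environment from the question, shortened.
SAMPLE_ENV = """
KAFKA_REST_LISTENERS: "http://0.0.0.0:18082"
KAFKA_REST_BOOTSTRAP_SERVERS: SSL://XXX:19092,SSL://XXX:19092
KAFKA_REST_CLIENT_SECURITY_PROTOCOL: SSL
KAFKA_REST_CLIENT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.broker1.truststore.jks
KAFKA_REST_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.producer.keystore.jks
KAFKA_REST_SSL_KEYSTORE_PASSWORD: XXX
"""

def to_properties(env_text):
    """Map 'KAFKA_REST_FOO_BAR: value' lines to {'foo.bar': value} (assumed image convention)."""
    props = {}
    pattern = r"^[ \t]*KAFKA_REST_([A-Z0-9_]+)[ \t]*:[ \t]*(.*?)[ \t]*$"
    for m in re.finditer(pattern, env_text, re.M):
        props[m.group(1).lower().replace("_", ".")] = m.group(2).strip("\"'")
    return props

def lint(props):
    """Return findings about TLS settings that contradict each other."""
    findings = []
    listeners = [l.strip() for l in props.get("listeners", "").split(",") if l.strip()]
    https = any(l.lower().startswith("https://") for l in listeners)
    # ssl.* (no client. prefix) configures the proxy's own HTTPS listener.
    server_tls = sorted(k for k in props if k.startswith("ssl."))
    if server_tls and not https:
        findings.append("ssl.* set but no https listener: " + ", ".join(server_tls))
    if https and "ssl.keystore.location" not in props:
        findings.append("https listener without ssl.keystore.location")
    # client.* configures the proxy's connection to the brokers.
    proto = props.get("client.security.protocol", "PLAINTEXT").upper()
    for server in props.get("bootstrap.servers", "").split(","):
        scheme, sep, _ = server.strip().partition("://")
        if sep and scheme.upper() != proto:
            findings.append(f"bootstrap server {server.strip()} does not match "
                            f"client.security.protocol={proto}")
    if proto in ("SSL", "SASL_SSL") and "client.ssl.truststore.location" not in props:
        findings.append("client TLS enabled but client.ssl.truststore.location is unset")
    return findings

if __name__ == "__main__":
    for finding in lint(to_properties(SAMPLE_ENV)):
        print("WARN", finding)
```
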
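Answer 1: (score: 0)
I configured the SSH connection with only a truststore (I removed the keystore configuration entirely), and I used the OPTS environment variable: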
docker run -d \
  --name krp \
  -p 8082:8082 \
  ...
  -v /home/ubuntu/kafka-keys:/kafka-keys \
  -e KAFKA_REST_CLIENT_OPTS="-Dssl.keystore.location=/kafka-keys/kafka.client.keystore.jks -Dssl.keystore.password=changeit -Dssl.truststore.location=/kafka-keys/kafka.client.truststore.jks" \
  confluentinc/cp-kafka-rest:5.3.1
The connection works.