Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-12784

ssl kafka failed

Attach filesAttach ScreenshotAdd voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.8.0
    • Fix Version/s: 2.8.0
    • Component/s: config, consumer, KafkaConnect
    • Labels:
      None

      Description

      kafka version: kafka_2.13- 2.8.0

      i have problem with ssl kafka. I can't figure out how ssl.endpoint.identification.algorithm = works because everything works fine for me if this parameter is empty.

       

      If I put it https, I will have problems "no subject alternative dns name matching" with brokers.

       

      My dns name 1 server:

       

      [root@zeus1 /home/trofimov-im]#  nslookup IP_ADDR

      IP_ADDR.in-addr.arpa      name = zeus1.bbk.strf.ru.

       

      I removed unnecessary

      cert in truststore:

       

      Keystore type: jks
      Keystore provider: SUN

      Your keystore contains 7 entries

      Alias name: caroot
      Creation date: May 11, 2021
      Entry type: trustedCertEntry

      Owner: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
      Issuer: CN=Root CA, O=bbk, C=RU

       

      *******************************************
      *******************************************

      Alias name: zeus1.cert
      Creation date: May 11, 2021
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=zeus1.bbk.strf.ru, OU=SCS, O=BBK of Russia, L=Moscow, ST=Moscow, C=RU
      Issuer: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
      Serial number: 1d0007b167a6fd474142f6b79f00000007b167
      Valid from: Tue Apr 27 19:33:52 MSK 2021 until: Mon Nov 20 14:19:00 MSK 2023
      Certificate fingerprints:
      MD5: 85:E5:4F:30:A6:A1:0E:A0:8B:7E:70:1C:2B:01:65:BA
      SHA1: 84:20:E8:0E:8E:24:EB:E4:93:92:7B:D1:61:3B:75:A9:D8:83:12:DE
      SHA256: E6:3D:4E:BD:93:22:B5:4E:28:5A:78:F6:B8:53:1B:BF:6C:39:3D:FC:EB:CF:F8:62:FC:DA:9B:BE:59:4E:F6:EE
      Signature algorithm name: SHA256withRSA
      Subject Public Key Algorithm: 2048-bit RSA key
      Version: 3

      #8: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
      DNSName: scs-kafka.bbk.strf.ru
      DNSName: *.scs-kafka.bbk.strf.ru
      DNSName: scs-kafka
      DNSName: *.scs-kafka
      DNSName: zeus1.bbk.strf.ru
      DNSName: *.zeus1.bbk.strf.ru
      DNSName: zeus1
      DNSName: *.zeus1
      ]

       

      *******************************************
      *******************************************

      Alias name: zeus2.cert
      Creation date: May 11, 2021
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=zeus2.bbk.strf.ru, OU=SCS, O=BBK of Russia, L=Moscow, ST=Moscow, C=RU
      Issuer: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
      Serial number: 1d0007b169e5e4f88b66d2e1ce00000007b169
      Valid from: Tue Apr 27 19:35:28 MSK 2021 until: Mon Nov 20 14:19:00 MSK 2023
      Certificate fingerprints:
      MD5: 98:19:39:A9:DF:73:61:EB:17:30:BB:40:75:16:CE:0A
      SHA1: 81:0E:77:60:31:77:FC:5A:5C:E3:5F:45:F5:97:C6:84:F0:7B:DB:B5
      SHA256: 8D:89:2D:B0:AA:9B:8E:95:D0:54:42:E9:E2:6D:67:FC:7A:6E:F4:50:58:76:F4:F7:0E:F5:D6:F7:A8:C1:5D:51
      Signature algorithm name: SHA256withRSA
      Subject Public Key Algorithm: 2048-bit RSA key
      Version: 3

       

      #8: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
      DNSName: scs-kafka.bbk.strf.ru
      DNSName: *.scs-kafka.bbk.strf.ru
      DNSName: scs-kafka
      DNSName: *.scs-kafka
      DNSName: zeus2.bbk.strf.ru
      DNSName: *.zeus2.bbk.strf.ru
      DNSName: zeus2
      DNSName: *.zeus2
      ]

       

      *******************************************
      *******************************************

       

      keystore is the same

      The configuration is like this:

       

      ssl.keystore.location=/home/kafka/kafka.server.keystore.jks

      ssl.keystore.password=password

      ssl.key.password= password

       

      ssl.truststore.location=/home/kafka/kafka.server.truststore.jks

      ssl.truststore.password= password

       

      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1

      ssl.keystore.type=JKS

      ssl.truststore.type=JKS

       

      security.inter.broker.protocol=SSL

      ssl.client.auth=required

      ssl.endpoint.identification.algorithm=

       

      What's wrong, where to dig?

       

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              igor9292 Trofimov

              Dates

              • Created:
                Updated:

                Issue deployment