KAFKA-12784: ssl kafka failed


Details

    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.8.0
    • Fix Version/s: 2.8.0
    • Component/s: config, connect, consumer
    • Labels: None

    Description

      Kafka version: kafka_2.13-2.8.0

      I have a problem with SSL in Kafka. I can't figure out how ssl.endpoint.identification.algorithm= works, because everything works fine for me if this parameter is empty.

      If I set it to https, I get "no subject alternative dns name matching" problems with the brokers.

      My DNS name for server 1:

      [root@zeus1 /home/trofimov-im]#  nslookup IP_ADDR

      IP_ADDR.in-addr.arpa      name = zeus1.bbk.strf.ru.

      I removed the unnecessary ones. Certs in the truststore:

       

      Keystore type: jks
      Keystore provider: SUN

      Your keystore contains 7 entries

      Alias name: caroot
      Creation date: May 11, 2021
      Entry type: trustedCertEntry

      Owner: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
      Issuer: CN=Root CA, O=bbk, C=RU

       

      *******************************************
      *******************************************

      Alias name: zeus1.cert
      Creation date: May 11, 2021
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=zeus1.bbk.strf.ru, OU=SCS, O=BBK of Russia, L=Moscow, ST=Moscow, C=RU
      Issuer: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
      Serial number: 1d0007b167a6fd474142f6b79f00000007b167
      Valid from: Tue Apr 27 19:33:52 MSK 2021 until: Mon Nov 20 14:19:00 MSK 2023
      Certificate fingerprints:
      MD5: 85:E5:4F:30:A6:A1:0E:A0:8B:7E:70:1C:2B:01:65:BA
      SHA1: 84:20:E8:0E:8E:24:EB:E4:93:92:7B:D1:61:3B:75:A9:D8:83:12:DE
      SHA256: E6:3D:4E:BD:93:22:B5:4E:28:5A:78:F6:B8:53:1B:BF:6C:39:3D:FC:EB:CF:F8:62:FC:DA:9B:BE:59:4E:F6:EE
      Signature algorithm name: SHA256withRSA
      Subject Public Key Algorithm: 2048-bit RSA key
      Version: 3

      #8: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
      DNSName: scs-kafka.bbk.strf.ru
      DNSName: *.scs-kafka.bbk.strf.ru
      DNSName: scs-kafka
      DNSName: *.scs-kafka
      DNSName: zeus1.bbk.strf.ru
      DNSName: *.zeus1.bbk.strf.ru
      DNSName: zeus1
      DNSName: *.zeus1
      ]

       

      *******************************************
      *******************************************

      Alias name: zeus2.cert
      Creation date: May 11, 2021
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=zeus2.bbk.strf.ru, OU=SCS, O=BBK of Russia, L=Moscow, ST=Moscow, C=RU
      Issuer: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
      Serial number: 1d0007b169e5e4f88b66d2e1ce00000007b169
      Valid from: Tue Apr 27 19:35:28 MSK 2021 until: Mon Nov 20 14:19:00 MSK 2023
      Certificate fingerprints:
      MD5: 98:19:39:A9:DF:73:61:EB:17:30:BB:40:75:16:CE:0A
      SHA1: 81:0E:77:60:31:77:FC:5A:5C:E3:5F:45:F5:97:C6:84:F0:7B:DB:B5
      SHA256: 8D:89:2D:B0:AA:9B:8E:95:D0:54:42:E9:E2:6D:67:FC:7A:6E:F4:50:58:76:F4:F7:0E:F5:D6:F7:A8:C1:5D:51
      Signature algorithm name: SHA256withRSA
      Subject Public Key Algorithm: 2048-bit RSA key
      Version: 3

       

      #8: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
      DNSName: scs-kafka.bbk.strf.ru
      DNSName: *.scs-kafka.bbk.strf.ru
      DNSName: scs-kafka
      DNSName: *.scs-kafka
      DNSName: zeus2.bbk.strf.ru
      DNSName: *.zeus2.bbk.strf.ru
      DNSName: zeus2
      DNSName: *.zeus2
      ]

       

      *******************************************
      *******************************************

      The keystore is the same.

      The configuration is like this:


      ssl.keystore.location=/home/kafka/kafka.server.keystore.jks
      ssl.keystore.password=password
      ssl.key.password=password

      ssl.truststore.location=/home/kafka/kafka.server.truststore.jks
      ssl.truststore.password=password

      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
      ssl.keystore.type=JKS
      ssl.truststore.type=JKS

      security.inter.broker.protocol=SSL
      ssl.client.auth=required
      ssl.endpoint.identification.algorithm=


      What's wrong? Where should I dig?
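Editor's note on the ticket above, with an added example (not code from the Kafka project or from the reporter). With ssl.endpoint.identification.algorithm=https, Kafka's SSL engine asks the JDK to verify that the name the client dialed (the host in bootstrap.servers, or the host a broker advertises in advertised.listeners for inter-broker traffic) appears among the certificate's dNSName SANs. The reverse lookup of the IP address is irrelevant to that check; an IP literal is compared only against iPAddress SANs, and the certificate shown has none. The exact message "No subject alternative DNS name matching <host> found" is what the JDK raises when dNSName SANs are present but none matches the dialed host, so the thing to compare is the advertised/bootstrap host string against the SAN list. The script below does that comparison offline against the zeus1 SAN list from the ticket, with wildcard handling per RFC 6125 section 6.4.3 (wildcard only as the entire leftmost label, covering exactly one label; partial-label wildcards are rejected here, which is an assumption stricter than the JDK), and it also audits the posted broker properties for the two settings a reviewer would raise: the empty identification algorithm (hostname verification off, so any certificate from the trusted CA is accepted for any broker) and the deprecated TLSv1/TLSv1.1 protocols. The hostnames it is run against are constructed test inputs.

```python
"""Offline model of the hostname check Kafka performs when
ssl.endpoint.identification.algorithm=https (added example, not project code).
Rules follow RFC 6125 section 6.4.3 and the JDK HostnameChecker messages;
partial-label wildcards are rejected here (assumption: stricter than the JDK)."""
import ipaddress

# dNSName SAN entries copied from the zeus1 certificate listing in the ticket.
ZEUS1_DNS_SANS = [
    "scs-kafka.bbk.strf.ru", "*.scs-kafka.bbk.strf.ru", "scs-kafka", "*.scs-kafka",
    "zeus1.bbk.strf.ru", "*.zeus1.bbk.strf.ru", "zeus1", "*.zeus1",
]

# Broker config as posted in the ticket (constructed sample input for the audit).
POSTED_SERVER_PROPERTIES = """
ssl.keystore.location=/home/kafka/kafka.server.keystore.jks
ssl.keystore.password=password
ssl.key.password= password
ssl.truststore.location=/home/kafka/kafka.server.truststore.jks
ssl.truststore.password= password
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.endpoint.identification.algorithm=
"""

DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN (possibly "*.label.tld") against the dialed hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole leftmost label and the only one; bare "*" never matches.
    if p_labels[0] != "*" or len(p_labels) < 2 or any("*" in l for l in p_labels[1:]):
        return False
    # "*" covers exactly one non-empty label: "*.scs-kafka.bbk.strf.ru" matches
    # "broker1.scs-kafka.bbk.strf.ru" but not "a.b.scs-kafka.bbk.strf.ru".
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def check_endpoint_identification(expected: str, dns_sans, ip_sans=()):
    """Return (ok, message); messages mirror the JDK's, which is what Kafka logs.

    `expected` is the host the client dialed (bootstrap.servers or the broker's
    advertised.listeners), not what a reverse lookup of the IP returns."""
    if is_ip_literal(expected):
        # An IP literal is compared only with iPAddress SANs, never with dNSName.
        addr = ipaddress.ip_address(expected.strip("[]"))
        if any(ipaddress.ip_address(s) == addr for s in ip_sans):
            return True, "iPAddress SAN matches %s" % expected
        return False, "No subject alternative names matching IP address %s found" % expected
    for san in dns_sans:
        if dns_name_matches(san, expected):
            return True, "dNSName SAN %r matches %s" % (san, expected)
    if dns_sans:  # the ticket's message: dNSName SANs exist, none match
        return False, "No subject alternative DNS name matching %s found" % expected
    return False, "No dNSName SAN present (JDK would fall back to the CN; not modelled)"


def audit_ssl_properties(text: str) -> list:
    """Flag broker properties that weaken TLS: empty identification algorithm
    (Kafka 2.x defaults it to "https") and deprecated protocol versions."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    findings = []
    if props.get("ssl.endpoint.identification.algorithm", "https") == "":
        findings.append("ssl.endpoint.identification.algorithm is empty: hostname verification disabled")
    enabled = {p.strip() for p in props.get("ssl.enabled.protocols", "").split(",") if p.strip()}
    weak = sorted(enabled & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("ssl.enabled.protocols allows deprecated %s" % ", ".join(weak))
    return findings


if __name__ == "__main__":
    for host in ["zeus1.bbk.strf.ru", "ZEUS1", "broker1.scs-kafka.bbk.strf.ru",
                 "a.b.scs-kafka.bbk.strf.ru", "zeus2.bbk.strf.ru", "10.0.0.5"]:
        print("%-32s %s" % (host, check_endpoint_identification(host, ZEUS1_DNS_SANS)))
    for finding in audit_ssl_properties(POSTED_SERVER_PROPERTIES):
        print("finding:", finding)
```

To compare against what a running broker actually presents rather than the keystore listing, `openssl s_client -connect <advertised-host>:9093 -verify_hostname <advertised-host>` performs the same dNSName/iPAddress check and reports "Verification: OK" or the failing reason; substitute the exact host string from advertised.listeners, since that is the name the other brokers will verify.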

People

    Assignee: Unassigned
    Reporter: igor9292 Trofimov