Python Confluent-Kafka SSL Configuration


Question

A basic Confluent-Kafka producer and consumer have been created to send plaintext messages.

After successfully sending messages from producer to consumer, additional configs were added to use SSL rather than PLAINTEXT.

The following Configs have been implemented, which result in the following error.

"Message timed out"

Producer Configuration:

bootstrap.servers: localhost:9093
security.protocol: SSL
ssl.keystore.location: ../keystore.p12
ssl.keystore.password: [password]
ssl.ca.location: ../CARoot.pem
ssl.key.location: ../key.pem
ssl.certificate.location: ../cert.pem
ssl.key.password: [password]

Server Configuration:

ssl.keystore.type= PKCS12
ssl.keystore.location= ../keystore.p12
ssl.keystore.password= [password]
ssl.ca.location= ..\\CARoot.pem
ssl.certificate.location= ..\\cert.pem
ssl.key.password= [password]
ssl.key.location= ../key.pem
security.inter.broker.protocol= SSL
listeners = PLAINTEXT://localhost:9092,SSL://localhost:9093
advertised.listeners = PLAINTEXT://localhost:9092,SSL://localhost:9093

Are there additional configs required to implement SSL?

Additionally, can anyone summarize the CARoot? From what I have read, it is a chain of certificates. Therefore, if there is only one certificate, should CARoot.pem and cert.pem be identical? This file might be the problem. The certificate and private key were created in PyOpenSSL. keystore.p12 was converted from a .jks keystore using keytool.

Is there a way to create a CARoot.pem file using this library?

Thank you.

Recommended Answer

The producer was timing out due to the formatting of the CA Certificate file.

The solution to the following question was used to resolve the time-out error, which uses OpenSSL rather than PyOpenSSL.

Note: OpenSSL is available in Git Bash.

How to export CA certificate chain from PFX in PEM format without bag attributes

Additionally, there were some changes that were made to the configuration of both the server and producer.

Producer Configuration:

bootstrap.servers: localhost:9093
security.protocol: SSL
ssl.ca.location: ../CARoot.pem
ssl.key.location: ../key.pem
ssl.certificate.location: ../cert.pem

Server Configuration:

ssl.protocol= SSL
ssl.keystore.type= JKS
ssl.keystore.location= ../keystore.jks
ssl.keystore.password= [password]
ssl.client.auth= required
security.inter.broker.protocol= SSL
listeners = PLAINTEXT://localhost:9092,SSL://localhost:9093
advertised.listeners = PLAINTEXT://localhost:9092,SSL://localhost:9093
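
An added example, not part of the original answer: a standard-library check that a CA file such as CARoot.pem holds only certificate blocks, with no bag-attribute lines of the kind the linked question is about. The function names and the sample export are constructed for illustration, and the sample body is placeholder bytes, not a real certificate.

```python
import base64
import re

# Matches one PEM certificate block, header through footer.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: the shape of a PKCS12-to-PEM export with bag attributes.
_BODY = base64.b64encode(b"constructed placeholder, not a real certificate")
SAMPLE_EXPORT = (
    "Bag Attributes\n"
    "    friendlyName: caroot\n"
    "subject=CN = Example Root CA\n"
    "issuer=CN = Example Root CA\n"
    "-----BEGIN CERTIFICATE-----\n" + _BODY.decode("ascii") + "\n"
    "-----END CERTIFICATE-----\n"
)


def extract_certificates(pem_text):
    """Return each certificate block, re-wrapped at 64 columns."""
    blocks = []
    for match in _CERT_BLOCK.finditer(pem_text):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)  # raises on a corrupt body
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
        ))
    return blocks


def stray_lines(pem_text):
    """Return non-blank lines that sit outside any certificate block."""
    outside = _CERT_BLOCK.sub("", pem_text)
    return [ln.strip() for ln in outside.splitlines() if ln.strip()]


def clean_ca_bundle(pem_text):
    """Build a CA bundle that contains certificate blocks and nothing else."""
    certs = extract_certificates(pem_text)
    if not certs:
        raise ValueError("no certificate blocks found")
    return "\n".join(certs) + "\n"
```

Running `stray_lines` on the file named in `ssl.ca.location` before starting the producer shows whether anything other than certificates is in it; `clean_ca_bundle` produces the text to write back.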
