Using apache kafka in SSL mode

Question

I'm trying to set up kafka in SSL [1-way] mode. I've gone through the official documentation and successfully generated the certificates. I'll note down the behavior for 2 different cases. This setup has only one broker and one zookeeper.

Relevant entries in my server.properties file are as follows:

listeners=PLAINTEXT://localhost:9092, SSL://localhost:9093
ssl.keystore.location=/Users/xyz/home/ssl/server.keystore.jks
ssl.keystore.password=****
ssl.key.password=****

I've added a client-ssl.properties in the kafka config dir with the following entries:

security.protocol=SSL
ssl.truststore.location=/Users/xyz/home/ssl/client.truststore.jks
ssl.truststore.password=****

If I put bootstrap.servers=localhost:9093 or bootstrap.servers=localhost:9092 in my config/producer.properties file, my console-producers/consumers work fine. Is that the intended behavior? If yes, then why? Because I'm specifically trying to connect to localhost:9093 from producer/consumer in SSL mode.

Relevant entries in my server.properties file are as follows:

security.inter.broker.protocol=SSL
listeners=SSL://localhost:9093
ssl.keystore.location=/Users/xyz/home/ssl/server.keystore.jks
ssl.keystore.password=****
ssl.key.password=****

My client-ssl.properties file remains the same. I put bootstrap.servers=localhost:9093 in producer.properties file. Now, none of my producer/consumer can connect to kafka. I get the following msg:

WARN Error while fetching metadata with correlation id 0 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)

What am I doing wrong?

In all these cases I'm using the following commands to start producers/consumers:

./kafka-console-producer.sh --broker-list localhost:9093 --topic test --producer.config ../config/client-ssl.properties
./kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config ../config/client-ssl.properties

Recommended answer

Make sure that the common names (CN) in your certificates match your hostname. The SSL protocol verifies the CN against the hostname. I guess here you should have CN=localhost. I had a similar issue and that's how I fixed it.
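
The hostname check the answer refers to, written out in Python as an added example (not code from the original question or answer): it takes the host part of each bootstrap.servers entry and tests it against the names in a broker certificate, using the RFC 2818 rule that DNS subjectAltName entries take precedence and the CN is only a fallback. The function names, the certificate dictionaries and the hostnames broker01.internal and *.kafka.internal are constructed for illustration.

```python
# Added example, not code from the original post. Sample data is constructed.

def parse_properties(text):
    """Parse 'key=value' lines of a Java .properties file; skip comments/blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def cert_names(cert):
    """Return (dns_sans, common_names) from an ssl.getpeercert()-style dict."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, cns

def name_matches(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole first label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check_bootstrap(props_text, cert):
    """Map each bootstrap.servers host to True if the certificate covers it."""
    dns, cns = cert_names(cert)
    # RFC 2818 rule: DNS subjectAltName entries win; CN is only the fallback.
    candidates = dns if dns else cns
    servers = parse_properties(props_text).get("bootstrap.servers", "")
    result = {}
    for entry in filter(None, (s.strip() for s in servers.split(","))):
        host = entry.rsplit(":", 1)[0]
        result[host] = any(name_matches(n, host) for n in candidates)
    return result

# Constructed client config mirroring the question's values.
CLIENT_PROPS = "security.protocol=SSL\nbootstrap.servers=localhost:9093\n"
# Constructed certificates in the shape ssl.SSLSocket.getpeercert() returns.
CERT_OTHER_CN = {"subject": ((("commonName", "broker01.internal"),),)}
CERT_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
CERT_SAN_WINS = {"subject": ((("commonName", "localhost"),),),
                 "subjectAltName": (("DNS", "*.kafka.internal"),)}

if __name__ == "__main__":
    for label, cert in [("other CN", CERT_OTHER_CN), ("CN=localhost", CERT_LOCALHOST),
                        ("SAN present", CERT_SAN_WINS)]:
        print(label, check_bootstrap(CLIENT_PROPS, cert))
```

The third certificate shows a case the CN advice alone does not cover: once a DNS subjectAltName is present, a matching CN=localhost no longer satisfies the check.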
