当 EnableSslCertificateVerification 设置为 true (Confluent Kafka) 时 - 证书验证失败 [英] When EnableSslCertificateVerification is set to true (Confluent Kafka) - certificate verification fails
问题描述
我在 Windows 上运行我的客户端,我能够验证 CA 授权是否存在并且在受信任的根证书授权中有效.
I am running my client on Windows and I was able to verify the CA authority exists and is valid in Trusted Root certificate authorities.
"Dev-on-Windows": {
"commandName": "Project",
"environmentVariables": {
"Kafka__BootstrapServers": "myloadbalancer.myhost.corp:9094",
"Kafka__EnableSslCertificateVerification": "true",
"Kafka__SchemaRegistryUrl": "myschemareg.myhost.corp:8081,myschemreg2.myhost.corp:8081",
"Kafka__SecurityProtocol": "SaslSsl",
"Kafka__SaslMechanism": "Gssapi",
"Kafka__ClientId": "DotNetCoreReferenceApplication",
"Kafka__ErrorTolerance": "Moderate",
"Kafka__Debug" : "all",
"ASPNETCORE_ENVIRONMENT": "Development"
},
"applicationUrl": "https://localhost:5001;http://localhost:5000"
},
当我禁用 SSL 验证时,发布和使用消息效果很好.但是,启用后出现错误
Publishing and Consuming messages works great when I disable SSL verification. However, when enabled I get errors
SSL handshake failed: .ssls3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed: (after 73ms in state CONNECT)
我尝试了什么:
我怀疑该用户帐户可能无法访问 CA 存储,所以我使用我的个人帐户运行应用程序(相对于服务校长)并遇到了同样的问题.
I suspected the user account might not have access to CA store, so I ran the application using my personal account (vs. the Service Principal) and got the same problem.
我还尝试导出该证书并将其放在我运行 .NET 核心应用程序的目录中,但它也失败了.我尝试使用 SslCaLocation
指向该目录,但没有成功.
I also tried to export that certificate and place it in directory where I run my .NET core application and it failed as well. I tried to point to the directory using SslCaLocation
but it didn't work.
更新这是调试日志
[18:12:40 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Selected provider Win32 SSPI for SASL mechanism GSSAPI
[18:12:40 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka built with OpenSSL version 0x1000212f
[18:12:40 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: 72/73 certificate(s) successfully added from Windows Certificate Root store
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Group "BL-9HQ76S2.consumerGroup1": updating member id "(not-set)" -> ""
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Added new broker with NodeId -1
[18:12:44 Debug][8] MyService.Messaging.Kafka.EventBusConsumer
[thrd:GroupCoordinator]: GroupCoordinator: Enter main broker thread
[18:12:44 Debug][9] MyService.Messaging.Kafka.EventBusConsumer
[thrd::0/internal]: :0/internal: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][10] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][11] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka v1.4.2 (0x10402ff) DotNetCoreReferenceApplication-BL-9HQ76S2#consumer-1 initialized (builtin.features gzip,snappy,ssl,sasl,regex,lz4,sasl_gssapi,sasl_plain,sasl_scram,plugins,zstd,sasl_oauthbearer, SSL ZLIB SNAPPY SASL_SCRAM PLUGINS HDRHISTOGRAM, debug 0xfffff)
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" received op SUBSCRIBE (v0) in state init (join state init, v1 vs 0)
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": subscribe to new subscription of 1 topics (join state init)
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": unsubscribe from current unset subscription of 0 topics (leave group=no, join state init, v1)
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": resetting group leader info: unsubscribe
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" is rebalancing in state init (join-state init) without assignment: unsubscribe
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" changed join state init -> wait-unassign (v1, state init)
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": unassign done in state init (join state wait-unassign): without new assignment: unassign (no previous assignment)
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" changed join state wait-unassign -> init (v1, state init)
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" changed state init -> query-coord (v1, join-state init)
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Broadcasting state change
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Selected for cluster connection: coordinator query (broker has 0 connection attempt(s))
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": no broker available for coordinator query: intervaled in state query-coord
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Received CONNECT op
[18:12:44 Debug][13] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" received op GET_SUBSCRIPTION (v0) in state query-coord (join state init, v1 vs 0)
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state INIT -> TRY_CONNECT
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
Confluent.Kafka.Consumer`2[System.String,System.String] subscribed to: [SchemaLess_v1]
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: broker in state TRY_CONNECT connecting
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state TRY_CONNECT -> CONNECT
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Selected provider Win32 SSPI for SASL mechanism GSSAPI
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka built with OpenSSL version 0x1000212f
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: 72/73 certificate(s) successfully added from Windows Certificate Root store
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connecting to ipv4#10.3.232.208:9094 (sasl_ssl) with socket 2448
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Group "BL-9HQ76S2.cheetahConsumerGroup1": updating member id "(not-set)" -> ""
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Added new broker with NodeId -1
[18:12:44 Debug][14] MyService.Messaging.Kafka.EventBusConsumer
[thrd:GroupCoordinator]: GroupCoordinator: Enter main broker thread
[18:12:44 Debug][15] MyService.Messaging.Kafka.EventBusConsumer
[thrd::0/internal]: :0/internal: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][16] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connected to ipv4#10.3.232.208:9094
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][17] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka v1.4.2 (0x10402ff) DotNetCoreReferenceApplication-BL-9HQ76S2#consumer-2 initialized (builtin.features gzip,snappy,ssl,sasl,regex,lz4,sasl_gssapi,sasl_plain,sasl_scram,plugins,zstd,sasl_oauthbearer, SSL ZLIB SNAPPY SASL_SCRAM PLUGINS HDRHISTOGRAM, debug 0xfffff)
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" received op SUBSCRIBE (v0) in state init (join state init, v1 vs 0)
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": subscribe to new subscription of 1 topics (join state init)
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": unsubscribe from current unset subscription of 0 topics (leave group=no, join state init, v1)
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": resetting group leader info: unsubscribe
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" is rebalancing in state init (join-state init) without assignment: unsubscribe
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: failed: err: Local: SSL error: (errno: No error)
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" changed join state init -> wait-unassign (v1, state init)
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state CONNECT -> DOWN
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": unassign done in state init (join state wait-unassign): without new assignment: unassign (no previous assignment)
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" changed join state wait-unassign -> init (v1, state init)
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Purging bufq with 0 buffers
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" changed state init -> query-coord (v1, join-state init)
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Purging bufq with 0 buffers
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Broadcasting state change
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Updating 0 buffers on connection reset
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Selected for cluster connection: coordinator query (broker has 0 connection attempt(s))
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state DOWN -> INIT
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": no broker available for coordinator query: intervaled in state query-coord
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Received CONNECT op
[18:12:44 Debug][12] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][19] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" received op GET_SUBSCRIPTION (v0) in state query-coord (join state init, v1 vs 0)
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state INIT -> TRY_CONNECT
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
Confluent.Kafka.Consumer`2[System.String,MyService.sample_app.Sample] subscribed to: [bl-cheetah]
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Selected provider Win32 SSPI for SASL mechanism GSSAPI
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: broker in state TRY_CONNECT connecting
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka built with OpenSSL version 0x1000212f
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state TRY_CONNECT -> CONNECT
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connecting to ipv4#10.3.232.208:9094 (sasl_ssl) with socket 2740
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: 72/73 certificate(s) successfully added from Windows Certificate Root store
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Group "BL-9HQ76S2.pumaConsumerGroup1": updating member id "(not-set)" -> ""
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Added new broker with NodeId -1
[18:12:44 Debug][20] MyService.Messaging.Kafka.EventBusConsumer
[thrd:GroupCoordinator]: GroupCoordinator: Enter main broker thread
[18:12:44 Debug][21] MyService.Messaging.Kafka.EventBusConsumer
[thrd::0/internal]: :0/internal: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][22] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][23] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka v1.4.2 (0x10402ff) DotNetCoreReferenceApplication-BL-9HQ76S2#consumer-3 initialized (builtin.features gzip,snappy,ssl,sasl,regex,lz4,sasl_gssapi,sasl_plain,sasl_scram,plugins,zstd,sasl_oauthbearer, SSL ZLIB SNAPPY SASL_SCRAM PLUGINS HDRHISTOGRAM, debug 0xfffff)
[18:12:44 Debug][24] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enter main broker thread
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" received op SUBSCRIBE (v0) in state init (join state init, v1 vs 0)
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connected to ipv4#10.3.232.208:9094
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": subscribe to new subscription of 1 topics (join state init)
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": unsubscribe from current unset subscription of 0 topics (leave group=no, join state init, v1)
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": resetting group leader info: unsubscribe
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" is rebalancing in state init (join-state init) without assignment: unsubscribe
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" changed join state init -> wait-unassign (v1, state init)
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": unassign done in state init (join state wait-unassign): without new assignment: unassign (no previous assignment)
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" changed join state wait-unassign -> init (v1, state init)
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" changed state init -> query-coord (v1, join-state init)
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Broadcasting state change
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Selected for cluster connection: coordinator query (broker has 0 connection attempt(s))
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: failed: err: Local: SSL error: (errno: No error)
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": no broker available for coordinator query: intervaled in state query-coord
[18:12:44 Debug][24] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Received CONNECT op
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state CONNECT -> DOWN
[18:12:44 Debug][25] MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" received op GET_SUBSCRIPTION (v0) in state query-coord (join state init, v1 vs 0)
[18:12:44 Debug][24] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state INIT -> TRY_CONNECT
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][1] MyService.Messaging.Kafka.EventBusConsumer
Confluent.Kafka.Consumer`2[System.String,MyService.sample_app.Sample] subscribed to: [bl-puma]
[18:12:44 Debug][24] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Purging bufq with 0 buffers
[18:12:44 Debug][24] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: broker in state TRY_CONNECT connecting
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Purging bufq with 0 buffers
[18:12:44 Debug][24] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state TRY_CONNECT -> CONNECT
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Updating 0 buffers on connection reset
[18:12:44 Debug][24] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state DOWN -> INIT
[18:12:44 Debug][24] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connecting to ipv4#10.3.232.208:9094 (sasl_ssl) with socket 3024
[18:12:44 Debug][18] MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change
[18:12:44 Error][7] MyService.Messaging.Kafka.EventBusConsumer
errorCode: Local_Ssl, reason: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: SSL handshake failed: .ssls3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed: (after 84ms in state CONNECT)
[18:12:44 Error][4] MyService.Messaging.Kafka.EventBusConsumer
errorCode: Local_Ssl, reason: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: SSL handshake failed: .ssls3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed: (after 76ms in state CONNECT)
推荐答案
我通过在我的应用程序的根文件夹下添加cacert.pem文件解决了这个问题并在SslCaLocation配置
I solved the problem by adding cacert.pem file under the root folder of my application and specified the file name in SslCaLocation configuration
"Dev-on-Windows": {
"commandName": "Project",
"environmentVariables": {
"Kafka__BootstrapServers": "myloadbalancer.myhost.corp:9094",
"Kafka__EnableSslCertificateVerification": "true",
"Kafka__SchemaRegistryUrl": "myschemareg.myhost.corp:8081,myschemreg2.myhost.corp:8081",
"Kafka__SecurityProtocol": "SaslSsl",
"Kafka__SslCaLocation": "cacert.pem",
"Kafka__SaslMechanism": "Gssapi",
"Kafka__ClientId": "DotNetCoreReferenceApplication",
"Kafka__ErrorTolerance": "Moderate",
"Kafka__Debug" : "all",
"ASPNETCORE_ENVIRONMENT": "Development"
},
"applicationUrl": "https://localhost:5001;http://localhost:5000"
},
cacert.pem 包含证书 PK 的串联.我是手动复制的.
The cacert.pem contains concatenation of the PKs of the certificates. I copied them manually.
也就是说,我不确定为什么融合客户端无法访问 Windows 证书根存储.我问了一个单独的问题解决这个问题.
That said I am not sure why the confluent client cannot access the Windows Certificate Root Store. I asked a separate question to address that.
这篇关于当 EnableSslCertificateVerification 设置为 true (Confluent Kafka) 时 - 证书验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!