When EnableSslCertificateVerification is set to true (Confluent Kafka) - certificate verification fails

Problem description

I am running my client on Windows and I was able to verify the CA authority exists and is valid in Trusted Root certificate authorities.

"Dev-on-Windows": {
      "commandName": "Project",
      "environmentVariables": {
        "Kafka__BootstrapServers": "myloadbalancer.myhost.corp:9094",
        "Kafka__EnableSslCertificateVerification": "true",
        "Kafka__SchemaRegistryUrl": "myschemareg.myhost.corp:8081,myschemreg2.myhost.corp:8081",
        "Kafka__SecurityProtocol": "SaslSsl",
        "Kafka__SaslMechanism": "Gssapi",       
        "Kafka__ClientId": "DotNetCoreReferenceApplication",
        "Kafka__ErrorTolerance": "Moderate",
        "Kafka__Debug" : "all",
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:5001;http://localhost:5000"
    },

Publishing and consuming messages works great when I disable SSL verification. However, when it is enabled I get errors:

SSL handshake failed: .ssls3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:  (after 73ms in state CONNECT)

What I tried:

  1. I suspected the user account might not have access to the CA store, so I ran the application using my personal account (vs. the Service Principal) and got the same problem.

I also tried to export that certificate and place it in the directory where I run my .NET Core application, and it failed as well. I tried to point to the directory using SslCaLocation but it didn't work.

Update: here is the debug log

[18:12:40 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Selected provider Win32 SSPI for SASL mechanism GSSAPI

[18:12:40 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka built with OpenSSL version 0x1000212f

[18:12:40 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: 72/73 certificate(s) successfully added from Windows Certificate Root store

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Group "BL-9HQ76S2.consumerGroup1": updating member id "(not-set)" -> ""

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Added new broker with NodeId -1

[18:12:44 Debug][8]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:GroupCoordinator]: GroupCoordinator: Enter main broker thread

[18:12:44 Debug][9]  MyService.Messaging.Kafka.EventBusConsumer
[thrd::0/internal]: :0/internal: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][10]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][11]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka v1.4.2 (0x10402ff) DotNetCoreReferenceApplication-BL-9HQ76S2#consumer-1 initialized (builtin.features gzip,snappy,ssl,sasl,regex,lz4,sasl_gssapi,sasl_plain,sasl_scram,plugins,zstd,sasl_oauthbearer, SSL ZLIB SNAPPY SASL_SCRAM PLUGINS HDRHISTOGRAM, debug 0xfffff)

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" received op SUBSCRIBE (v0) in state init (join state init, v1 vs 0)

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": subscribe to new subscription of 1 topics (join state init)

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": unsubscribe from current unset subscription of 0 topics (leave group=no, join state init, v1)

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": resetting group leader info: unsubscribe

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" is rebalancing in state init (join-state init) without assignment: unsubscribe

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" changed join state init -> wait-unassign (v1, state init)

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": unassign done in state init (join state wait-unassign): without new assignment: unassign (no previous assignment)

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" changed join state wait-unassign -> init (v1, state init)

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" changed state init -> query-coord (v1, join-state init)

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Broadcasting state change

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Selected for cluster connection: coordinator query (broker has 0 connection attempt(s))

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1": no broker available for coordinator query: intervaled in state query-coord

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Received CONNECT op

[18:12:44 Debug][13]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.consumerGroup1" received op GET_SUBSCRIPTION (v0) in state query-coord (join state init, v1 vs 0)

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state INIT -> TRY_CONNECT

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
Confluent.Kafka.Consumer`2[System.String,System.String] subscribed to: [SchemaLess_v1]

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: broker in state TRY_CONNECT connecting

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state TRY_CONNECT -> CONNECT

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Selected provider Win32 SSPI for SASL mechanism GSSAPI

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka built with OpenSSL version 0x1000212f

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: 72/73 certificate(s) successfully added from Windows Certificate Root store

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connecting to ipv4#10.3.232.208:9094 (sasl_ssl) with socket 2448

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Group "BL-9HQ76S2.cheetahConsumerGroup1": updating member id "(not-set)" -> ""

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Added new broker with NodeId -1

[18:12:44 Debug][14]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:GroupCoordinator]: GroupCoordinator: Enter main broker thread

[18:12:44 Debug][15]  MyService.Messaging.Kafka.EventBusConsumer
[thrd::0/internal]: :0/internal: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][16]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connected to ipv4#10.3.232.208:9094

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][17]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka v1.4.2 (0x10402ff) DotNetCoreReferenceApplication-BL-9HQ76S2#consumer-2 initialized (builtin.features gzip,snappy,ssl,sasl,regex,lz4,sasl_gssapi,sasl_plain,sasl_scram,plugins,zstd,sasl_oauthbearer, SSL ZLIB SNAPPY SASL_SCRAM PLUGINS HDRHISTOGRAM, debug 0xfffff)

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" received op SUBSCRIBE (v0) in state init (join state init, v1 vs 0)

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": subscribe to new subscription of 1 topics (join state init)

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": unsubscribe from current unset subscription of 0 topics (leave group=no, join state init, v1)

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": resetting group leader info: unsubscribe

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" is rebalancing in state init (join-state init) without assignment: unsubscribe

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: failed: err: Local: SSL error: (errno: No error)

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" changed join state init -> wait-unassign (v1, state init)

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state CONNECT -> DOWN

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": unassign done in state init (join state wait-unassign): without new assignment: unassign (no previous assignment)

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" changed join state wait-unassign -> init (v1, state init)

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Purging bufq with 0 buffers

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" changed state init -> query-coord (v1, join-state init)

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Purging bufq with 0 buffers

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Broadcasting state change

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Updating 0 buffers on connection reset

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Selected for cluster connection: coordinator query (broker has 0 connection attempt(s))

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state DOWN -> INIT

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1": no broker available for coordinator query: intervaled in state query-coord

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Received CONNECT op

[18:12:44 Debug][12]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][19]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.cheetahConsumerGroup1" received op GET_SUBSCRIPTION (v0) in state query-coord (join state init, v1 vs 0)

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state INIT -> TRY_CONNECT

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
Confluent.Kafka.Consumer`2[System.String,MyService.sample_app.Sample] subscribed to: [bl-cheetah]

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Selected provider Win32 SSPI for SASL mechanism GSSAPI

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: broker in state TRY_CONNECT connecting

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka built with OpenSSL version 0x1000212f

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state TRY_CONNECT -> CONNECT

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connecting to ipv4#10.3.232.208:9094 (sasl_ssl) with socket 2740

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: 72/73 certificate(s) successfully added from Windows Certificate Root store

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: Group "BL-9HQ76S2.pumaConsumerGroup1": updating member id "(not-set)" -> ""

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: GroupCoordinator: Added new broker with NodeId -1

[18:12:44 Debug][20]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:GroupCoordinator]: GroupCoordinator: Enter main broker thread

[18:12:44 Debug][21]  MyService.Messaging.Kafka.EventBusConsumer
[thrd::0/internal]: :0/internal: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][22]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern20p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][23]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern21p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enabled low-latency ops queue wake-ups

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Added new broker with NodeId -1

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:app]: librdkafka v1.4.2 (0x10402ff) DotNetCoreReferenceApplication-BL-9HQ76S2#consumer-3 initialized (builtin.features gzip,snappy,ssl,sasl,regex,lz4,sasl_gssapi,sasl_plain,sasl_scram,plugins,zstd,sasl_oauthbearer, SSL ZLIB SNAPPY SASL_SCRAM PLUGINS HDRHISTOGRAM, debug 0xfffff)

[18:12:44 Debug][24]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Enter main broker thread

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" received op SUBSCRIBE (v0) in state init (join state init, v1 vs 0)

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connected to ipv4#10.3.232.208:9094

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": subscribe to new subscription of 1 topics (join state init)

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": unsubscribe from current unset subscription of 0 topics (leave group=no, join state init, v1)

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": resetting group leader info: unsubscribe

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" is rebalancing in state init (join-state init) without assignment: unsubscribe

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" changed join state init -> wait-unassign (v1, state init)

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": unassign done in state init (join state wait-unassign): without new assignment: unassign (no previous assignment)

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" changed join state wait-unassign -> init (v1, state init)

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" changed state init -> query-coord (v1, join-state init)

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Broadcasting state change

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Selected for cluster connection: coordinator query (broker has 0 connection attempt(s))

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: failed: err: Local: SSL error: (errno: No error)

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1": no broker available for coordinator query: intervaled in state query-coord

[18:12:44 Debug][24]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Received CONNECT op

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state CONNECT -> DOWN

[18:12:44 Debug][25]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:main]: Group "BL-9HQ76S2.pumaConsumerGroup1" received op GET_SUBSCRIPTION (v0) in state query-coord (join state init, v1 vs 0)

[18:12:44 Debug][24]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state INIT -> TRY_CONNECT

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][1]  MyService.Messaging.Kafka.EventBusConsumer
Confluent.Kafka.Consumer`2[System.String,MyService.sample_app.Sample] subscribed to: [bl-puma]

[18:12:44 Debug][24]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Purging bufq with 0 buffers

[18:12:44 Debug][24]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: broker in state TRY_CONNECT connecting

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Purging bufq with 0 buffers

[18:12:44 Debug][24]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state TRY_CONNECT -> CONNECT

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Updating 0 buffers on connection reset

[18:12:44 Debug][24]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Broker changed state DOWN -> INIT

[18:12:44 Debug][24]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: Connecting to ipv4#10.3.232.208:9094 (sasl_ssl) with socket 3024

[18:12:44 Debug][18]  MyService.Messaging.Kafka.EventBusConsumer
[thrd:sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap]: Broadcasting state change

[18:12:44 Error][7]  MyService.Messaging.Kafka.EventBusConsumer
errorCode: Local_Ssl, reason: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: SSL handshake failed: .ssls3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:  (after 84ms in state CONNECT)

[18:12:44 Error][4]  MyService.Messaging.Kafka.EventBusConsumer
errorCode: Local_Ssl, reason: sasl_ssl://brokern22p.domain.MyService.corp:9094/bootstrap: SSL handshake failed: .ssls3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:  (after 76ms in state CONNECT)

Recommended answer

I solved the problem by adding a cacert.pem file under the root folder of my application and specifying the file name in the SslCaLocation configuration:

"Dev-on-Windows": {
      "commandName": "Project",
      "environmentVariables": {
        "Kafka__BootstrapServers": "myloadbalancer.myhost.corp:9094",
        "Kafka__EnableSslCertificateVerification": "true",
        "Kafka__SchemaRegistryUrl": "myschemareg.myhost.corp:8081,myschemreg2.myhost.corp:8081",
        "Kafka__SecurityProtocol": "SaslSsl",
        "Kafka__SslCaLocation": "cacert.pem",
        "Kafka__SaslMechanism": "Gssapi",       
        "Kafka__ClientId": "DotNetCoreReferenceApplication",
        "Kafka__ErrorTolerance": "Moderate",
        "Kafka__Debug" : "all",
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:5001;http://localhost:5000"
    },

The cacert.pem contains a concatenation of the PKs of the certificates. I copied them manually.

That said, I am not sure why the Confluent client cannot access the Windows Certificate Root Store. I asked a separate question to address that.
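
A pre-flight check for a hand-assembled bundle like the cacert.pem above, as an added example that is not part of the original question or answer: it resolves the SslCaLocation value, parses every PEM block, rejects private-key material and reports each certificate's CA flag and validity window. The names CaBundleCheck, Load, Describe and cacert-example.pem are hypothetical, and the sample CA is a constructed, throwaway certificate generated at run time.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

public static class CaBundleCheck   // hypothetical helper, not part of Confluent.Kafka
{
    // One PEM block: captures the label and the base64 body between the armor lines.
    private static readonly Regex PemBlock = new Regex(
        @"-----BEGIN (?<label>[A-Z0-9 ]+)-----(?<body>.*?)-----END \k<label>-----",
        RegexOptions.Singleline);

    // Parses the bundle and returns its certificates; throws when the file is unusable as a trust bundle.
    public static List<X509Certificate2> Load(string caLocation)
    {
        // A relative value such as "cacert.pem" resolves against the process working directory.
        string fullPath = Path.GetFullPath(caLocation);
        if (Directory.Exists(fullPath))
            throw new InvalidOperationException($"{fullPath} is a directory; this check expects one PEM file.");
        if (!File.Exists(fullPath))
            throw new FileNotFoundException("CA bundle not found", fullPath);

        var certs = new List<X509Certificate2>();
        foreach (Match m in PemBlock.Matches(File.ReadAllText(fullPath)))
        {
            string label = m.Groups["label"].Value;
            if (label.Contains("PRIVATE KEY"))
                throw new InvalidOperationException("Bundle contains a private key; a trust bundle needs certificates only.");
            if (label != "CERTIFICATE")
                continue; // skip blocks that are not certificates

            // FromBase64String ignores the line breaks inside the PEM body.
            byte[] der = Convert.FromBase64String(m.Groups["body"].Value);
            // On .NET 9+, X509CertificateLoader.LoadCertificate(der) is the non-obsolete equivalent.
            certs.Add(new X509Certificate2(der));
        }
        if (certs.Count == 0)
            throw new InvalidOperationException($"{fullPath} contains no CERTIFICATE blocks.");
        return certs;
    }

    // One line per certificate: who it is, whether it is marked as a CA, and whether it is currently valid.
    public static string Describe(X509Certificate2 c)
    {
        bool isCa = c.Extensions.OfType<X509BasicConstraintsExtension>().Any(e => e.CertificateAuthority);
        bool selfIssued = c.SubjectName.RawData.SequenceEqual(c.IssuerName.RawData);
        bool inValidity = DateTime.Now >= c.NotBefore && DateTime.Now <= c.NotAfter;
        return $"{c.Subject} | CA={isCa} | self-issued={selfIssued} | valid-now={inValidity} | expires={c.NotAfter:u}";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a self-signed CA created here, standing in for the corporate root.
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=Constructed Example Root CA", key,
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using X509Certificate2 ca = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        // Write only the public certificate (RawData) in PEM form, never the key.
        string pem = "-----BEGIN CERTIFICATE-----\n"
                   + Convert.ToBase64String(ca.RawData, Base64FormattingOptions.InsertLineBreaks)
                   + "\n-----END CERTIFICATE-----\n";
        string path = Path.Combine(Path.GetTempPath(), "cacert-example.pem");
        File.WriteAllText(path, pem);

        foreach (X509Certificate2 cert in CaBundleCheck.Load(path))
            Console.WriteLine(CaBundleCheck.Describe(cert));
    }
}
```

Run the check against the same value that Kafka__SslCaLocation carries before starting the client; a bundle that parses cleanly still has to contain the CA chain that issued the broker certificate.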
