[ https://issues.apache.org/jira/browse/KAFKA-12534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17320966#comment-17320966 ]
kaushik srinivas edited comment on KAFKA-12534 at 4/14/21, 12:42 PM:
---------------------------------------------------------------------

Hi [~cricket007],

We tried to change the keystore password and key password for one of the Kafka brokers. Below is the command used:

./kafka-configs --bootstrap-server xxxxxx:9092 --command-config ssl.xt --entity-type brokers --entity-name 1007 --alter --add-config 'listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.key.password=1234567'

Contents of the command config file ssl.xt:

[root@vm-10-75-112-163 bin]# cat ssl.xt
ssl.key.password=123456
ssl.keystore.location=/securityFiles/ssl/kafka.client.keystore.jks
ssl.keystore.password=123456
ssl.truststore.location=/securityFiles/ssl/kafka.client.truststore.jks
ssl.truststore.password=123456
security.protocol=SSL

Note: we have two keystores, one for the Kafka broker and one for the admin client. The password for the admin client keystore file is 123456, and this is what is configured in the command config file.

But we see the output below when we run this command:

{code:java}
hreads appropriately using -XX:ParallelGCThreads=N
[2021-04-14 12:24:39,705] WARN The configuration 'ssl.truststore.location' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,708] WARN The configuration 'ssl.keystore.password' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.key.password' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.keystore.location' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.truststore.password' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
Error while executing config command with args '--bootstrap-server xxxxx:9092 --command-config ssl.xt --entity-type brokers --entity-name 1007 --alter --add-config listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.key.password=1234567'
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.InvalidRequestException: Invalid config value for resource ConfigResource(type=BROKER, name='1007'): Invalid value org.apache.kafka.common.config.ConfigException: Validation of dynamic config update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for configuration Invalid dynamic configuration
	at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
	at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
	at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:104)
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272)
	at kafka.admin.ConfigCommand$.alterBrokerConfig(ConfigCommand.scala:338)
	at kafka.admin.ConfigCommand$.processBrokerConfig(ConfigCommand.scala:308)
	at kafka.admin.ConfigCommand$.main(ConfigCommand.scala:85)
	at kafka.admin.ConfigCommand.main(ConfigCommand.scala)
Caused by: org.apache.kafka.common.errors.InvalidRequestException: Invalid config value for resource ConfigResource(type=BROKER, name='1007'): Invalid value org.apache.kafka.common.config.ConfigException: Validation of dynamic config update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for configuration Invalid dynamic configuration
{code}

It says "WARN The configuration 'ssl.truststore.location' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)".

Also, the new keystore is encrypted with the new password, and still we observe that the validation has failed.

Note: the server.properties file is not updated with the latest password. It is still referring to the old keystore and key passwords.

Can you help us with this?

-kaushik

was (Author: kaushik srinivas):

Hi [~cricket007],

We tried to change the keystore password and key password for one of the Kafka brokers. Below is the command used:

./kafka-configs --bootstrap-server xxxxxx:9092 --command-config ssl.xt --entity-type brokers --entity-name 1007 --alter --add-config 'listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.key.password=1234567'

Contents of the command config file ssl.xt:

[root@vm-10-75-112-163 bin]# cat ssl.xt
ssl.key.password=123456
ssl.keystore.location=/securityFiles/ssl/kafka.client.keystore.jks
ssl.keystore.password=123456
ssl.truststore.location=/securityFiles/ssl/kafka.client.truststore.jks
ssl.truststore.password=123456
security.protocol=SSL

Note: we have two keystores, one for the Kafka broker and one for the admin client. The password for the admin client keystore file is 123456, and this is what is configured in the command config file.

But we see the output below when we run this command:

{code:java}
hreads appropriately using -XX:ParallelGCThreads=N
[2021-04-14 12:24:39,705] WARN The configuration 'ssl.truststore.location' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,708] WARN The configuration 'ssl.keystore.password' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.key.password' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.keystore.location' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.truststore.password' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
Error while executing config command with args '--bootstrap-server xxxxx:9092 --command-config ssl.xt --entity-type brokers --entity-name 1007 --alter --add-config listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.key.password=1234567'
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.InvalidRequestException: Invalid config value for resource ConfigResource(type=BROKER, name='1007'): Invalid value org.apache.kafka.common.config.ConfigException: Validation of dynamic config update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for configuration Invalid dynamic configuration
	at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
	at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
	at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:104)
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272)
	at kafka.admin.ConfigCommand$.alterBrokerConfig(ConfigCommand.scala:338)
	at kafka.admin.ConfigCommand$.processBrokerConfig(ConfigCommand.scala:308)
	at kafka.admin.ConfigCommand$.main(ConfigCommand.scala:85)
	at kafka.admin.ConfigCommand.main(ConfigCommand.scala)
Caused by: org.apache.kafka.common.errors.InvalidRequestException: Invalid config value for resource ConfigResource(type=BROKER, name='1007'): Invalid value org.apache.kafka.common.config.ConfigException: Validation of dynamic config update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for configuration Invalid dynamic configuration
{code}

It says "WARN The configuration 'ssl.truststore.location' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)".

Also, the new keystore is encrypted with the new password, and still we observe that the validation has failed.

Can you help us with this?

-kaushik

> kafka-configs does not work with ssl enabled kafka broker.
> ----------------------------------------------------------
>
>                 Key: KAFKA-12534
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12534
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.6.1
>            Reporter: kaushik srinivas
>            Priority: Critical
>
> We are trying to change the trust store password on the fly using the kafka-configs script for an SSL-enabled Kafka broker.
> Below is the command used:
> kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers --entity-name 1001 --alter --add-config 'ssl.truststore.password=xxx'
> But we see the below error in the broker logs when the command is run.
> {"type":"log", "host":"kf-2-0", "level":"INFO", "neid":"kafka-cfd5ccf2af7f47868e83473408", "system":"kafka", "time":"2021-03-23T12:14:40.055", "timezone":"UTC", "log":\{"message":"data-plane-kafka-network-thread-1002-ListenerName(SSL)-SSL-2 - org.apache.kafka.common.network.Selector - [SocketServer brokerId=1002] Failed authentication with /127.0.0.1 (SSL handshake failed)"}}
> How can anyone configure SSL certs for the kafka-configs script and succeed with the SSL handshake in this case?
> Note:
> We are trying with a single listener, i.e. SSL:

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
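As an added example (not code from the ticket or from the Kafka project), the same rotation done from a Java admin client instead of the kafka-configs script. The validation error in the comment shows the broker reloading the keystore at its own ssl.keystore.location with the new password, so the example first opens that file with the candidate password the way the broker will, and only then sends the two listener-scoped entries with incrementalAlterConfigs. It assumes it runs on the broker host (so the broker's keystore path from the error is readable), that broker-host:9092 is a placeholder, and that the admin client authenticates with the client keystore and truststore listed in ssl.xt.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.AlterConfigOp;
import org.apache.kafka.clients.admin.ConfigEntry;
import org.apache.kafka.common.config.ConfigResource;

public class RotateBrokerKeystorePassword {
    static final String BROKER_ID = "1007";                                  // from the ticket
    static final String BROKER_KEYSTORE = "/etc/kafka/secrets/ssl/keyStore"; // path from the error
    static final String LISTENER_PREFIX = "listener.name.ssl.";              // listener-scoped keys
    // Same load the broker performs while validating the dynamic update: open the
    // JKS with the store password, then unlock every key entry with the key password.
    static void verifyKeystore(String path, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);        // IOException on a wrong store password
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                ks.getKey(alias, keyPass); // UnrecoverableKeyException on a wrong key password
            }
        }
    }
    // args[0]: new broker keystore/key password; args[1]: admin client's own store password.
    public static void main(String[] args) throws Exception {
        String newPass = args[0];
        verifyKeystore(BROKER_KEYSTORE, newPass.toCharArray(), newPass.toCharArray());
        Properties client = new Properties();   // admin client identity, as in ssl.xt
        client.put("bootstrap.servers", "broker-host:9092");  // placeholder
        client.put("security.protocol", "SSL");
        client.put("ssl.truststore.location", "/securityFiles/ssl/kafka.client.truststore.jks");
        client.put("ssl.truststore.password", args[1]);
        client.put("ssl.keystore.location", "/securityFiles/ssl/kafka.client.keystore.jks");
        client.put("ssl.keystore.password", args[1]);
        client.put("ssl.key.password", args[1]);
        // SET only the two listener-scoped keys; other dynamic broker configs stay untouched.
        ConfigResource broker = new ConfigResource(ConfigResource.Type.BROKER, BROKER_ID);
        List<AlterConfigOp> ops = List.of(
            new AlterConfigOp(new ConfigEntry(LISTENER_PREFIX + "ssl.keystore.password", newPass), AlterConfigOp.OpType.SET),
            new AlterConfigOp(new ConfigEntry(LISTENER_PREFIX + "ssl.key.password", newPass), AlterConfigOp.OpType.SET));
        try (Admin admin = Admin.create(client)) {
            admin.incrementalAlterConfigs(Map.of(broker, ops)).all().get();
        }
    }
}
```

If verifyKeystore throws, the file the broker will read does not open with the new password, which is exactly the condition the broker reports as "Failed to load SSL keystore", so the update is not sent.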