[ 
https://issues.apache.org/jira/browse/KAFKA-12534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17345886#comment-17345886
 ] 

kaushik srinivas commented on KAFKA-12534:
------------------------------------------

Hi,

We have tried the exact steps and captured the commands and logs in detail. The 
scenario to change the keystore password still does not work.

Sequence of steps to reproduce:
 # Install the Kafka broker by generating a CA, truststore and keystore (password 
for the stores: 123456).
 # Regenerate the keystore with a new password (1234567). Use the same CA and 
truststore generated in step 1.
 # Issue the dynamic reconfig command after replacing the keystore file in the 
specified location.
 # Dynamic config command issued:
{code:java}
./kafka-configs --bootstrap-server kafkabroker:9092 --command-config ssl.properties --entity-type brokers --entity-name 1001 --alter --add-config 'listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.keystore.location=/etc/kafka/secrets/ssl/keyStore'
{code}
Note: the listener name is ssl and the config keys are in the format specified in 
[https://docs.confluent.io/platform/current/kafka/dynamic-config.html#updating-ssl-keystore-of-an-existing-listener]
 # The command fails with the following trace:
{code:java}
Error while executing config command with args '--bootstrap-server kafkabroker:9092 --command-config ssl.properties --entity-type brokers --entity-name 1001 --alter --add-config listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.keystore.location=/etc/kafka/secrets/ssl/keyStore'
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.InvalidRequestException: Invalid config value for resource ConfigResource(type=BROKER, name='1001'): Invalid value org.apache.kafka.common.config.ConfigException: Validation of dynamic config update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for configuration Invalid dynamic configuration
        at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
        at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
        at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:104)
        at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272)
        at kafka.admin.ConfigCommand$.alterBrokerConfig(ConfigCommand.scala:338)
        at kafka.admin.ConfigCommand$.processBrokerConfig(ConfigCommand.scala:308)
        at kafka.admin.ConfigCommand$.main(ConfigCommand.scala:85)
        at kafka.admin.ConfigCommand.main(ConfigCommand.scala)
Caused by: org.apache.kafka.common.errors.InvalidRequestException: Invalid config value for resource ConfigResource(type=BROKER, name='1001'): Invalid value org.apache.kafka.common.config.ConfigException: Validation of dynamic config update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for configuration Invalid dynamic configuration
{code}
The Kafka broker logs the output below:
{code:java}
{ "timezone":"UTC", "log":{"message":"data-plane-kafka-request-handler-5 - kafka.server.AdminManager - [Admin Manager on Broker 1001]: Invalid config value for resource ConfigResource(type=BROKER, name='1001'): Invalid value org.apache.kafka.common.config.ConfigException: Validation of dynamic config update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for configuration Invalid dynamic configuration"}}
{code}

> kafka-configs does not work with ssl enabled kafka broker.
> ----------------------------------------------------------
>
>                 Key: KAFKA-12534
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12534
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.6.1
>            Reporter: kaushik srinivas
>            Priority: Critical
>
> We are trying to change the truststore password on the fly using the 
> kafka-configs script for an SSL-enabled Kafka broker.
> Below is the command used:
> kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers 
> --entity-name 1001 --alter --add-config 'ssl.truststore.password=xxx'
> But we see below error in the broker logs when the command is run.
> {"type":"log", "host":"kf-2-0", "level":"INFO", 
> "neid":"kafka-cfd5ccf2af7f47868e83473408", "system":"kafka", 
> "time":"2021-03-23T12:14:40.055", "timezone":"UTC", 
> "log":{"message":"data-plane-kafka-network-thread-1002-ListenerName(SSL)-SSL-2 - org.apache.kafka.common.network.Selector - [SocketServer brokerId=1002] Failed authentication with /127.0.0.1 (SSL handshake failed)"}}
> How can anyone configure SSL certs for the kafka-configs script and succeed 
> with the SSL handshake in this case?
> Note: 
> We are trying with a single listener, i.e. SSL.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
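The two problems in this thread are (a) kafka-configs talking to an SSL-only listener, which needs a client properties file passed with --command-config, and (b) the keystore rotation itself, where the broker reports "Failed to load SSL keystore" while validating the new store. The script below is an added example and is not code from the reporter or from the Kafka project. It builds the --add-config value with all three keystore-related keys for the listener (location, keystore password and key password, the last so that the broker does not have to fall back to the keystore password for the private key), writes the client properties file, and checks on the broker host that the file is readable and opens with the new password using keytool before the reconfig is sent. The listener name ssl, broker id 1001, the paths under /etc/kafka/secrets/ssl and the passwords 123456 and 1234567 are taken from the thread; the function names, the truststore file name and the ssl.properties contents are assumptions. The main function is only run when RUN_ROTATION=1 is set, since it needs keytool and a live broker.

```shell
#!/bin/sh
# Added example (not from the Jira issue or the Kafka project). Names of the
# functions, the truststore path and ssl.properties contents are assumptions.
set -eu

# Build the --add-config value for a keystore update on one listener.
# All three keys are sent together: location, store password and key password.
build_add_config() {
    listener="$1"; location="$2"; store_pass="$3"; key_pass="$4"
    prefix="listener.name.${listener}.ssl"
    printf '%s.keystore.location=%s,%s.keystore.password=%s,%s.key.password=%s' \
        "$prefix" "$location" "$prefix" "$store_pass" "$prefix" "$key_pass"
}

# Client properties for kafka-configs so it can complete the TLS handshake with
# an SSL-only listener. A client keystore is only needed when the broker
# requires client certificates (ssl.client.auth=required).
write_client_props() {
    out="$1"; truststore="$2"; truststore_pass="$3"
    cat > "$out" <<EOF
security.protocol=SSL
ssl.truststore.location=${truststore}
ssl.truststore.password=${truststore_pass}
EOF
}

# Pre-flight check, run on the broker host: the file must exist and be readable
# by the broker process, and keytool must open it with the new store password.
# keytool exits non-zero when the password is wrong or the file is not a keystore.
check_keystore() {
    keystore="$1"; store_pass="$2"
    if [ ! -r "$keystore" ]; then
        echo "keystore not readable: $keystore" >&2
        return 1
    fi
    keytool -list -keystore "$keystore" -storepass "$store_pass" >/dev/null
}

# Rotation as described in the thread: new store password 1234567, the same
# truststore (password 123456) as before, listener "ssl", broker id 1001.
main() {
    keystore=/etc/kafka/secrets/ssl/keyStore
    check_keystore "$keystore" 1234567
    write_client_props ssl.properties /etc/kafka/secrets/ssl/truststore 123456
    ./kafka-configs --bootstrap-server kafkabroker:9092 --command-config ssl.properties \
        --entity-type brokers --entity-name 1001 --alter \
        --add-config "$(build_add_config ssl "$keystore" 1234567 1234567)"
}

# Only run against a real broker when explicitly asked for.
if [ "${RUN_ROTATION:-0}" = "1" ]; then
    main
fi
```

If check_keystore fails with the same password the reconfig command is about to send, the broker's "Failed to load SSL keystore" is expected and the store (or the key password inside it) is the problem, not the dynamic config path. If keytool opens it but the broker still fails, compare the path the broker logs against the one in the command (the trace above shows /etc/kafka/secrets//ssl/keyStore) and check the file permissions as seen by the broker's user.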
