Trofimov created KAFKA-12784:
--------------------------------

             Summary: ssl kafka failed
                 Key: KAFKA-12784
                 URL: https://issues.apache.org/jira/browse/KAFKA-12784
             Project: Kafka
          Issue Type: Task
          Components: config, consumer, KafkaConnect
    Affects Versions: 2.8.0
            Reporter: Trofimov
             Fix For: 2.8.0


*kafka version:* kafka_2.13-2.8.0

I have a problem with SSL Kafka. I can't figure out how ssl.endpoint.identification.algorithm works, because everything works fine for me if this parameter is empty. If I set it to https, I get "_no subject alternative dns name matching_" problems with the brokers.

*My dns name 1 server:*

[root@zeus1 /home/trofimov-im]# nslookup IP_ADDR
IP_ADDR.in-addr.arpa name = zeus1.bbk.strf.ru.

I removed the unnecessary *cert in truststore:*

Keystore type: jks
Keystore provider: SUN

Your keystore contains 7 entries

Alias name: caroot
Creation date: May 11, 2021
Entry type: trustedCertEntry

Owner: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
Issuer: CN=Root CA, O=bbk, C=RU

*******************************************
*******************************************

Alias name: zeus1.cert
Creation date: May 11, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=zeus1.bbk.strf.ru, OU=SCS, O=BBK of Russia, L=Moscow, ST=Moscow, C=RU
Issuer: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
Serial number: 1d0007b167a6fd474142f6b79f00000007b167
Valid from: Tue Apr 27 19:33:52 MSK 2021 until: Mon Nov 20 14:19:00 MSK 2023
Certificate fingerprints:
	 MD5:  85:E5:4F:30:A6:A1:0E:A0:8B:7E:70:1C:2B:01:65:BA
	 SHA1: 84:20:E8:0E:8E:24:EB:E4:93:92:7B:D1:61:3B:75:A9:D8:83:12:DE
	 SHA256: E6:3D:4E:BD:93:22:B5:4E:28:5A:78:F6:B8:53:1B:BF:6C:39:3D:FC:EB:CF:F8:62:FC:DA:9B:BE:59:4E:F6:EE
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: scs-kafka.bbk.strf.ru
  DNSName: *.scs-kafka.bbk.strf.ru
  DNSName: scs-kafka
  DNSName: *.scs-kafka
  DNSName: zeus1.bbk.strf.ru
  DNSName: *.zeus1.bbk.strf.ru
  DNSName: zeus1
  DNSName: *.zeus1
]

*******************************************
*******************************************

Alias name: zeus2.cert
Creation date: May 11, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=zeus2.bbk.strf.ru, OU=SCS, O=BBK of Russia, L=Moscow, ST=Moscow, C=RU
Issuer: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
Serial number: 1d0007b169e5e4f88b66d2e1ce00000007b169
Valid from: Tue Apr 27 19:35:28 MSK 2021 until: Mon Nov 20 14:19:00 MSK 2023
Certificate fingerprints:
	 MD5:  98:19:39:A9:DF:73:61:EB:17:30:BB:40:75:16:CE:0A
	 SHA1: 81:0E:77:60:31:77:FC:5A:5C:E3:5F:45:F5:97:C6:84:F0:7B:DB:B5
	 SHA256: 8D:89:2D:B0:AA:9B:8E:95:D0:54:42:E9:E2:6D:67:FC:7A:6E:F4:50:58:76:F4:F7:0E:F5:D6:F7:A8:C1:5D:51
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: scs-kafka.bbk.strf.ru
  DNSName: *.scs-kafka.bbk.strf.ru
  DNSName: scs-kafka
  DNSName: *.scs-kafka
  DNSName: zeus2.bbk.strf.ru
  DNSName: *.zeus2.bbk.strf.ru
  DNSName: zeus2
  DNSName: *.zeus2
]

*******************************************
*******************************************

*keystore is the same*

*The configuration is like this:*

ssl.keystore.location=/home/kafka/kafka.server.keystore.jks
ssl.keystore.password=password
ssl.key.password= password
ssl.truststore.location=/home/kafka/kafka.server.truststore.jks
ssl.truststore.password= password
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type=JKS
ssl.truststore.type=JKS
security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.endpoint.identification.algorithm=

*What's wrong, where to dig?*



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
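As an added illustration of what the `https` setting actually checks (example code, not part of the report and not Kafka's own implementation), the Python below reproduces the hostname-against-SAN matching rules that Java's HTTPS endpoint identification applies, using the dNSName entries copied from the zeus1 certificate above. The host names and the IP address fed to it are constructed, and the code simplifies by omitting the CN fallback Java uses only when a certificate carries no dNSName SANs at all.

```python
import ipaddress

# dNSName SAN entries as listed for zeus1.cert in the report.
ZEUS1_DNS_SANS = [
    "scs-kafka.bbk.strf.ru", "*.scs-kafka.bbk.strf.ru", "scs-kafka", "*.scs-kafka",
    "zeus1.bbk.strf.ru", "*.zeus1.bbk.strf.ru", "zeus1", "*.zeus1",
]


def _dns_label_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN pattern against a hostname (RFC 6125 style).

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label: "*.zeus1" matches "kafka.zeus1" but neither
    "a.b.zeus1" nor the bare "zeus1". Comparison is case-insensitive.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # e.g. ".zeus1.bbk.strf.ru"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label and "*" not in first_label


def endpoint_identification(host: str, dns_sans, ip_sans=()) -> bool:
    """Return True if a certificate with these SANs is valid for `host`.

    Mirrors the check Kafka turns on with
    ssl.endpoint.identification.algorithm=https (simplified, no CN fallback).
    A host given as an IP literal is compared only against iPAddress SANs,
    never against dNSName entries, so a certificate whose SANs are all DNS
    names cannot pass for a connection made to a raw IP address.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in ip_sans)
    return any(_dns_label_match(p, host) for p in dns_sans)


if __name__ == "__main__":
    # Constructed connection targets; 192.0.2.10 is a documentation-range IP.
    for h in ["zeus1.bbk.strf.ru", "kafka.zeus1.bbk.strf.ru",
              "a.b.zeus1.bbk.strf.ru", "zeus2.bbk.strf.ru", "192.0.2.10"]:
        print(f"{h:28} -> {endpoint_identification(h, ZEUS1_DNS_SANS)}")
```

Comparing the name each broker is actually contacted by (the advertised listener, or a bootstrap entry) against this function shows immediately whether the SAN list covers it.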