Trofimov created KAFKA-12784:
--------------------------------

             Summary: ssl kafka failed
                 Key: KAFKA-12784
                 URL: https://issues.apache.org/jira/browse/KAFKA-12784
             Project: Kafka
          Issue Type: Task
          Components: config, consumer, KafkaConnect
    Affects Versions: 2.8.0
            Reporter: Trofimov
             Fix For: 2.8.0


*Kafka version:* kafka_2.13-2.8.0

I have a problem with SSL in Kafka. I can't figure out how
ssl.endpoint.identification.algorithm works, because everything works fine for
me if this parameter is empty.

If I set it to https, I get "_no subject alternative dns name matching_" problems
with the brokers.


*My DNS name for server 1:*

[root@zeus1 /home/trofimov-im]#  nslookup IP_ADDR

IP_ADDR.in-addr.arpa      name = zeus1.bbk.strf.ru.

I removed unnecessary

*Certs in the truststore:*

Keystore type: jks
Keystore provider: SUN

Your keystore contains 7 entries

Alias name: caroot
Creation date: May 11, 2021
Entry type: trustedCertEntry

Owner: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
Issuer: CN=Root CA, O=bbk, C=RU

*******************************************
*******************************************


Alias name: zeus1.cert
Creation date: May 11, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=zeus1.bbk.strf.ru, OU=SCS, O=BBK of Russia, L=Moscow, ST=Moscow, C=RU
Issuer: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
Serial number: 1d0007b167a6fd474142f6b79f00000007b167
Valid from: Tue Apr 27 19:33:52 MSK 2021 until: Mon Nov 20 14:19:00 MSK 2023
Certificate fingerprints:
 MD5: 85:E5:4F:30:A6:A1:0E:A0:8B:7E:70:1C:2B:01:65:BA
 SHA1: 84:20:E8:0E:8E:24:EB:E4:93:92:7B:D1:61:3B:75:A9:D8:83:12:DE
 SHA256: E6:3D:4E:BD:93:22:B5:4E:28:5A:78:F6:B8:53:1B:BF:6C:39:3D:FC:EB:CF:F8:62:FC:DA:9B:BE:59:4E:F6:EE
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3


#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
 DNSName: scs-kafka.bbk.strf.ru
 DNSName: *.scs-kafka.bbk.strf.ru
 DNSName: scs-kafka
 DNSName: *.scs-kafka
 DNSName: zeus1.bbk.strf.ru
 DNSName: *.zeus1.bbk.strf.ru
 DNSName: zeus1
 DNSName: *.zeus1
]

*******************************************
*******************************************


Alias name: zeus2.cert
Creation date: May 11, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=zeus2.bbk.strf.ru, OU=SCS, O=BBK of Russia, L=Moscow, ST=Moscow, C=RU
Issuer: CN=Enterprise CA 2, DC=bbk, DC=strf, DC=ru
Serial number: 1d0007b169e5e4f88b66d2e1ce00000007b169
Valid from: Tue Apr 27 19:35:28 MSK 2021 until: Mon Nov 20 14:19:00 MSK 2023
Certificate fingerprints:
 MD5: 98:19:39:A9:DF:73:61:EB:17:30:BB:40:75:16:CE:0A
 SHA1: 81:0E:77:60:31:77:FC:5A:5C:E3:5F:45:F5:97:C6:84:F0:7B:DB:B5
 SHA256: 8D:89:2D:B0:AA:9B:8E:95:D0:54:42:E9:E2:6D:67:FC:7A:6E:F4:50:58:76:F4:F7:0E:F5:D6:F7:A8:C1:5D:51
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
 DNSName: scs-kafka.bbk.strf.ru
 DNSName: *.scs-kafka.bbk.strf.ru
 DNSName: scs-kafka
 DNSName: *.scs-kafka
 DNSName: zeus2.bbk.strf.ru
 DNSName: *.zeus2.bbk.strf.ru
 DNSName: zeus2
 DNSName: *.zeus2
]

*******************************************
*******************************************

*The keystore is the same.*

*The configuration is like this:*

ssl.keystore.location=/home/kafka/kafka.server.keystore.jks
ssl.keystore.password=password
ssl.key.password= password

ssl.truststore.location=/home/kafka/kafka.server.truststore.jks
ssl.truststore.password= password

ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type=JKS
ssl.truststore.type=JKS

security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.endpoint.identification.algorithm=

*What's wrong, where to dig?*

 
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
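As an added illustration (not code from this report or from Kafka), the Python below parses the SAN block that keytool printed for zeus1.cert and applies the hostname-matching rules Kafka's JDK-based TLS stack enforces once ssl.endpoint.identification.algorithm=https: the name the other side connected to (for inter-broker traffic, the host under which the peer broker is advertised) must match a DNSName entry, a wildcard covers exactly one leftmost label, and an IP literal is compared only with IPAddress entries, so a connection opened to an IP address cannot pass against this certificate. It assumes the SAN block shown above and uses a simplified version of the JDK wildcard rule.

```python
import ipaddress
import re
# SAN block exactly as `keytool -list -v` printed it for zeus1.cert in this report.
KEYTOOL_SAN_ZEUS1 = """\
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
 DNSName: scs-kafka.bbk.strf.ru
 DNSName: *.scs-kafka.bbk.strf.ru
 DNSName: scs-kafka
 DNSName: *.scs-kafka
 DNSName: zeus1.bbk.strf.ru
 DNSName: *.zeus1.bbk.strf.ru
 DNSName: zeus1
 DNSName: *.zeus1
]
"""
_SAN_RE = re.compile(r"^\s*(DNSName|IPAddress):\s*(\S+)\s*$", re.MULTILINE)

def parse_san(keytool_text):
    """Collect the DNSName and IPAddress entries from a keytool SAN block."""
    dns, ips = set(), set()
    for kind, value in _SAN_RE.findall(keytool_text):
        (dns if kind == "DNSName" else ips).add(value.lower())
    return dns, ips

def dns_name_matches(pattern, host):
    """Simplified RFC 6125 rule: '*' only as the whole leftmost label, one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False  # '*', '*.', 'a*.x' and 'a.*.x' are rejected
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest  # wildcard never spans a dot

def verify_hostname(host, keytool_text):
    """(ok, reason); an IP literal is checked only against IPAddress SANs."""
    dns, ips = parse_san(keytool_text)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        for pattern in sorted(dns):
            if dns_name_matches(pattern, host):
                return True, f"DNSName '{pattern}' matches {host}"
        return False, f"no DNSName SAN matches {host}"
    if ip in {ipaddress.ip_address(v) for v in ips}:
        return True, f"IPAddress SAN matches {ip}"
    return False, f"no IPAddress SAN for {ip}; DNSName entries are not consulted"
```

Run verify_hostname() with the exact host string a broker or client uses to reach zeus1; if it returns False, the SAN list is the place to dig.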