[ https://issues.apache.org/jira/browse/KAFKA-12228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270755#comment-17270755 ]

Alexey Kashavkin edited comment on KAFKA-12228 at 1/23/21, 9:00 PM:
--------------------------------------------------------------------

I switched to different Oracle JDK versions, but with no effect. I also tried to set the certificate with these options:
{code:java}
ssl.keystore.type=PEM
ssl.keystore.location=/opt/kafka/certs/certificate.pem
ssl.key.password=null
{code}
And I got a new error:
{code:bash}
[2021-01-23 20:33:21,552] ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.errors.InvalidConfigurationException: Failed to load PEM SSL keystore /opt/kafka/certs/certificate.pem
Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: Invalid PEM keystore configs
Caused by: java.io.IOException: overrun, bytes = 111
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:92)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$PemStore.privateKey(DefaultSslEngineFactory.java:512)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$PemStore.createKeyStoreFromPem(DefaultSslEngineFactory.java:462)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$PemStore.<init>(DefaultSslEngineFactory.java:435)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedPemStore.load(DefaultSslEngineFactory.java:412)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.<init>(DefaultSslEngineFactory.java:349)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedPemStore.<init>(DefaultSslEngineFactory.java:405)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.createKeystore(DefaultSslEngineFactory.java:293)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.configure(DefaultSslEngineFactory.java:161)
        at org.apache.kafka.common.security.ssl.SslFactory.instantiateSslEngineFactory(SslFactory.java:136)
        at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:93)
        at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:72)
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
        at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:97)
        at kafka.network.Processor.<init>(SocketServer.scala:790)
        at kafka.network.SocketServer.newProcessor(SocketServer.scala:415)
        at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors$1(SocketServer.scala:288)
        at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:287)
        at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:254)
        at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:251)
        at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
        at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
        at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
        at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:251)
        at kafka.network.SocketServer.startup(SocketServer.scala:125)
        at kafka.server.KafkaServer.startup(KafkaServer.scala:303)
        at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
        at kafka.Kafka$.main(Kafka.scala:82)
        at kafka.Kafka.main(Kafka.scala)
[2021-01-23 20:33:21,557] INFO [KafkaServer id=0] shutting down (kafka.server.KafkaServer)
{code}
But if I convert this certificate to JKS:
{code:bash}
openssl pkcs12 -export -in certificate.pem -out certificate.p12
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore certificate.jks

echo 'ssl.keystore.location=/opt/kafka/certs/certificate.jks' >>server.properties
echo 'ssl.keystore.password=password' >>server.properties
{code}
the broker works correctly.
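A pre-flight check for the PEM keystore configuration tried in the comment above, as an added example that is not code from the issue or from the Kafka project. It assumes the KIP-651 rule that the private key in a PEM keystore must be PKCS#8, either an unencrypted `BEGIN PRIVATE KEY` block or a `BEGIN ENCRYPTED PRIVATE KEY` block whose passphrase is `ssl.key.password`, and it reads the stack trace as it stands: `PemStore.privateKey` entered `EncryptedPrivateKeyInfo.<init>`, so the key bytes were handled as an encrypted key. A properties line `ssl.key.password=null` sets the password to the string `null`; it does not unset it. The PEM bodies and properties fragments in the block are constructed placeholders, not real key material.

```python
"""Pre-flight check for a Kafka PEM keystore (ssl.keystore.type=PEM).

Added example, not code from the Kafka project or from KAFKA-12228. Assumptions:
  * KIP-651: the private key inside the PEM keystore must be PKCS#8, either
    unencrypted ("BEGIN PRIVATE KEY") or encrypted ("BEGIN ENCRYPTED PRIVATE KEY")
    with the passphrase configured as ssl.key.password.
  * Any present ssl.key.password makes the broker take the encrypted-key path
    (the issue's trace: PemStore.privateKey -> EncryptedPrivateKeyInfo.<init>).
Run the check on a server.properties fragment and the PEM file before starting
the broker instead of discovering the mismatch from a fatal startup error.
"""
import re

# One PEM block: label in group 1, body in group 2; \1 forces END to match BEGIN.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# PKCS#8 labels; any other label ending in "PRIVATE KEY" is a traditional
# OpenSSL encoding such as "EC PRIVATE KEY" or "RSA PRIVATE KEY".
PKCS8_PLAIN = "PRIVATE KEY"
PKCS8_ENCRYPTED = "ENCRYPTED PRIVATE KEY"


def pem_block_types(pem_text):
    """Return the labels of all PEM blocks in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments.
    No escape or continuation handling; enough for the ssl.* lines checked here."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_pem_keystore(props, pem_text):
    """Return a list of findings; an empty list means config and PEM file agree."""
    if props.get("ssl.keystore.type") != "PEM":
        return ["ssl.keystore.type is not PEM; this check does not apply"]
    findings = []
    types = pem_block_types(pem_text)
    certs = [t for t in types if t == "CERTIFICATE"]
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    password = props.get("ssl.key.password")  # None only when the line is absent

    if not certs:
        findings.append("no CERTIFICATE block in the keystore PEM")
    if len(keys) != 1:
        findings.append(f"expected exactly one private key block, found {len(keys)}")

    for key_type in keys:
        if key_type == PKCS8_PLAIN:
            if password is not None:
                findings.append(
                    "key is unencrypted PKCS#8 but ssl.key.password is present "
                    f"(value {password!r}); the broker would parse the key as "
                    "EncryptedPrivateKeyInfo. Remove the ssl.key.password line.")
        elif key_type == PKCS8_ENCRYPTED:
            if password is None:
                findings.append("key is encrypted PKCS#8 but ssl.key.password is not set")
        else:
            findings.append(
                f"'{key_type}' is a traditional OpenSSL key encoding, not PKCS#8; "
                "convert it with 'openssl pkcs8 -topk8' first")

    if password is not None and password.lower() in ("null", ""):
        findings.append(
            f"ssl.key.password={password!r} looks like an attempt to unset the "
            "property, but in a properties file it is a password string, not an absent value")
    return findings


# Constructed sample inputs: placeholder base64 bodies, not real certificates or keys.
_CERT = "-----BEGIN CERTIFICATE-----\nQUFBQUFBQUFBQUFB\n-----END CERTIFICATE-----\n"
PEM_PLAIN_KEY = _CERT + "-----BEGIN PRIVATE KEY-----\nQUFBQUFBQUFBQUFB\n-----END PRIVATE KEY-----\n"
PEM_ENCRYPTED_KEY = _CERT + "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUFBQUFBQUFBQUFB\n-----END ENCRYPTED PRIVATE KEY-----\n"
PEM_EC_KEY = _CERT + "-----BEGIN EC PRIVATE KEY-----\nQUFBQUFBQUFBQUFB\n-----END EC PRIVATE KEY-----\n"

# The options from the comment, and the same options without the ssl.key.password line.
CONFIG_AS_IN_ISSUE = "ssl.keystore.type=PEM\nssl.keystore.location=/opt/kafka/certs/certificate.pem\nssl.key.password=null\n"
CONFIG_FIXED = "ssl.keystore.type=PEM\nssl.keystore.location=/opt/kafka/certs/certificate.pem\n"

if __name__ == "__main__":
    for label, cfg, pem in [("as in issue", CONFIG_AS_IN_ISSUE, PEM_PLAIN_KEY),
                            ("fixed", CONFIG_FIXED, PEM_PLAIN_KEY),
                            ("encrypted key, no password", CONFIG_FIXED, PEM_ENCRYPTED_KEY),
                            ("EC key (not PKCS#8)", CONFIG_FIXED, PEM_EC_KEY)]:
        findings = check_pem_keystore(parse_properties(cfg), pem)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The check is deliberately independent of the `cryptography` package so it can run on the broker host with a stock Python; it only looks at PEM labels and the properties lines, which is exactly the information the broker uses to decide between the plain and encrypted PKCS#8 parsers. The JKS workaround in the comment sidesteps the question because a JKS keystore carries its own password, at the cost of writing `ssl.keystore.password` in clear text into `server.properties`, so that file needs the same ownership and mode restrictions as the key itself.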



> Invalid value javax.net.ssl.SSLHandshakeException: no cipher suites in common 
> for configuration
> -----------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-12228
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12228
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 2.7.0
>            Reporter: Alexey Kashavkin
>            Priority: Major
>         Attachments: kafka.log
>
>
> I found that Kafka 2.7.0 supports PEM certificates and I decided to try setting up the broker with a DigiCert SSL certificate. I used the new options and did everything as in the example in [KIP-651|https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key]. But I get the error:
> {code:bash}
> [2021-01-20 17:54:55,787] ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: no cipher suites in common for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
>         at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:98)
>         at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:72)
>         at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
>         at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:97)
>         at kafka.network.Processor.<init>(SocketServer.scala:790)
>         at kafka.network.SocketServer.newProcessor(SocketServer.scala:415)
>         at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors$1(SocketServer.scala:288)
>         at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:287)
>         at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:254)
>         at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:251)
>         at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
>         at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
>         at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
>         at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:251)
>         at kafka.network.SocketServer.startup(SocketServer.scala:125)
>         at kafka.server.KafkaServer.startup(KafkaServer.scala:303)
>         at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
>         at kafka.Kafka$.main(Kafka.scala:82)
>         at kafka.Kafka.main(Kafka.scala)
> {code}
> Java is used:
> {code:bash}
> openjdk version "1.8.0_272"
> OpenJDK Runtime Environment (build 1.8.0_272-b10)
> OpenJDK 64-Bit Server VM (build 25.272-b10, mixed mode)
> {code}
> OS is CentOS 7.8.2003
> _openssl x509 -in certificate.pem -text :_
> {code:java}
> Certificate:
>     ...
>     Signature Algorithm: ecdsa-with-SHA384
>         ...
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
> {code}
> Log is attached.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)