Rule #1 and Rule #2 cannot co-exist. You are basically configuring your LB
to point to a Kafka broker and you are pointing each Kafka broker to point
to a LB. So you need a pair of ports with a security protocol for the
connection to work. With two rules, Kafka picks up the wrong LB port for
one of the security protocols.

If you want to try without SSL first, the simplest way to try it out would
be to disable Rule #1 and change Rule #2 to use port 9093 instead of 9095.
Then you should be able to connect using PLAINTEXT (the test that is
currently not working).

I think you have the configuration:

advertised.listeners=PLAINTEXT://mybalancer01.example.com:9093,SASL_PLAINTEXT://mykafka01.example.com:9092

And you have a client connecting with PLAINTEXT on mybalancer01:*9095*. The
first connection would work, but subsequent connections would use the
address provided by Kafka from advertised.listeners. The client will start
connecting with PLAINTEXT on mybalancer01:*9093*, which is expecting SSL.
If you disable Rule #1 and change Rule #2 to use port 9093, you should be
able to test PLAINTEXT without changing Kafka config.

On Mon, Nov 21, 2016 at 3:32 PM, Zac Harvey <zac.har...@welltok.com> wrote:

> In the last email I should have mentioned: don't pay too much attention to
> the code snippet, and after reviewing it, I can see it is actually incomplete
> (I forgot to include the section where I configure the topics and broker
> configs to talk to Kafka!).
>
>
> What I'm really concerned about is that before we added all these SSL
> configs, I had plaintext (plaintext:9092 in/out of the load balancer
> to/from Kafka) working fine. Now my consumer code can't even connect to the
> load balancer/Kafka.
>
>
> So I guess what I was really asking was: does that exception
> (ClosedChannelException) indicate bad configs on the Kafka broker?
>
> ________________________________
> From: Zac Harvey <zac.har...@welltok.com>
> Sent: Thursday, November 17, 2016 4:44:06 PM
> To: users@kafka.apache.org
> Subject: Can Kafka/SSL be terminated at a load balancer?
>
> We have two Kafka nodes and for reasons outside of this question, would
> like to set up a load balancer to terminate SSL with producers (clients).
> The SSL cert hosted by the load balancer will be signed by trusted/root CA
> that clients should natively trust.
>
>
> Is this possible to do, or does Kafka somehow require SSL to be setup
> directly on the Kafka servers themselves?
>
>
> Thanks!
>



-- 
Regards,

Rajini
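
The port mismatch described in the reply above, as an added example that is not part of the original message: a small checker that follows a client from its bootstrap connection to the address Kafka hands back from advertised.listeners. The rule table (Rule #1 as SSL terminated on 9093, Rule #2 as PLAINTEXT on 9095), the function names, and the premise that the broker answers with the advertised listener for the protocol the request arrived on are assumptions.

```python
# Added example with constructed values; the LB rule table is an assumption
# inferred from the reply above, not the poster's actual configuration.
LB_HOST = "mybalancer01.example.com"
ADVERTISED = ("PLAINTEXT://mybalancer01.example.com:9093,"
              "SASL_PLAINTEXT://mykafka01.example.com:9092")

def parse_listeners(value):
    """Parse an advertised.listeners value into {protocol: (host, port)}."""
    listeners = {}
    for entry in value.split(","):
        protocol, _, address = entry.strip().partition("://")
        host, _, port = address.rpartition(":")
        listeners[protocol.upper()] = (host, int(port))
    return listeners

def check_client_path(advertised, lb_rules, bootstrap_port):
    """Follow a client from its bootstrap connection to the follow-up one.

    lb_rules maps LB port -> (protocol the client speaks to the LB,
    protocol of the broker listener the LB forwards to).
    Returns a list of problems; an empty list means both hops agree.
    """
    if bootstrap_port not in lb_rules:
        return [f"no LB rule listens on bootstrap port {bootstrap_port}"]
    client_proto, broker_proto = lb_rules[bootstrap_port]
    listeners = parse_listeners(advertised)
    if broker_proto not in listeners:
        return [f"broker advertises no {broker_proto} listener"]
    # Metadata tells the client to reconnect to the advertised address,
    # still speaking its own security protocol.
    host, port = listeners[broker_proto]
    if host != LB_HOST:
        return []  # advertised address bypasses the LB; nothing to compare
    if port not in lb_rules:
        return [f"advertised port {port} has no LB rule"]
    expected = lb_rules[port][0]
    if expected != client_proto:
        return [f"{client_proto} client is sent to LB port {port}, "
                f"which expects {expected}"]
    return []

# Rule #1: SSL terminated on 9093. Rule #2: PLAINTEXT on 9095 (both assumed).
TWO_RULES = {9093: ("SSL", "PLAINTEXT"), 9095: ("PLAINTEXT", "PLAINTEXT")}
# Suggested test setup: Rule #1 disabled, Rule #2 moved to port 9093.
ONE_RULE = {9093: ("PLAINTEXT", "PLAINTEXT")}

if __name__ == "__main__":
    print(check_client_path(ADVERTISED, TWO_RULES, 9095))
    print(check_client_path(ADVERTISED, TWO_RULES, 9093))
    print(check_client_path(ADVERTISED, ONE_RULE, 9093))
```

With both rules active only the PLAINTEXT client is flagged, because its follow-up connection lands on the SSL port; the single-rule setup passes.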
