Dear

Please find the error below:

org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:448)
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:313)
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265)
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170)
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:536)
    at org.apache.kafka.common.network.Selector.poll(Selector.java:472)
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:535)
    at org.apache.kafka.clients.NetworkClientUtils.awaitReady(NetworkClientUtils.java:74)
    at kafka.server.ReplicaFetcherBlockingSend.sendRequest(ReplicaFetcherBlockingSend.scala:95)
    at kafka.server.ReplicaFetcherThread.fetchFromLeader(ReplicaFetcherThread.scala:193)
    at kafka.server.AbstractFetcherThread.processFetchRequest(AbstractFetcherThread.scala:280)
    at kafka.server.AbstractFetcherThread.$anonfun$maybeFetch$3(AbstractFetcherThread.scala:132)
    at kafka.server.AbstractFetcherThread.$anonfun$maybeFetch$3$adapted(AbstractFetcherThread.scala:131)
    at scala.Option.foreach(Option.scala:274)
    at kafka.server.AbstractFetcherThread.maybeFetch(AbstractFetcherThread.scala:131)
    at kafka.server.AbstractFetcherThread.doWork(AbstractFetcherThread.scala:113)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:82)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:402)
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:484)
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340)
    ... 15 more
Caused by: java.security.cert.CertificateException: Unknown identification algorithm: " "
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:462)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
    ... 24 more
[2019-05-03 06:36:23,840] INFO [ReplicaFetcher replicaId=0, leaderId=2, fetcherId=0] Failed authentication with /192.168.175.130 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2019-05-03 06:36:23,842] ERROR [ReplicaFetcher replicaId=0, leaderId=2, fetcherId=0] Connection to node 2 (/192.168.175.130:9092) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

Sent from Outlook <http://aka.ms/weboutlook>
________________________________
From: Harper Henn <harper.h...@datto.com>
Sent: 03 May 2019 21:35
To: users@kafka.apache.org
Subject: Re: Required guidelines for kafka upgrade

What specific errors are you seeing in the server logs of the broker you upgraded (can you copy/paste them)?

On Fri, May 3, 2019 at 7:29 AM ASHOK MACHERLA <iash...@outlook.com> wrote:

> *Dear Senthil*
>
> As you suggested, I followed, but I’m facing errors.
>
> This is my old configuration, which is Kafka (0.10.1) version
>
> *****************************************************************
>
> broker.id=0
> port=9092
> delete.topic.enable=true
> message.max.bytes=100000
> listeners=SSL://192.168.175.128:9092
> advertised.listeners=SSL://192.168.175.128:9092
> num.network.threads=3
> num.io.threads=8
> socket.send.buffer.bytes=102400
> socket.receive.buffer.bytes=102400
> socket.request.max.bytes=104857600
> log.dirs=/opt/kafka/kafka-logs
> num.partitions=3
> default.replication.factor=3
> auto.topic.creation.enable=false
> num.recovery.threads.per.data.dir=1
> log.retention.hours=168
> log.segment.bytes=1073741824
> log.retention.check.interval.ms=300000
> ssl.keystore.location=/opt/kafka/certificate/kafka.keystore.jks
> ssl.keystore.password=Sbi#123
> ssl.key.password=Sbi#123
> ssl.truststore.location=/opt/kafka/certificate/kafka.truststore.jks
> ssl.truststore.password=Sbi#123
> security.inter.broker.protocol=SSL
> zookeeper.connect=192.168.175.128:2181,192.168.175.129:2181,192.168.175.130:2181
> zookeeper.connection.timeout.ms=6000
>
> *****************************************************************
>
> After that I added three parameters into server.properties, which is *new
> Kafka version (2.2.0)*
>
> inter.broker.protocol.version=0.10.1
> log.message.format.version=0.10.1
> ssl.endpoint.identification.algorithm=""
>
> After that I stopped one Kafka node, and then I started the new Kafka (2.2.0)
> version on the same node.
>
> In this the port is opening; it's showing the 9092 port number,
> but I am getting errors due to SSL issues.
>
> In this position the first node is running with the new version (2.2.0) and
> the remaining two nodes are running with the previous version (0.10.1).
>
> I checked the topic describe command on the second node; here the ISR is not
> syncing with the new version,
> it's showing only 1,2; here "0" is missing, which means the first node was
> not syncing with the remaining nodes,
> it should show like 0,1,2.
>
> Please help Senthil
>
> I tried so many options like below,
>
> ssl.endpoint.identification.algorithm=""
> ssl.endpoint.identification.algorithm=" "
> ssl.endpoint.identification.algorithm="none"
> ssl.endpoint.identification.algorithm="null"
> ssl.endpoint.identification.algorithm=null
> ssl.endpoint.identification.algorithm=https
>
> Please tell me what correct value I should mention; the port is showing,
> but why is the ISR showing only 1,2 instead of 0,1,2?
>
> Are there any firewall settings problems?
>
> Please help us to fix this Senthil
>
> thanks
>
> Sent from Outlook <http://aka.ms/weboutlook>
> ------------------------------
> *From:* ASHOK MACHERLA <iash...@outlook.com>
> *Sent:* 02 May 2019 13:28
> *To:* users@kafka.apache.org
> *Subject:* Re: Required guidelines for kafka upgrade
>
> OK Senthil
>
> Thanks for your support and cooperation
>
> Sent from Outlook
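
Added example, not part of the original thread: a small Python check that classifies the six `ssl.endpoint.identification.algorithm` values tried above the way the broker would see them. It assumes that a `.properties` file keeps quote characters as part of the value, that the JDK 8 trust manager in the trace recognises only `https`, `ldap` and `ldaps` and skips the identity check for an empty value, and that `https` is the default from Kafka 2.0 on; the function names are made up for this example.

```python
KEY = "ssl.endpoint.identification.algorithm"
# Assumption: names accepted (case-insensitively) by the JDK 8 trust manager.
KNOWN = {"https", "ldap", "ldaps"}


def parse_properties(text):
    """Minimal .properties reader: like java.util.Properties, it strips no quotes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The key ends at the first '=' or ':'; the rest is the value, verbatim.
        cut = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if cut == -1:
            props[line] = ""
            continue
        # Surrounding whitespace is trimmed; quote characters survive.
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def classify(value):
    """Return (status, explanation) for one configured value."""
    if value == "":
        return "disabled", "empty value: hostname verification is off"
    if value.lower() in KNOWN:
        return "ok", "verification on: broker certificates must match the listener address"
    if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
        return "invalid", "quotes are part of the value: %r" % value
    return "invalid", "not an algorithm name: %r" % value


def lint(text):
    """Check the endpoint identification setting in a server.properties text."""
    props = parse_properties(text)
    if KEY not in props:
        return "default", "unset: https is the default from Kafka 2.0 on"
    return classify(props[KEY])


# Constructed input: the six variants listed in the message above.
ATTEMPTS = ['""', '" "', '"none"', '"null"', "null", "https"]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print("%s=%s -> %s: %s" % ((KEY, attempt) + lint("%s=%s\n" % (KEY, attempt))))
```

A line with nothing after the equals sign (`ssl.endpoint.identification.algorithm=`) is reported as disabled, which is the only form that reaches the trust manager as an empty string.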