Hi!

I'm experimenting with setting up a log ingesting cluster and Kafka would
be part of it. Unfortunately, I can't get the first broker started. I need
to secure the communication between a dozen nodes and Kafka would only be
one part of it. I have a secured node where I generate certificates for
every server in the cluster (with an intermediate CA). AFAIK, I need to use
'.jks' files for Kafka, so I've generated a '.p12' file from the openssl
certificate and key then used `keytool` to generate a keystore:
`keytool -importkeystore -srckeystore kafka-1.p12 -srcstoretype PKCS12
-alias kafka-1 -destkeystore kafka-1.jks`
I generated a truststore for the root and intermediate chain as well:
`keytool -importcert -alias ca-root -keystore truststore.jks -file
ca-chain.cert.pem`

Relevant part of the 'server.properties' configuration:
####
listeners=EXTERNAL://kafka-1:9092,INTERNAL://kafka-1:9093
advertised.listeners=EXTERNAL://kafka-1:9092,INTERNAL://kafka-1:9093
inter.broker.listener.name=INTERNAL
listener.security.protocol.map=EXTERNAL:SSL,INTERNAL:SSL
security.protocol=SSL
ssl.client.auth=required
ssl.truststore.location=/*******/truststore.jks
ssl.truststore.password=*************
ssl.keystore.location=/*******/kafka-1.jks
ssl.keystore.password=*************
####

After starting Kafka (as a service) I get the following in the
'server.log':
>>...
>> INFO [KafkaServer id=1001] started (kafka.server.KafkaServer)
>> INFO [SocketServer brokerId=1001] Failed authentication with
/XXX.XXX.XXX.XXX (SSL handshake failed)
(org.apache.kafka.common.network.Selector)
>> INFO [Controller id=1001, targetBrokerId=1001] Failed authentication
with kafka-1/XXX.XXX.XXX.XXX (SSL handshake failed)
(org.apache.kafka.common.network.Selector)
>> ERROR [Controller id=1001, targetBrokerId=1001] Connection to node 1001
(kafka-1/XXX.XXX.XXX.XXX:9093) failed authentication due to: SSL handshake
failed (org.apache.kafka.clients.NetworkClient)
>>...
>> WARN SSL handshake failed (kafka.utils.CoreUtils$)
>> org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake
failed
>> Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake
message: server_hello
>>...

I couldn't find any lead with that error message and got stuck. Any ideas
what that error message means and how to solve it?

Specs:
- Ubuntu 18.04.3 LTS
- OpenJDK Runtime Environment (build 11.0.4+11-post-Ubuntu-1ubuntu218.04.3)
- Kafka 2.2.1 (from kafka_2.12-2.2.1.tgz)
- OpenSSL 1.1.1

Thank you!
Peter
