Hi everyone,
Could you please advise how to fix the problem below?
I'm trying to run Zookeeper with mTLS to authenticate the Kafka broker to Zookeeper
by SSL certificate.
Both Zookeeper and the Kafka broker are located on the same server, so I use the
same keystore and truststore for them.
Here is the error in Kafka server.log when Kafka starts:
[2022-07-01 19:16:44,157] DEBUG [id: 0x7b9f05b5, L:/10.76.196.200:53876 -
R:smsk01ap437u/10.76.196.200:2182] HANDSHAKEN: protocol:TLSv1.2 cipher
suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (io.netty.handler.ssl.SslHandler)
[2022-07-01 19:16:44,206] INFO Session establishment complete on server
smsk01ap437u/10.76.196.200:2182, session id = 0x100bb14c3bf0000, negotiated
timeout = 18000 (org.apache.zookeeper.ClientCnxn)
[2022-07-01 19:16:44,210] DEBUG [ZooKeeperClient Kafka server] Received event:
WatchedEvent state:SyncConnected type:None path:null
(kafka.zookeeper.ZooKeeperClient)
[2022-07-01 19:16:44,210] INFO [ZooKeeperClient Kafka server] Connected.
(kafka.zookeeper.ZooKeeperClient)
[2022-07-01 19:16:44,320] DEBUG Reading reply session id: 0x100bb14c3bf0000,
packet:: clientPath:/consumers serverPath:/consumers finished:false header::
1,1 replyHeader:: 1,77309411356,-110 request::
'/consumers,,v{s{31,s{'world,'anyone}}},0 response::
(org.apache.zookeeper.ClientCnxn)
[2022-07-01 19:16:44,346] DEBUG Reading reply session id: 0x100bb14c3bf0000,
packet:: clientPath:/brokers/ids serverPath:/brokers/ids finished:false
header:: 2,1 replyHeader:: 2,77309411357,-102 request::
'/brokers/ids,,v{s{31,s{'world,'anyone}}},0 response::
(org.apache.zookeeper.ClientCnxn)
[2022-07-01 19:16:44,358] ERROR Fatal error during KafkaServer startup. Prepare
to shutdown (kafka.server.KafkaServer)
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth
for /brokers/ids
at org.apache.zookeeper.KeeperException.create(KeeperException.java:120)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:566)
at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1729)
at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1627)
at kafka.zk.KafkaZkClient.$anonfun$createTopLevelPaths$1(KafkaZkClient.scala:1619)
at kafka.zk.KafkaZkClient.$anonfun$createTopLevelPaths$1$adapted(KafkaZkClient.scala:1619)
at scala.collection.immutable.List.foreach(List.scala:333)
at kafka.zk.KafkaZkClient.createTopLevelPaths(KafkaZkClient.scala:1619)
at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:492)
at kafka.server.KafkaServer.startup(KafkaServer.scala:201)
at kafka.Kafka$.main(Kafka.scala:109)
at kafka.Kafka.main(Kafka.scala)
[2022-07-01 19:16:44,359] INFO shutting down (kafka.server.KafkaServer)
Here are the configs.
Zoo.cfg:
secureClientPort=2182
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
ssl.keyStore.location=/app/kafka/certs/server/server.keystore.jks
ssl.keyStore.password=Moscow123
ssl.trustStore.location=/app/kafka/certs/server/server.truststore.jks
ssl.trustStore.password=Moscow123
server.properties:
zookeeper.connect=server_hostname:2182
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keystore.location=/app/kafka/certs/server/server.keystore.jks
zookeeper.ssl.keystore.password=Moscow123
zookeeper.ssl.truststore.location=kafka/certs/server/server.truststore.jks
zookeeper.ssl.truststore.password=Moscow123
Best regards,
Evgeny
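A small consistency check over the two configurations quoted in the mail above, added here as an example and not part of Evgeny's message or of Kafka/Zookeeper itself. It parses both property files (copied inline, passwords omitted), confirms that an X.509 auth provider and the SSL client socket are enabled, flags any store path that is not absolute or that differs between the two processes sharing one host, and pulls the znode named in the NoAuth error out of the log so the ACL check can start from the right path.

```python
import re
from pathlib import PurePosixPath

# Constructed copies of the zoo.cfg and server.properties from the mail (passwords omitted).
ZOO_CFG = """\
secureClientPort=2182
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
ssl.keyStore.location=/app/kafka/certs/server/server.keystore.jks
ssl.trustStore.location=/app/kafka/certs/server/server.truststore.jks
"""
SERVER_PROPERTIES = """\
zookeeper.connect=server_hostname:2182
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keystore.location=/app/kafka/certs/server/server.keystore.jks
zookeeper.ssl.truststore.location=kafka/certs/server/server.truststore.jks
"""
# Constructed copy of the fatal line from server.log.
LOG_LINE = "org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /brokers/ids"

def parse_props(text):
    """Parse key=value lines (blank lines and # comments skipped) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_mtls_config(zoo, kafka):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    if not any(k.startswith("authProvider.") and "X509" in v for k, v in zoo.items()):
        findings.append("zookeeper: no X509AuthenticationProvider configured")
    if kafka.get("zookeeper.ssl.client.enable") != "true":
        findings.append("kafka: zookeeper.ssl.client.enable is not true")
    # Store paths must be absolute; on a shared host both sides should name the same files.
    pairs = [("ssl.keyStore.location", "zookeeper.ssl.keystore.location"),
             ("ssl.trustStore.location", "zookeeper.ssl.truststore.location")]
    for zk_key, kafka_key in pairs:
        for name, path in ((zk_key, zoo.get(zk_key, "")), (kafka_key, kafka.get(kafka_key, ""))):
            if not PurePosixPath(path).is_absolute():
                findings.append(f"{name} is not an absolute path: {path!r}")
        if zoo.get(zk_key) != kafka.get(kafka_key):
            findings.append(f"{zk_key} and {kafka_key} differ")
    return findings

def noauth_znode(log_text):
    """Extract the znode path from a ZooKeeper NoAuth error line, or None if absent."""
    m = re.search(r"KeeperErrorCode = NoAuth for (\S+)", log_text)
    return m.group(1) if m else None
```

Run against the quoted files it reports the relative Kafka truststore path and the resulting mismatch with the Zookeeper truststore; whether that is the actual cause still has to be confirmed on the host.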