Hi everyone, could you please advise how to fix the problem below?
I'm trying to run Zookeeper with mTLS to authenticate the Kafka broker on Zookeeper by SSL certificate. Both Zookeeper and the Kafka broker are located on the same server, so I use the same keystore and truststore for them.

Here is the error in Kafka server.log when Kafka starts:

[2022-07-01 19:16:44,157] DEBUG [id: 0x7b9f05b5, L:/10.76.196.200:53876 - R:smsk01ap437u/10.76.196.200:2182] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (io.netty.handler.ssl.SslHandler)
[2022-07-01 19:16:44,206] INFO Session establishment complete on server smsk01ap437u/10.76.196.200:2182, session id = 0x100bb14c3bf0000, negotiated timeout = 18000 (org.apache.zookeeper.ClientCnxn)
[2022-07-01 19:16:44,210] DEBUG [ZooKeeperClient Kafka server] Received event: WatchedEvent state:SyncConnected type:None path:null (kafka.zookeeper.ZooKeeperClient)
[2022-07-01 19:16:44,210] INFO [ZooKeeperClient Kafka server] Connected. (kafka.zookeeper.ZooKeeperClient)
[2022-07-01 19:16:44,320] DEBUG Reading reply session id: 0x100bb14c3bf0000, packet:: clientPath:/consumers serverPath:/consumers finished:false header:: 1,1 replyHeader:: 1,77309411356,-110 request:: '/consumers,,v{s{31,s{'world,'anyone}}},0 response:: (org.apache.zookeeper.ClientCnxn)
[2022-07-01 19:16:44,346] DEBUG Reading reply session id: 0x100bb14c3bf0000, packet:: clientPath:/brokers/ids serverPath:/brokers/ids finished:false header:: 2,1 replyHeader:: 2,77309411357,-102 request:: '/brokers/ids,,v{s{31,s{'world,'anyone}}},0 response:: (org.apache.zookeeper.ClientCnxn)
[2022-07-01 19:16:44,358] ERROR Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /brokers/ids
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:120)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
    at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:566)
    at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1729)
    at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1627)
    at kafka.zk.KafkaZkClient.$anonfun$createTopLevelPaths$1(KafkaZkClient.scala:1619)
    at kafka.zk.KafkaZkClient.$anonfun$createTopLevelPaths$1$adapted(KafkaZkClient.scala:1619)
    at scala.collection.immutable.List.foreach(List.scala:333)
    at kafka.zk.KafkaZkClient.createTopLevelPaths(KafkaZkClient.scala:1619)
    at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:492)
    at kafka.server.KafkaServer.startup(KafkaServer.scala:201)
    at kafka.Kafka$.main(Kafka.scala:109)
    at kafka.Kafka.main(Kafka.scala)
[2022-07-01 19:16:44,359] INFO shutting down (kafka.server.KafkaServer)

Here are the configs.

Zoo.cfg:

secureClientPort=2182
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
ssl.keyStore.location=/app/kafka/certs/server/server.keystore.jks
ssl.keyStore.password=Moscow123
ssl.trustStore.location=/app/kafka/certs/server/server.truststore.jks
ssl.trustStore.password=Moscow123

server.properties:

zookeeper.connect=server_hostname:2182
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keystore.location=/app/kafka/certs/server/server.keystore.jks
zookeeper.ssl.keystore.password=Moscow123
zookeeper.ssl.truststore.location=kafka/certs/server/server.truststore.jks
zookeeper.ssl.truststore.password=Moscow123

Best regards,
Evgeny
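
The two "Reading reply" DEBUG lines in the log above carry the server's result code as the last field of replyHeader. The following sketch decodes them (an added example, not part of the original message; the code table is a subset of ZooKeeper's KeeperException.Code values, the permission bits are those of ZooDefs.Perms, and the function names are illustrative):

```python
import re

# Subset of ZooKeeper KeeperException.Code values carried in replyHeader.
ZK_CODES = {0: "OK", -101: "NONODE", -102: "NOAUTH", -103: "BADVERSION",
            -110: "NODEEXISTS", -111: "NOTEMPTY", -112: "SESSIONEXPIRED",
            -114: "INVALIDACL", -115: "AUTHFAILED"}
# ZooDefs.Perms bit values.
PERMS = {1: "READ", 2: "WRITE", 4: "CREATE", 8: "DELETE", 16: "ADMIN"}
AUTH_ERRORS = {"NOAUTH", "AUTHFAILED", "INVALIDACL"}

# header:: is "xid,opcode" (opcode 1 is create); replyHeader:: is "xid,zxid,err".
REPLY_RE = re.compile(
    r"clientPath:(?P<path>\S+) .*?header:: (?P<xid>-?\d+),(?P<op>\d+)\s+"
    r"replyHeader:: -?\d+,-?\d+,(?P<err>-?\d+)\s+request:: (?P<req>\S*)")
# One ACL entry as logged: s{perms,s{'scheme,'id}}
ACL_RE = re.compile(r"s\{(\d+),s\{'(\w+),'([^}]*)\}\}")


def decode_replies(log_text):
    """Return one dict per 'Reading reply' packet found in log_text."""
    out = []
    for m in REPLY_RE.finditer(log_text):
        err = int(m["err"])
        acls = [(scheme, ident, [n for bit, n in PERMS.items() if int(perms) & bit])
                for perms, scheme, ident in ACL_RE.findall(m["req"])]
        out.append({"path": m["path"], "xid": int(m["xid"]), "op": int(m["op"]),
                    "code": ZK_CODES.get(err, f"UNKNOWN({err})"),
                    "requested_acls": acls})
    return out


def auth_refusals(log_text):
    """Paths whose request the server rejected for an authorization reason."""
    return [r["path"] for r in decode_replies(log_text) if r["code"] in AUTH_ERRORS]


# Two DEBUG lines copied from the log in the message above.
SAMPLE = """\
[2022-07-01 19:16:44,320] DEBUG Reading reply session id: 0x100bb14c3bf0000, packet:: clientPath:/consumers serverPath:/consumers finished:false header:: 1,1 replyHeader:: 1,77309411356,-110 request:: '/consumers,,v{s{31,s{'world,'anyone}}},0 response:: (org.apache.zookeeper.ClientCnxn)
[2022-07-01 19:16:44,346] DEBUG Reading reply session id: 0x100bb14c3bf0000, packet:: clientPath:/brokers/ids serverPath:/brokers/ids finished:false header:: 2,1 replyHeader:: 2,77309411357,-102 request:: '/brokers/ids,,v{s{31,s{'world,'anyone}}},0 response:: (org.apache.zookeeper.ClientCnxn)
"""

if __name__ == "__main__":
    for reply in decode_replies(SAMPLE):
        print(reply)
    print("refused:", auth_refusals(SAMPLE))
```

On the sample it reports NODEEXISTS for /consumers and NOAUTH for /brokers/ids, both for create requests (opcode 1) that asked for a world:anyone ACL with all five permissions.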