
I am trying to set up a Kafka broker with SSL support, but when I try to put a message on the topic, it times out. Here are the steps I followed:

openssl req -new -newkey rsa:4096 -days 365 -x509 -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes

keytool -genkey -keystore kafka.server.keystore.jks -validity 365 -storepass xxx -keypass xxx -dname "CN=kafka_broker.net" -storetype pkcs12

keytool -keystore kafka.server.keystore.jks -certreq -file cert-file -storepass xxx -keypass xxx

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:xxx

keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass xxx -keypass xxx -noprompt

keytool -keystore kafka.server.keystore.jks -import -file cert-signed -storepass xxx -keypass xxx -noprompt

keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert -storepass xxx -keypass xxx -noprompt

I know that the connection over SSL failed because when I do:

/kafka_2.11-1.1.0/bin/kafka-console-producer.sh --broker-list kafka_broker:9092 --topic test --producer.config client.properties
>ewqeq
[2018-07-04 14:53:18,022] ERROR Error when sending message to topic test with key: null, value: 5 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TimeoutException: Failed to update metadata after 60000 ms.

where client.properties is a config file with the following content:

security.protocol=SSL
ssl.truststore.location=./kafka.server.truststore.jks
ssl.truststore.password=xxx

I tried many times but nothing is working. The client from which I am trying to connect is in a docker container, and so is Kafka. They are on the same network, and the Kafka hostname is kafka_broker, which I also supplied as the CN when creating the keystore.

Justin
  • I'd suggest taking a look at this example docker setup https://docs.confluent.io/current/tutorials/cp-demo/docs/index.html#security I'd also suggest after going through that tutorial and maybe adopting the same script provided there, you can also follow the troubleshooting steps down here https://docs.confluent.io/current/tutorials/security_tutorial.html#troubleshooting – dawsaw Jul 05 '18 at 00:02
  • Sorry for just links but when you start at docker plus SSL it's tough. I'd also suggest eliminating one of those things and so you're in a scenario with less variables. If you get docker and plain text working or SSL and no docker working, it'll simplify the troubleshooting. – dawsaw Jul 05 '18 at 00:05
  • You need to bundle the keystore and truststore jks files inside your docker image. You can take a look at [this](https://stackoverflow.com/questions/42276672/using-apache-kafka-in-ssl-mode) question which I posted a while back, even though it's not docker specific. – Bitswazsky Jul 05 '18 at 10:30
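The question's certificate steps and the answer's client.properties are the two places where SSL setups like this usually go wrong, so here is an added, self-contained script (not from the question, the answer, or the Kafka project) that does the same job with openssl only and then checks its own output before any broker or container is touched. It assumes `openssl` is on the PATH (`keytool` is optional and only used for the truststore), a broker hostname of `kafka_broker` and a store password of `changeit` (both constructed values), and it puts the hostname into a subjectAltName so the certificate matches the name the client actually dials. The chain check (`openssl verify`) and the hostname check (`openssl x509 -checkhost`) are the two assertions worth running before copying stores into an image; the negative check against `kafka_broker.net` shows what a CN/hostname mismatch looks like.

```shell
#!/bin/sh
# Added example (not from the question or answer): build a CA, a broker
# certificate whose SAN matches the hostname clients dial, a PKCS12
# keystore, and (if keytool exists) a client truststore, then verify the
# chain and the hostname before any broker is configured.
# Hostname "kafka_broker" and password "changeit" are constructed values.
set -eu

# Self-signed CA with explicit CA extensions (no reliance on openssl.cnf).
# -nodes leaves the CA key unencrypted, acceptable only for a lab setup.
gen_ca() {            # $1 = work dir
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Kafka-Security-CA" \
    -keyout "$1/ca-key" -out "$1/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca-key" -days 365 \
    -extfile "$1/ca.ext" -out "$1/ca-cert" 2>/dev/null
}

# Broker key + CSR, signed by the CA with a SAN naming the broker hostname.
gen_broker_cert() {   # $1 = work dir, $2 = hostname clients connect to
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/broker-key" -out "$1/broker.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/broker.csr" -CA "$1/ca-cert" -CAkey "$1/ca-key" \
    -CAcreateserial -days 365 -extfile "$1/san.ext" \
    -out "$1/broker-cert" 2>/dev/null
  # Keystore holding the broker key, its cert and the CA cert; Kafka reads it
  # with ssl.keystore.type=PKCS12 (the question already uses -storetype pkcs12).
  openssl pkcs12 -export -name broker \
    -inkey "$1/broker-key" -in "$1/broker-cert" -certfile "$1/ca-cert" \
    -out "$1/kafka.server.keystore.p12" -passout pass:changeit
}

# Does the signed broker cert chain to our CA?  (exit 0 = yes)
verify_chain() {      # $1 = work dir
  openssl verify -CAfile "$1/ca-cert" "$1/broker-cert" >/dev/null 2>&1
}

# Does the cert's SAN/CN match the name the client will use?  (exit 0 = yes)
# "does NOT match" does not contain the string "does match", so grep is exact.
cert_matches_host() { # $1 = work dir, $2 = hostname
  openssl x509 -in "$1/broker-cert" -noout -checkhost "$2" | grep -q 'does match'
}

# Client truststore the same way the question builds it, via keytool (needs a JDK).
build_truststore() {  # $1 = work dir
  keytool -importcert -noprompt -alias CARoot -file "$1/ca-cert" \
    -keystore "$1/kafka.client.truststore.jks" -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$1/kafka.client.truststore.jks" -storepass changeit 2>/dev/null \
    | grep -qi caroot
}

# client.properties with an absolute truststore path: Kafka opens
# ssl.truststore.location as a plain file path, resolved from the JVM's
# working directory, so an absolute path removes that dependency.
write_client_config() { # $1 = work dir
  printf 'security.protocol=SSL\nssl.truststore.location=%s/kafka.client.truststore.jks\nssl.truststore.password=changeit\n' \
    "$1" > "$1/client.properties"
}

# Stand-alone demo: run everything in a temp dir and report.
demo() {
  d=$(mktemp -d)
  gen_ca "$d"
  gen_broker_cert "$d" kafka_broker
  verify_chain "$d" && echo "chain: OK"
  cert_matches_host "$d" kafka_broker && echo "hostname kafka_broker: OK"
  cert_matches_host "$d" kafka_broker.net || echo "hostname kafka_broker.net: MISMATCH (expected)"
  write_client_config "$d"
  echo "artifacts in $d"
}
demo
```

The question does not show server.properties, so one more check belongs on the live broker once the stores are in place: `openssl s_client -connect kafka_broker:<ssl-port> -CAfile ca-cert` should print the broker certificate and `Verify return code: 0 (ok)`. If the port the client is pointed at is not an SSL listener (the producer above dials 9092), the TLS handshake never starts and the client sits in its metadata wait until the 60000 ms timeout, which is the symptom in the question.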

1 Answer


try this:

security.protocol=SSL
ssl.truststore.location=file:relativepath/kafka.server.truststore.jks
ssl.truststore.password=xxx
Adri Ak