I have a 3-node Kafka cluster (version 0.10.1.0). I followed the steps in the Kafka security documentation. Here is the relevant configuration of one of my Kafka servers.
listeners=SSL://myhostname:9093
security.inter.broker.protocol=SSL
advertised.listeners=SSL://myhostname:9093
# In order to enable hostname verification
ssl.endpoint.identification.algorithm=HTTPS
ssl.client.auth=required
# certificate file locations
ssl.keystore.location=/location/server1.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/location/server.truststore.jks
ssl.truststore.password=changeit
# Supported TLS versions
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
I defined 3 different keystores for all my Kafka servers and signed them with the same CA. When I start the Kafka servers, the controller log keeps logging the following warnings.
WARN [Controller-0-to-broker-2-send-thread], Controller 0's connection to broker host3:9093 (id: 2 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host3:9093 (id: 2 rack: null) failed
at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
WARN [Controller-0-to-broker-0-send-thread], Controller 0's connection to broker host1:9093 (id: 0 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host1:9093 (id: 0 rack: null) failed
at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
WARN [Controller-0-to-broker-1-send-thread], Controller 0's connection to broker host2:9093 (id: 1 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host2:9093 (id: 1 rack: null) failed
at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
This looks more serious than a warning to me.
Do you know what the problem might be?
Thanks in advance.
I found the problem; it was related to certificate creation. See the Confluent documentation, which says:
Make sure the Common Name (CN) matches exactly the fully qualified domain name (FQDN) of the server. The client compares the CN with the DNS domain name to ensure that it is indeed connecting to the desired server and not a malicious one.
I regenerated the certificates and it worked!
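As an added example (not code from the question, the answer, or from Kafka or Confluent), here is a small offline pre-flight check of the rule the answer quotes. It takes certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns and reports whether each broker's certificate identity would satisfy hostname verification for the FQDN it advertises. The broker names and certificates in the block are constructed placeholders. It goes a little beyond the quoted rule by applying the RFC 6125 precedence that verifiers, Java's included, use: dNSName SAN entries win, the CN is consulted only when there are none, and a wildcard is accepted only as the whole left-most label.

```python
"""Pre-flight check: does each broker certificate's identity match the FQDN
that brokers and clients will dial?  Added example, not part of the original
question or answer.  Certificates are represented in the dict form returned
by ssl.SSLSocket.getpeercert() so the check runs offline."""


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, and
    a single '*' allowed only as the entire left-most label.  So
    '*.example.internal' matches 'host3.example.internal' but not
    'a.b.example.internal' or 'example.internal'; '*.com' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_identities(cert):
    """Names a verifier may compare against the hostname.  If the certificate
    carries any dNSName SAN entries, only those count; the subject CN is used
    solely as a fallback when there are none."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                return [value]
    return []


def hostname_matches(cert, hostname):
    """True if the certificate would pass hostname verification for hostname."""
    return any(_dns_name_matches(name, hostname) for name in cert_identities(cert))


def check_cluster(certs_by_broker):
    """Map each advertised broker FQDN to whether its keystore certificate
    would pass ssl.endpoint.identification.algorithm=HTTPS on the peer side."""
    return {host: hostname_matches(cert, host) for host, cert in certs_by_broker.items()}


# Constructed sample certificates keyed by the (placeholder) advertised FQDN.
SAMPLE_CERTS = {
    # CN is a short host name, not the advertised FQDN -> rejected
    "host1.example.internal": {
        "subject": ((("countryName", "US"),), (("commonName", "host1"),)),
    },
    # CN equals the advertised FQDN -> accepted
    "host2.example.internal": {
        "subject": ((("commonName", "host2.example.internal"),),),
    },
    # SAN wildcard covers the FQDN -> accepted even though CN does not match
    "host3.example.internal": {
        "subject": ((("commonName", "kafka-node"),),),
        "subjectAltName": (("DNS", "*.example.internal"),),
    },
    # CN matches, but a dNSName SAN for another name is present -> rejected
    # (SAN takes precedence, CN is ignored)
    "host4.example.internal": {
        "subject": ((("commonName", "host4.example.internal"),),),
        "subjectAltName": (("DNS", "host4.internal"),),
    },
}


if __name__ == "__main__":
    for host, ok in check_cluster(SAMPLE_CERTS).items():
        status = "OK" if ok else "MISMATCH"
        print(f"{host:28s} {status:9s} identities={cert_identities(SAMPLE_CERTS[host])}")
```

A broker reported as MISMATCH here is exactly the situation in the question: the peer's hostname check rejects the TLS handshake, and with the inter-broker protocol set to SSL that surfaces only as the generic "connection ... was unsuccessful" warning in the controller log. Running a check like this over the keystore certificates before enabling `ssl.endpoint.identification.algorithm=HTTPS` saves a regenerate-and-restart cycle.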