【问题标题】:kafka strimzi use my own certificate Kubernetes [closed]kafka srimzi 使用我自己的证书 Kubernetes [关闭]
【发布时间】:2021-08-21 20:25:59
【问题描述】:

我正在尝试设置使用我的 GoDaddy 证书作为 Kafka 的侦听器。使用这篇文章https://strimzi.io/docs/operators/in-development/using.html#kafka-listener-certificates-str

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: es-kafka-cluster
spec:
  kafka:
    version: 2.7.0
    replicas: 2
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
        configuration:  
          brokerCertChainAndKey:
            secretName: es-tls-certificate
            certificate: certificate.crt
            key: certificate.key
    authorization:
      type: simple
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      log.message.format.version: "2.7"
    storage:
      type: ephemeral
  zookeeper:
    replicas: 2
    storage:
      type: ephemeral
  entityOperator:
    userOperator: {}
    topicOperator: {}

我正在发送证书检查 openssl s_client -connect MY_IP:9094 -servername MY_IP

返回我的正确证书。 但是当我尝试执行命令时出现错误

 kafkacat -C -b MY_IP:9094 -X security.protocol=ssl -t schedules
% ERROR: Failed to query metadata for topic schedules: Local: Timed out

来自 Kafka 的日志

(SSL handshake failed) (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-0-ListenerName(EXTERNAL-9094)-SSL-12

【问题讨论】:

    标签: azure kubernetes apache-kafka kafka-consumer-api strimzi


    【解决方案1】:
        authentication:
          type: tls
    

    身份验证 TLS 似乎表明您的客户端需要使用 mtls 进行身份验证,请尝试以下命令并发布和更新

    kafkacat -b MY_IP:9094
    -X security.protocol=SSL -X ssl.key.location=private_key.pem -X ssl.key.password=my_key_password
    -X ssl.certificate.location=signed_cert.pem.txt
    -X ssl.ca.location=ca_cert.pem -L

    或者去掉认证子句

    并添加到 kafkacat

    -X ssl.ca.location=ca_cert.pem

    【讨论】:

    • 感谢您的回答)我收到一个错误invalid type for io.strimzi.kafka.v1beta2.Kafka.spec.kafka.listeners.authentication: got "string", expected "map"; if you choose to ignore these errors, turn validation off with validate=false
    • 尝试完全删除身份验证部分,会发生什么?
    • 感谢 Kubernetes 中的部署。现在我在我的测试 Linux 机器 kafkacat -C -b IP:9094 -X security.protocol=ssl -t schedules % ERROR: Topic schedules error: Broker: Topic authorization failed 中遇到错误
    • 并从我的应用程序 sasl_ssl://IP:9094/bootstrap:SSL 握手失败:错误:14090086:SSL 例程:ssl3_get_server_certificate:certificate verify failed:无法验证代理证书,请验证 ssl。 ca.location 已正确配置或安装了根 CA 证书(将代理的 CA 证书添加到 Windows 根证书存储区)
    • -X ssl.ca.location=ca_cert.pem
    猜你喜欢
    • 2020-07-20
    • 1970-01-01
    • 2019-09-28
    • 2017-03-11
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2019-11-22
    • 2018-11-05
    相关资源
    最近更新 更多