windows - Kafka 为 Windows Docker 抛出无效密钥
问题描述
我正在尝试在我的 Windows 10 机器上运行一个基本的 SSL Docker 设置。我分别尝试了 PEM 和 JKS 两种文件格式,但在这两种情况下私钥都不被接受。我做错了什么?要让 PEM 方式正常工作,还需要做什么?
为了生成证书和密钥,我使用 PowerShell 和以下脚本:
# Creates a throw-away CA, one broker key/certificate signed by it, and packages the broker
# key in three forms: encrypted PKCS#8 PEM, a PEM key+certificate bundle, and a Java keystore.
# The passwords are given inline (-passout / -srcstorepass / -deststorepass), so they end up in
# shell history and in the process listing; outside a local test use -passout file:/env: instead.
openssl genrsa -out ca.key 2048
# Self-signed CA certificate (unencrypted CA key, -nodes).
openssl req -new -nodes -x509 -key ca.key -out ca.pem -subj '/CN=ca/OU=TEST/O=Org/L=State/C=DE'
openssl genrsa -out certKey2.key 2048
# Re-wrap the broker key as password-protected PKCS#8 ("ENCRYPTED PRIVATE KEY" block).
# PBE-SHA1-3DES is a legacy scheme; prefer the -v2 (PBKDF2/AES) form where the consumer accepts it.
openssl pkcs8 -in certKey2.key -passout "pass:testpw2" -topk8 -v1 PBE-SHA1-3DES -out certKey2-pkcs8.key
# CSR for the broker. The subject is CN=cert2 and no SAN is requested, so the certificate is not
# issued for the broker's hostname.
openssl req -new -key certKey2.key -out cert2.csr -subj '/CN=cert2/OU=TEST/O=Org/L=State/C=DE'
# Sign with the CA; no -days given, so openssl's default validity applies.
openssl x509 -req -in cert2.csr -CA ca.pem -CAkey ca.key -set_serial 02 -out cert2.pem
# PEM bundle: encrypted key first, then the certificate.
# NOTE(review): the script is run from PowerShell; Windows PowerShell's `>` / `>>` redirection
# may write UTF-16LE with a BOM rather than ASCII, and a Java PEM parser then cannot see the
# "-----BEGIN ... PRIVATE KEY-----" markers. Verify the encoding of cert2-keypair.pem.
cat certKey2-pkcs8.key > cert2-keypair.pem
cat cert2.pem >> cert2-keypair.pem
# PKCS#12 bundle of the unencrypted key and certificate under alias "cert2".
openssl pkcs12 -export -in cert2.pem -inkey certKey2.key -name cert2 -out cert2-pkcs12.p12 -passout "pass:testpw2"
# No -deststoretype given: recent JDKs default keytool to PKCS12, so keystore2.jks is a PKCS#12
# file despite its extension (the keytool -list output below reports "Keystore type: PKCS12").
keytool -importkeystore -srckeystore cert2-pkcs12.p12 -destkeystore keystore2.jks -srcstoretype pkcs12 -srcstorepass testpw2 -deststorepass testpw2
此外,我使用的是“OpenSSL 1.1.1k 25 Mar 2021”和“openjdk 16.0.1 2021-04-20”。我用于 PEM 尝试的 docker-compose 文件版本如下:
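# docker-compose for the PEM attempt: the broker key+certificate bundle and the CA are loaded as PEM.
version: '2'
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:latest
    container_name: zookeeper
    volumes:
      - ./testCerts:/etc/kafka/secrets
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000

  kafka1:
    image: confluentinc/cp-kafka:latest
    depends_on:
      - zookeeper
    ports:
      # Quoted so the host:container mapping is always read as a string.
      - "9092:9092"
      - "9093:9093"
    hostname: kafka1
    container_name: kafka1
    volumes:
      - ./testCerts:/etc/kafka/secrets
    environment:
      KAFKA_BROKER_ID: 1
      # The advertised host of the container-side listeners must resolve on the compose network.
      # This service is named kafka1 (hostname kafka1) and no "broker" service exists, so the
      # CLEAR/TLS listeners advertise kafka1.
      KAFKA_ADVERTISED_LISTENERS: CLEAR://kafka1:29092,CLEAR_HOST://localhost:9092,TLS://kafka1:29093,TLS_HOST://localhost:9093
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: CLEAR:PLAINTEXT,CLEAR_HOST:PLAINTEXT,TLS:SSL,TLS_HOST:SSL
      # Broker-to-broker traffic also goes over TLS, so the keystore below is used as a client
      # certificate too. NOTE(review): the certificate from the script is CN=cert2 with no SAN;
      # if ssl.endpoint.identification.algorithm is left at its default, the inter-broker
      # connection to kafka1 is expected to fail hostname verification — issue the broker
      # certificate for kafka1 rather than disabling verification.
      KAFKA_INTER_BROKER_LISTENER_NAME: TLS
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_DELETE_TOPIC_ENABLE: 'true'
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      # PEM keystore: one file holding the encrypted PKCS#8 key followed by the certificate.
      # Kafka locates the key by its "-----BEGIN ... PRIVATE KEY-----" block, so the file must be
      # plain ASCII/UTF-8 PEM. NOTE(review): a bundle written via PowerShell redirection may be
      # UTF-16; check the file's encoding if Kafka reports no PRIVATE KEY entries.
      KAFKA_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/cert2-keypair.pem
      # Password of the encrypted PKCS#8 key. A plain-text secret in the compose file is fine for
      # a local test only; otherwise supply it through an env file or a secret store.
      KAFKA_SSL_KEY_PASSWORD: testpw2
      KAFKA_SSL_KEYSTORE_TYPE: PEM
      KAFKA_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/ca.pem
      KAFKA_SSL_TRUSTSTORE_TYPE: PEM
      # Mutual TLS: clients and peer brokers must present a certificate chaining to ca.pem.
      KAFKA_SSL_CLIENT_AUTH: "required"
      # With AclAuthorizer enabled, resources that have no ACL are open to every authenticated
      # principal while this is 'true'; set it to 'false' once ACLs are in place.
      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'true'
      KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer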
导致错误:
[2021-06-26 09:18:21,158] ERROR [KafkaServer id=1] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.errors.InvalidConfigurationException: Failed to load PEM SSL keystore /etc/kafka/secrets/cert2-keypair.pem
Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: Invalid PEM keystore configs
Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: No matching PRIVATE KEY entries in PEM file
对于 JKS 版本,docker-compose 是:
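# docker-compose for the keystore attempt: the broker key+certificate come from keystore2.jks,
# the CA is loaded as PEM.
version: '2'
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:latest
    container_name: zookeeper
    volumes:
      - ./testCerts:/etc/kafka/secrets
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000

  kafka1:
    image: confluentinc/cp-kafka:latest
    depends_on:
      - zookeeper
    ports:
      # Quoted so the host:container mapping is always read as a string.
      - "9092:9092"
      - "9093:9093"
    hostname: kafka1
    container_name: kafka1
    volumes:
      - ./testCerts:/etc/kafka/secrets
    environment:
      KAFKA_BROKER_ID: 1
      # The advertised host of the container-side listeners must resolve on the compose network.
      # This service is named kafka1 (hostname kafka1) and no "broker" service exists, so the
      # CLEAR/TLS listeners advertise kafka1.
      KAFKA_ADVERTISED_LISTENERS: CLEAR://kafka1:29092,CLEAR_HOST://localhost:9092,TLS://kafka1:29093,TLS_HOST://localhost:9093
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: CLEAR:PLAINTEXT,CLEAR_HOST:PLAINTEXT,TLS:SSL,TLS_HOST:SSL
      # Broker-to-broker traffic also goes over TLS, so the keystore below is used as a client
      # certificate too. NOTE(review): the certificate from the script is CN=cert2 with no SAN;
      # if ssl.endpoint.identification.algorithm is left at its default, the inter-broker
      # connection to kafka1 is expected to fail hostname verification — issue the broker
      # certificate for kafka1 rather than disabling verification.
      KAFKA_INTER_BROKER_LISTENER_NAME: TLS
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_DELETE_TOPIC_ENABLE: 'true'
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/keystore2.jks
      # Plain-text secrets in the compose file are fine for a local test only; otherwise supply
      # them through an env file or a secret store.
      KAFKA_SSL_KEYSTORE_PASSWORD: testpw2
      KAFKA_SSL_KEY_PASSWORD: testpw2
      # keytool -list reports this file as "Keystore type: PKCS12" (recent JDKs default keytool to
      # PKCS12 regardless of the .jks extension). Without an explicit type Kafka opens it as JKS
      # and fails with "Invalid keystore format".
      KAFKA_SSL_KEYSTORE_TYPE: PKCS12
      KAFKA_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/ca.pem
      KAFKA_SSL_TRUSTSTORE_TYPE: PEM
      # Mutual TLS: clients and peer brokers must present a certificate chaining to ca.pem.
      KAFKA_SSL_CLIENT_AUTH: "required"
      # With AclAuthorizer enabled, resources that have no ACL are open to every authenticated
      # principal while this is 'true'; set it to 'false' once ACLs are in place.
      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'true'
      KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer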
导致错误:
org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets/keystore2.jks of type JKS
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:377)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.<init>(DefaultSslEngineFactory.java:349)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.createKeystore(DefaultSslEngineFactory.java:299)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.configure(DefaultSslEngineFactory.java:161)
at org.apache.kafka.common.security.ssl.SslFactory.instantiateSslEngineFactory(SslFactory.java:136)
at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:93)
at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:72)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:97)
at kafka.network.Processor.<init>(SocketServer.scala:790)
at kafka.network.SocketServer.newProcessor(SocketServer.scala:415)
at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors$1(SocketServer.scala:288)
at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:287)
at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:254)
at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:251)
at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:251)
at kafka.network.SocketServer.startup(SocketServer.scala:125)
at kafka.server.KafkaServer.startup(KafkaServer.scala:303)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
at kafka.Kafka$.main(Kafka.scala:82)
at kafka.Kafka.main(Kafka.scala)
Caused by: java.io.IOException: Invalid keystore format
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:667)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:374)
... 23 more
在这种情况下,我还检查了 JKS 是否已损坏,但似乎不是这样:
keytool -list -keystore keystore2.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
cert2, 26.06.2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1A:45:10:06:D2:8A:64:67:1E:90:63:D3:DF:7F:34:3D:0A:AB:D4:E4:44:A3:B2:33:9E:A1:A9:1C:09:51:AB:6F
解决方案