时间戳

首页 > 解决方案 > Kafka 为 Windows Docker 抛出无效密钥

windows - Kafka 为 Windows Docker 抛出无效密钥

问题描述

我正在尝试在我的 Windows 10 机器上运行基本的 SSL Docker 设置。我试图让它以 PEM 和 JKS 文件格式运行,但在这两种情况下,私钥都不被接受。我做错了什么以及 PEM 工作必须发生什么?

为了生成证书和密钥,我使用 PowerShell 和以下脚本:

openssl genrsa -out ca.key 2048
openssl req -new -nodes -x509 -key ca.key -out ca.pem -subj '/CN=ca/OU=TEST/O=Org/L=State/C=DE'
openssl genrsa -out certKey2.key 2048
openssl pkcs8 -in certKey2.key -passout "pass:testpw2" -topk8 -v1 PBE-SHA1-3DES -out certKey2-pkcs8.key
openssl req -new -key certKey2.key -out cert2.csr -subj '/CN=cert2/OU=TEST/O=Org/L=State/C=DE'
openssl x509 -req -in cert2.csr -CA ca.pem -CAkey ca.key -set_serial 02 -out cert2.pem
cat certKey2-pkcs8.key > cert2-keypair.pem
cat cert2.pem >> cert2-keypair.pem
openssl pkcs12 -export -in cert2.pem -inkey certKey2.key -name cert2 -out cert2-pkcs12.p12 -passout "pass:testpw2"
keytool -importkeystore -srckeystore cert2-pkcs12.p12 -destkeystore keystore2.jks -srcstoretype pkcs12 -srcstorepass testpw2 -deststorepass testpw2

此外,我正在使用“OpenSSL 1.1.1k 25 Mar 2021”和“openjdk 16.0.1 2021-04-20”。我的 PEM 尝试的 docker compose 版本是:

version: '2'
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:latest
    container_name: zookeeper
    volumes:
      - ./testCerts:/etc/kafka/secrets
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000
  kafka1:
    image: confluentinc/cp-kafka:latest
    depends_on:
      - zookeeper
    ports:
      - 9092:9092
      - 9093:9093
    hostname: kafka1
    container_name: kafka1
    volumes:
      - ./testCerts:/etc/kafka/secrets
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ADVERTISED_LISTENERS: CLEAR://broker:29092,CLEAR_HOST://localhost:9092,TLS://broker:29093,TLS_HOST://localhost:9093
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: CLEAR:PLAINTEXT,CLEAR_HOST:PLAINTEXT,TLS:SSL,TLS_HOST:SSL
      KAFKA_INTER_BROKER_LISTENER_NAME: TLS 
      
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_DELETE_TOPIC_ENABLE: 'true'
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
      
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181

      KAFKA_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/cert2-keypair.pem
      KAFKA_SSL_KEY_PASSWORD: testpw2
      KAFKA_SSL_KEYSTORE_TYPE: PEM
      
      KAFKA_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/ca.pem
      KAFKA_SSL_TRUSTSTORE_TYPE: PEM
      
      KAFKA_SSL_CLIENT_AUTH: "required"
      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'true'
      KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer

导致错误:

[2021-06-26 09:18:21,158] ERROR [KafkaServer id=1] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.errors.InvalidConfigurationException: Failed to load PEM SSL keystore /etc/kafka/secrets/cert2-keypair.pem
Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: Invalid PEM keystore configs
Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: No matching PRIVATE KEY entries in PEM file

对于 JKS 版本,docker-compose 是:

version: '2'
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:latest
    container_name: zookeeper
    volumes:
      - ./testCerts:/etc/kafka/secrets
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000
  kafka1:
    image: confluentinc/cp-kafka:latest
    depends_on:
      - zookeeper
    ports:
      - 9092:9092
      - 9093:9093
    hostname: kafka1
    container_name: kafka1
    volumes:
      - ./testCerts:/etc/kafka/secrets
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ADVERTISED_LISTENERS: CLEAR://broker:29092,CLEAR_HOST://localhost:9092,TLS://broker:29093,TLS_HOST://localhost:9093
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: CLEAR:PLAINTEXT,CLEAR_HOST:PLAINTEXT,TLS:SSL,TLS_HOST:SSL
      KAFKA_INTER_BROKER_LISTENER_NAME: TLS 
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_DELETE_TOPIC_ENABLE: 'true'
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/keystore2.jks
      KAFKA_SSL_KEYSTORE_PASSWORD: testpw2
      KAFKA_SSL_KEY_PASSWORD: testpw2      
      KAFKA_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/ca.pem
      KAFKA_SSL_TRUSTSTORE_TYPE: PEM
      KAFKA_SSL_CLIENT_AUTH: "required"
      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'true'
      KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer

导致错误:

org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/kafka/secrets/keystore2.jks of type JKS
    at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:377)
    at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.<init>(DefaultSslEngineFactory.java:349)
    at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.createKeystore(DefaultSslEngineFactory.java:299)
    at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.configure(DefaultSslEngineFactory.java:161)
    at org.apache.kafka.common.security.ssl.SslFactory.instantiateSslEngineFactory(SslFactory.java:136)
    at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:93)
    at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:72)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
    at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:97)
    at kafka.network.Processor.<init>(SocketServer.scala:790)
    at kafka.network.SocketServer.newProcessor(SocketServer.scala:415)
    at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors$1(SocketServer.scala:288)
    at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:287)
    at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:254)
    at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:251)
    at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
    at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
    at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
    at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:251)
    at kafka.network.SocketServer.startup(SocketServer.scala:125)
    at kafka.server.KafkaServer.startup(KafkaServer.scala:303)
    at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
    at kafka.Kafka$.main(Kafka.scala:82)
    at kafka.Kafka.main(Kafka.scala)
Caused by: java.io.IOException: Invalid keystore format
    at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:667)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
    at java.base/java.security.KeyStore.load(KeyStore.java:1479)
    at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:374)
    ... 23 more

在这种情况下,我还检查了 JKS 是否已损坏,但似乎不是这样:

keytool -list -keystore keystore2.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

cert2, 26.06.2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1A:45:10:06:D2:8A:64:67:1E:90:63:D3:DF:7F:34:3D:0A:AB:D4:E4:44:A3:B2:33:9E:A1:A9:1C:09:51:AB:6F

标签: windowssslapache-kafkadocker-compose

解决方案

推荐阅读