Diagnose failed authentication

mmacphail · 22 December 2021 14:28

Hello all

I’m getting an error on my Kafka cluster in server.log.
The error is the following:

[2021-12-22 14:23:38,084] INFO [SocketServer brokerId=1] Failed authentication with /<node_ip> (SSL handshake failed) (org.apache.kafka.common.network.Selector)

This errors happens on each node, every few seconds, and on each message the IP in the message is the kafka broker IP.

I was wondering how do you debug these kind of issues ?
I’ve been TCP dumping the Kafka service port and I think (but I’m not certain) the problem is caused by a missconfiguration of Kafka (it’s not related to an external client, but Kafka itself).
I use SSL only for transport and no authorization at all.

I tried to set the log to trace but either I have failed or it didn’t show me anything new.

So what’s your secret to handle this case ? How would you go about it ?

I’m not especially looking for answers on this specific problem but more on learning how to debug this situation.

mmuehlbeyer · 23 December 2021 06:24

Hi @mmacphail

are you using a self signed cert?
and how does your config look like?

Best,
Michael

mmacphail · 23 December 2021 08:46

Hi @mmuehlbeyer,

Certs were delivered by my organisation. I tested them individually and they work fine.

My config is the following:

# Maintained by Ansible
advertised.listeners=INTERNAL://<url>:9092,BROKER://<url>:9091
broker.id=1
confluent.balancer.topic.replication.factor=3
confluent.license.topic=_confluent-license
confluent.license.topic.replication.factor=3
confluent.metadata.topic.replication.factor=3
confluent.schema.registry.url=https://<url>:8081,https://<url>:8081
confluent.security.event.logger.exporter.kafka.topic.replicas=3
confluent.ssl.key.password=<pass>
confluent.ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
confluent.ssl.keystore.password=<pass>
confluent.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
confluent.ssl.truststore.password=<pass>
confluent.support.customer.id=anonymous
confluent.support.metrics.enable=true
default.replication.factor=3
group.initial.rebalance.delay.ms=3000
inter.broker.listener.name=BROKER
kafka.rest.enable=false
listener.name.broker.ssl.key.password=<pass>
listener.name.broker.ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
listener.name.broker.ssl.keystore.password=<pass>
listener.name.broker.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
listener.name.broker.ssl.truststore.password=<pass>
listener.name.internal.ssl.key.password=<pass>
listener.name.internal.ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
listener.name.internal.ssl.keystore.password=<pass>
listener.name.internal.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
listener.name.internal.ssl.truststore.password=<pass>
listener.security.protocol.map=INTERNAL:SSL,BROKER:SSL
listeners=INTERNAL://:9092,BROKER://:9091
log.dirs=/opt/kafka_data/data
log.retention.check.interval.ms=300000
log.retention.hours=168
log.segment.bytes=1073741824
min.insync.replicas=2
num.io.threads=16
num.network.threads=8
num.partitions=1
num.recovery.threads.per.data.dir=2
offsets.topic.replication.factor=3
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
socket.send.buffer.bytes=102400
transaction.state.log.min.isr=2
transaction.state.log.replication.factor=3
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.connect=<url>:2182,<url>:2182,<url>:2182
zookeeper.connection.timeout.ms=18000
zookeeper.ssl.client.enable=true
zookeeper.ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
zookeeper.ssl.truststore.password=<pass>

mmuehlbeyer · 23 December 2021 12:55

thx
is there more information regarding the cert in the server.log or just this line?

which Kafka version is in place?

the error should normally occur if
the parameter

ssl.client.auth=required

is set
did you check the effective conf for this param?

Best,
Michael

mmuehlbeyer · 23 December 2021 13:02

and one further question what about

security.inter.broker.protocol=SSL

can’t find it in your config

mmacphail · 3 January 2022 09:11

Hello,

Happy new year !

No more information in server.log.
Kafka version is 2.6.0.

The parameter ssl.client.auth is set to none.
The parameter security.inter.broker.protocol is set to PLAINTEXT.

mmacphail · 3 January 2022 09:25

I think see the problem.
The inter.broker.listener.name is set to BROKER, which is mapped to SSL in listener.security.protocol.map.
However, the security.inter.broker.protocol is set to PLAINTEXT.
It should be set to SSL. Let met correct this and check if my understanding of the problem is correct.

mmacphail · 4 January 2022 15:26

This didn’t solve the problem but it expanded my understanding, so that’s something. I’m still working on it.

schapirama · 26 January 2022 10:18

Did you manage to solve this problem? How?

Screpel · 21 October 2022 13:50

Hello,

With our team, we solved this issue with the renew of all certificates.

After that we used the Ansible Confluent Platform to generate keystores and truststores.

@mmacphail you can close this post

Topic		Replies	Views
Failed authentication due to: SSL handshake failed Ops	0	7734	20 December 2021
Cannot connect to kafka Clients	5	3440	10 June 2022
Replicationg Topics using Mirror Maker Cluster Replication	2	2674	25 January 2023
Kafka upgrade from 6.2.2 to 7.4.4 Cluster Replication	1	273	15 March 2024
SSL handshake error for standalone server Clients	0	2012	15 March 2023

Diagnose failed authentication

Related Topics