Hi,

I have an issue when running this command to list topics. ZooKeeper and Kafka seem OK.
```
/opt/kafka/bin/kafka-topics.sh --list --bootstrap-server 172.17.0.2:9093 --command-config /opt/kafka/config/client.properties
```

```
[2021-12-20 16:40:28,231] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (172.17.0.2/172.17.0.2:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-12-20 16:40:28,233] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present
```
My client.properties:

```
security.protocol=SASL_SSL
ssl.truststore.location=/opt/kafka/certs/kafka.client.truststore.jks
ssl.truststore.password=password
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="password";
```
On the server side:

server.properties

```
...
## SSL
# Enable SSL security protocol for inter-broker communication
listeners=SSL://:9093,SASL_SSL://:9094
security.inter.broker.protocol=SSL
ssl.client.authentication=required
sasl.mechanism.inter.broker.protocol=PLAIN
ssl.endpoint.identification.algorithm=
advertised.listeners=SSL://:9093,SASL_SSL://server:9094
listener.security.protocol.map=SSL:SSL,SASL_SSL:SASL_SSL
# Broker security settings
ssl.truststore.location=/opt/kafka/certs/kafka.server.truststore.jks
ssl.truststore.password={{sslpassword}}
ssl.keystore.location=/opt/kafka/certs/kafka.server.keystore.jks
ssl.keystore.password={{sslpassword}}
ssl.key.password={{sslpassword}}
sasl.enabled.mechanisms=PLAIN
...
```
zookeeper_jaas.conf

```
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="admin"
password="password";
};
Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_admin="password";
};
```

kafka_jaas.conf

```
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="password"
user_admin="password";
};
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="password";
};
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="admin"
password="password";
};
```
zookeeper.properties

```
admin.enableServer=false
clientPort=2181
dataDir=/tmp/zookeeper
maxClientCnxns=0
# custom for AD below this line
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
```
At the end of the Kafka server start script:

```
export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/config/kafka_jaas.conf"
```

At the end of the ZooKeeper server start script:

```
export KAFKA_OPTS="-Djava.security.auth.login.config=$base_dir/../config/zookeeper_jaas.conf"
```
Certificates

```
keytool -keystore kafka.server.keystore.jks -alias localhost -keyalg RSA -validity 365 -genkey -storepass $pass -keypass $pass -dname "CN=172.17.0.2" -ext SAN=IP:172.17.0.2
```

So only my keystore has the alt name:
```
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: caroot
Creation date: Dec 20, 2021
Entry type: trustedCertEntry
Owner: CN=server, O=AD, L=Chill, ST=IDF, C=FR
Issuer: CN=server, O=AD, L=Chilly, ST=IDF, C=FR
...
Alias name: localhost
Creation date: Dec 20, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=172.17.0.2
Issuer: CN=server, O=AD, L=Chill, ST=IDF, C=FR
...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Certificate[2]:
Owner: CN=server, O=AD, L=Chil, ST=IDF, C=FR
Issuer: CN=server, O=AD, L=Chill, ST=IDF, C=FR
...
```
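The keystore listing shows the CA-signed broker certificate as `Version: 1`, and an X.509 v1 certificate cannot carry extensions, so the SAN requested with `-ext SAN=IP:172.17.0.2` is not in the certificate the broker actually presents, which is what "No subject alternative names present" reports. As an added example that is not part of the original post, the script below signs a CSR with and without an extension file using openssl (assumed to be 1.1.1 or later and on PATH) and gives a `cert_san` check to run on a certificate before importing it into the keystore; the broker IP and CA subject are taken from the post, the CA and keys are throwaway ones constructed here.

```sh
#!/bin/sh
# Added example, not from the original post: sign a broker CSR two ways
# and show which way keeps the SAN that Kafka's hostname verification
# needs. Assumes openssl 1.1.1+ on PATH; the broker IP and CA subject
# come from the post, the CA and keys are throwaway ones made here.
set -eu

BROKER_IP="172.17.0.2"
WORK="$(mktemp -d)"

# Throwaway CA, constructed for this example.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=server/O=AD/L=Chilly/ST=IDF/C=FR" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Broker key and CSR. The CSR asks for SAN=IP:172.17.0.2, just as
# keytool -ext SAN=IP:... in the post puts it in the keystore's CSR.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$BROKER_IP" \
  -addext "subjectAltName=IP:$BROKER_IP" \
  -keyout "$WORK/broker.key" -out "$WORK/broker.csr" 2>/dev/null

# sign_csr OUT [EXTFILE]: sign the CSR with the CA. Without an extension
# file, openssl x509 drops every extension the CSR asked for, which is
# how a SAN-less certificate like the one in the post is produced;
# with one, the SAN is written into the issued certificate.
sign_csr() {
  out="$1"; ext="${2:-}"
  set -- -req -in "$WORK/broker.csr" -CA "$WORK/ca.crt" \
         -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -out "$out"
  if [ -n "$ext" ]; then
    openssl x509 "$@" -extfile "$ext" 2>/dev/null
  else
    openssl x509 "$@" 2>/dev/null
  fi
}

# cert_san FILE: print the certificate's SAN, or nothing if it has none.
# Run this on a cert before importing it into the broker keystore.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

printf 'subjectAltName=IP:%s\n' "$BROKER_IP" > "$WORK/san.ext"
sign_csr "$WORK/broker-bad.crt"                  # extensions dropped
sign_csr "$WORK/broker-good.crt" "$WORK/san.ext" # SAN preserved

echo "without extfile: '$(cert_san "$WORK/broker-bad.crt")'"
echo "with extfile:    '$(cert_san "$WORK/broker-good.crt")'"
```

The same check applies to a certificate exported from keytool: if `cert_san` prints nothing for it, importing it back into the keystore cannot make hostname verification pass.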