Replicating Topics using Mirror Maker

Hi,

I'm trying to replicate Kafka topics to another cluster using Mirror Maker. I encountered the error:

[2023-01-05 17:52:25,333] INFO [AdminClient clientId=adminclient-1] Failed authentication with drkafkanode1.localdomain/192.168.1.83 (SSL handshake failed) (org.apache.kafka.common.network.Selector:620)
[2023-01-05 17:52:25,372] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (drkafkanode1.localdomain/192.168.1.83:9092) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient:749)
[2023-01-05 17:52:25,383] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager:232)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)


My connect-mirror-maker.properties configuration:

clusters = PROD, DR

PROD.bootstrap.servers = kafkanode1.localdomain:9092
DR.bootstrap.servers = drkafkanode1.localdomain:9092
PROD->DR.enabled = true
PROD->DR.topics = .*

DR.security.protocol=SSL
DR.ssl.truststore.location=/home/rhel/confluent-6.0.5/ssl/kafka-connect.jks
DR.ssl.truststore.password=admin123
DR.ssl.keystore.location=/home/rhel/confluent-6.0.5/ssl/kafka-connect.p12
DR.ssl.keystore.password=admin123
DR.ssl.key.password=admin123

Paging @mickael.maison.

When a Kafka client connects to a broker via SSL, by default it verifies if it trusts the server certificate. You can see at the bottom of the stack trace the call to checkServerCerts. In order for a client to trust a broker, the client must have the broker certificate in its truststore. In this case, it looks like the client does not find the broker certificate in its truststore, so it does not trust the broker and stops the connection.

You should check you’ve correctly imported the server certificate in your truststore. If the problem persists, to help debug SSL issues you can also run your application with the -Djavax.net.debug=all system property to see the certificate the client receives and what it trusts.

2 Likes
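
The truststore check suggested in the reply above, as an added shell example that is not part of the original thread: it compares the SHA-256 fingerprints of the certificates the broker presents with those stored in the truststore. The function names and the `TRUSTSTORE_PASS` environment variable are assumptions, and it expects `openssl` and `keytool` on the PATH.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and TRUSTSTORE_PASS are hypothetical.

# Extract every SHA-256 fingerprint (32 colon-separated hex bytes) from tool output,
# regardless of the label in front of it: upper case, sorted, de-duplicated.
extract_fps() {
  grep -Eio '([0-9a-f]{2}:){31}[0-9a-f]{2}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# Fingerprints of every certificate the broker sends in the TLS handshake.
broker_fps() {  # $1 = host:port
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/ { incert = 1 }
         incert { pem = pem $0 "\n" }
         /-----END CERTIFICATE-----/ {
           cmd = "openssl x509 -noout -fingerprint -sha256"
           printf "%s", pem | cmd; close(cmd); pem = ""; incert = 0
         }' | extract_fps
}

# Fingerprints of every truststore entry. The password comes from the environment
# variable TRUSTSTORE_PASS so that it stays out of the process list.
truststore_fps() {  # $1 = truststore path
  keytool -list -v -keystore "$1" -storepass:env TRUSTSTORE_PASS 2>/dev/null | extract_fps
}

# Print fingerprints found in both lists; exit status 0 only if there is at least one.
common_fps() {  # $1 = presented fingerprints, $2 = trusted fingerprints
  for fp in $1; do
    printf '%s\n' "$2" | grep -Fxq -- "$fp" && printf '%s\n' "$fp"
  done | grep .
}

check_broker_trust() {  # $1 = host:port, $2 = truststore path
  presented=$(broker_fps "$1")
  trusted=$(truststore_fps "$2")
  [ -n "$presented" ] || { echo "no certificate received from $1" >&2; return 2; }
  [ -n "$trusted" ] || { echo "no entries read from $2" >&2; return 2; }
  if common_fps "$presented" "$trusted"; then
    echo "OK: a certificate presented by $1 is in $2"
  else
    echo "NO MATCH: nothing presented by $1 is in $2"
    return 1
  fi
}

# Usage, with the host and truststore path from the question:
#   TRUSTSTORE_PASS=... check_broker_trust drkafkanode1.localdomain:9092 \
#     /home/rhel/confluent-6.0.5/ssl/kafka-connect.jks
```

A match means the truststore already holds a certificate from the presented chain. No match points to a missing import, unless the truststore holds a root CA that the broker leaves out of the chain it sends.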