Replicationg Topics using Mirror Maker

Hi,

Im trying to replicate kafka topics to another cluster using mirror maker. I encountered the error:

[2023-01-05 17:52:25,333] INFO [AdminClient clientId=adminclient-1] Failed authentication with drkafkanode1.localdomain/192.168.1.83 (SSL handshake failed) (org.apache.kafka.common.network.Selector:620)
[2023-01-05 17:52:25,372] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (drkafkanode1.localdomain/192.168.1.83:9092) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient:749)
[2023-01-05 17:52:25,383] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager:232)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)


my connect-mirror-maker.properties configuration

clusters = PROD, DR

PROD.bootstrap.servers = kafkanode1.localdomain:9092
DR.bootstrap.servers = drkafkanode1.localdomain:9092
PROD->DR.enabled = true
PROD->DR.topics = .*

DR.security.protocol=SSL
DR.ssl.truststore.location=/home/rhel/confluent-6.0.5/ssl/kafka-connect.jks
DR.ssl.truststore.password=admin123
DR.ssl.keystore.location=/home/rhel/confluent-6.0.5/ssl/kafka-connect.p12
DR.ssl.keystore.password=admin123
DR.ssl.key.password=admin123

Paging @mickael.maison.

When a Kafka client connects to a broker via SSL, by default it verifies if it trusts the server certificate. You can see at the bottom of the stack trace the call to checkServerCerts. In order for a client to trust a broker, the client must have the broker certificate in its truststore. In this case, it looks like the client does not find the broker certificate in its truststore, so it does not trust the broker and stops the connection.

You should check you’ve correctly imported the server certificate in your truststore. If the problem persists, to help debug SSL issues you can also run your application with the -Djavax.net.debug=all system property to see the certificate the client receives and what it trusts.

1 Like