0

我正在尝试设置使用我的 GoDaddy 证书作为 Kafka 的侦听器。使用这篇文章https://strimzi.io/docs/operators/in-development/using.html#kafka-listener-certificates-str

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: es-kafka-cluster
spec:
  kafka:
    version: 2.7.0
    replicas: 2
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
        configuration:  
          brokerCertChainAndKey:
            secretName: es-tls-certificate
            certificate: certificate.crt
            key: certificate.key
    authorization:
      type: simple
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      log.message.format.version: "2.7"
    storage:
      type: ephemeral
  zookeeper:
    replicas: 2
    storage:
      type: ephemeral
  entityOperator:
    userOperator: {}
    topicOperator: {}

我正在发送证书检查 openssl s_client -connect MY_IP:9094 -servername MY_IP

返回我的正确证书。但是当我尝试执行命令时出现错误

 kafkacat -C -b MY_IP:9094 -X security.protocol=ssl -t schedules
% ERROR: Failed to query metadata for topic schedules: Local: Timed out

来自 Kafka 的日志

(SSL handshake failed) (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-0-ListenerName(EXTERNAL-9094)-SSL-12
4

1 回答 1

1 
    authentication:
      type: tls

身份验证 TLS 似乎表明您的客户端需要使用 mtls 进行身份验证,请尝试以下命令并发布和更新

kafkacat -b MY_IP:9094
-X security.protocol=SSL -X ssl.key.location=private_key.pem -X ssl.key.password=my_key_password
-X ssl.certificate.location=signed_cert.pem.txt
-X ssl。 ca.location=ca_cert.pem -L

或者去掉认证子句

并添加到 kafkacat

-X ssl.ca.location=ca_cert.pem

于 2021-06-03T17:42:59.843 回答