apache-kafka - Kafka Controller 无法连接到代理

Question

我有一个 3 节点的 Kafka 集群(版本 0.10.1.0)。我已按照 kafka security documentation 上的步骤操作.这是我的一台 Kafka 服务器的相关配置。

listeners=SSL://myhostname:9093
security.inter.broker.protocol=SSL
advertised.listeners=SSL://myhostname:9093
# In order to enable hostname verification
ssl.endpoint.identification.algorithm=HTTPS

ssl.client.auth=required

# certificate file locations
ssl.keystore.location=/location/server1.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/location/server.truststore.jks
ssl.truststore.password=changeit

# Supported TLS versions
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1

我为所有 Kafka 服务器定义了 3 个不同的 keystore ，并使用相同的 CA 对它们进行签名。当我启动 Kafka 服务器时， Controller 日志不断记录以下警告日志。

WARN [Controller-0-to-broker-2-send-thread], Controller 0's connection to broker host3:9093 (id: 2 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host3:9093 (id: 2 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
WARN [Controller-0-to-broker-0-send-thread], Controller 0's connection to broker host1:9093 (id: 0 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host1:9093 (id: 0 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
WARN [Controller-0-to-broker-1-send-thread], Controller 0's connection to broker host2:9093 (id: 1 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host2:9093 (id: 1 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)

在我看来，这比警告更严重。
你知道可能是什么问题吗？
提前致谢。

Answer 1

我发现了问题，它与证书创建有关。引用 Confluent's documentation它说:

Ensure that common name (CN) matches exactly with the fully qualified domain name (FQDN) of the server. The client compares the CN with the DNS domain name to ensure that it is indeed connecting to the desired server, not a malicious one.

我重新生成证书并且它起作用了!