java - Configuring one-way SSL for a Kafka client using PEM

Tags: java ssl apache-kafka

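I am trying to configure one-way SSL for my Kafka client using PEM. For now I am trying this with kafka-topics.sh --list, but in the future it will be a Java client that cannot use JKS. The error message tells me to specify the type, but the documentation I am referencing doesn't tell me how to specify it: https://kafka.apache.org/documentation/#producerconfigs_ssl.truststore.certificates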

ssl.truststore.certificates

Trusted certificates in the format specified by 'ssl.truststore.type'. Default SSL engine factory supports only PEM format with X.509 certificates.

Type: password Default: null Valid Values: Importance: high

Here is the error message from kafka-topics.sh:

~/kafka/bin/kafka-topics.sh \
  --command-config /home/kafka/kafka/client_security_one_way_ssl_using_pem.properties \
  --bootstrap-server MY_IP:9093 \
  --list
Exception in thread "main" org.apache.kafka.common.KafkaException: Failed to create new KafkaAdminClient
        at org.apache.kafka.clients.admin.KafkaAdminClient.createInternal(KafkaAdminClient.java:535)
        at org.apache.kafka.clients.admin.Admin.create(Admin.java:65)
        at kafka.admin.TopicCommand$AdminClientTopicService$.createAdminClient(TopicCommand.scala:228)
        at kafka.admin.TopicCommand$AdminClientTopicService$.apply(TopicCommand.scala:232)
        at kafka.admin.TopicCommand$.main(TopicCommand.scala:59)
        at kafka.admin.TopicCommand.main(TopicCommand.scala)
Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: SSL trust store certs can be specified only for PEM, but trust store type is JKS.

Contents of client_security_one_way_ssl_using_pem.properties:

ssl.endpoint.identification.algorithm=
security.protocol=SSL

ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \
< SECRET :) > \
-----END CERTIFICATE-----

I also tried adding

ssl.truststore.type=PEM

but now my error message is:

[2021-03-10 16:18:21,343] WARN The configuration 'ssl.truststore.certificates' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-03-10 16:18:21,344] WARN The configuration 'ssl.truststore.type' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-03-10 16:18:21,344] WARN The configuration 'ssl.endpoint.identification.algorithm' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)

2.7.0 should support these properties:

~/kafka/bin/kafka-topics.sh   --version
2.7.0 (Commit:448719dc99a19793)

Best answer

The root cause was that I needed to have

ssl.truststore.type=PEM

in my properties file.

The WARN log messages are not a problem. Apache Kafka is tracking that bug here: https://issues.apache.org/jira/browse/KAFKA-10090 and it is fixed as of 2.8.0.

[2021-03-10 16:18:21,343] WARN The configuration 'ssl.truststore.certificates' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-03-10 16:18:21,344] WARN The configuration 'ssl.truststore.type' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
[2021-03-10 16:18:21,344] WARN The configuration 'ssl.endpoint.identification.algorithm' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig)

It was actually fetching the topics, but I don't have any topics.

Regarding java - Configuring one-way SSL for a Kafka client using PEM, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/66572972/
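
An added example, not part of the original question or answer: a small Python check that reads a client properties file written like the one above (backslash line continuations) and reports the missing `ssl.truststore.type=PEM` as well as the empty `ssl.endpoint.identification.algorithm`, which turns off broker hostname verification. The parser is a simplified stand-in for `java.util.Properties`, and the function names, rule names and placeholder certificate body are assumptions made for the example.

```python
import re

def load_properties(text):
    """Simplified java.util.Properties reader: comments, key=value, '\\' continuation."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # the extra "" flushes a dangling continuation
        line = raw.lstrip()  # leading whitespace is dropped, also on continuation lines
        if not pending and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing '\': value continues
            pending += line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", pending + line)
        pending = ""
        if match:
            props[match.group(1)] = match.group(2)
    return props

def audit(props):
    """Return (rule, message) findings for the PEM trust settings discussed on this page."""
    findings = []
    certs = props.get("ssl.truststore.certificates")
    # When the type is not set it is JKS, as the InvalidConfigurationException above reports.
    ts_type = props.get("ssl.truststore.type", "JKS")
    if certs is not None and ts_type != "PEM":
        findings.append(("truststore-type",
                         f"inline certificates need ssl.truststore.type=PEM, found {ts_type}"))
    if certs is not None:
        begins, ends = certs.count("BEGIN CERTIFICATE"), certs.count("END CERTIFICATE")
        if begins == 0 or begins != ends:
            findings.append(("truststore-pem", "value is not a complete PEM certificate block"))
    if props.get("ssl.endpoint.identification.algorithm") == "":
        findings.append(("hostname-verification",
                         "empty value turns off broker hostname verification"))
    return findings

# Constructed sample: the question's file, with a placeholder instead of certificate data.
QUESTION_PROPS = r"""ssl.endpoint.identification.algorithm=
security.protocol=SSL

ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \
PLACEHOLDERBASE64== \
-----END CERTIFICATE-----
"""
FIXED_PROPS = QUESTION_PROPS + "ssl.truststore.type=PEM\n"

if __name__ == "__main__":
    for name, text in (("question", QUESTION_PROPS), ("fixed", FIXED_PROPS)):
        for rule, message in audit(load_properties(text)):
            print(f"{name}: [{rule}] {message}")
```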
