[ https://issues.apache.org/jira/browse/KAFKA-12534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17840985#comment-17840985 ]
keith.paulson commented on KAFKA-12534:
---------------------------------------

I can reproduce this with kafka 3.6.0 and BCFKS keystores.

Changing keystore and password gives
{code:java}
ERROR Encountered metadata publishing fault: Error updating node with new configuration: listener.name.SSL.ssl.key.password -> [hidden],listener.name.SSL.ssl.keystore.location -> /etc/ssl/private/kafkachain.bcfks in MetadataDelta up to 5940236 (org.apache.kafka.server.fault.LoggingFaultHandler)
org.apache.kafka.common.config.ConfigException: Validation of dynamic config update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /etc/ssl/private/kafkachain.bcfks of type BCFKS
{code}
but on a kafka restart, that keystore/password combination works fine.

If I change just the keystore (i.e. new keystore created using same password as previous one)
{code:java}
[2024-04-25 21:15:47,065] INFO [DynamicConfigPublisher broker id=1] Updating node 1 with new configuration : listener.name.SSL.ssl.keystore.location -> /etc/ssl/private/kafkachain.bcfks (kafka.server.metadata.DynamicConfigPublisher)
{code}

Not being able to change passwords is a significant limitation.

> kafka-configs does not work with ssl enabled kafka broker.
> ----------------------------------------------------------
>
>                 Key: KAFKA-12534
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12534
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.6.1
>            Reporter: kaushik srinivas
>            Priority: Critical
>
> We are trying to change the trust store password on the fly using the
> kafka-configs script for a ssl enabled kafka broker.
> Below is the command used:
> kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers
> --entity-name 1001 --alter --add-config 'ssl.truststore.password=xxx'
> But we see below error in the broker logs when the command is run.
> {"type":"log", "host":"kf-2-0", "level":"INFO",
> "neid":"kafka-cfd5ccf2af7f47868e83473408", "system":"kafka",
> "time":"2021-03-23T12:14:40.055", "timezone":"UTC",
> "log":\{"message":"data-plane-kafka-network-thread-1002-ListenerName(SSL)-SSL-2
> - org.apache.kafka.common.network.Selector - [SocketServer brokerId=1002]
> Failed authentication with /127.0.0.1 (SSL handshake failed)"}}
> How can anyone configure ssl certs for the kafka-configs script and succeed
> with the ssl handshake in this case ?
> Note :
> We are trying with a single listener i.e SSL:

--
This message was sent by Atlassian Jira (v8.20.10#820010)
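
The command in the quoted report passes no client TLS settings to kafka-configs.sh. The following is an added example, not from the issue or the Kafka project, that supplies them through --command-config and puts the new password in a file (--add-config-file) so it stays out of the process list. It assumes the handshake failure comes from the tool connecting without TLS; the helper names, environment variables, paths and passwords are placeholders, while localhost:9092 and broker 1001 are taken from the report.

```shell
#!/usr/bin/env bash
# Added example: every path, password and helper name here is a placeholder.

# Client-side TLS settings for the admin client inside kafka-configs.sh.
# $1=output file  $2=truststore path  $3=truststore password
# $4/$5 (optional)=client keystore path/password, for listeners that
# require client certificates.
write_client_props() {
  (
    umask 077   # the file contains secrets: create it owner-only
    {
      printf 'security.protocol=SSL\n'
      printf 'ssl.truststore.location=%s\n' "$2"
      printf 'ssl.truststore.password=%s\n' "$3"
      if [ -n "${4:-}" ]; then
        printf 'ssl.keystore.location=%s\n' "$4"
        printf 'ssl.keystore.password=%s\n' "${5:-}"
      fi
    } > "$1"
  )
}

# The dynamic update itself, kept in a file so the new password never
# appears in argv. $1=output file  $2=new truststore password
write_update_props() {
  ( umask 077; printf 'ssl.truststore.password=%s\n' "$2" > "$1" )
}

# $1=bootstrap server  $2=broker id  $3=client props  $4=update props
alter_broker_config() {
  kafka-configs.sh --bootstrap-server "$1" --command-config "$3" \
    --entity-type brokers --entity-name "$2" --alter --add-config-file "$4"
}

# Runs only where Kafka's tools are installed and TRUSTSTORE is set.
if command -v kafka-configs.sh >/dev/null 2>&1 && [ -n "${TRUSTSTORE:-}" ]; then
  dir=$(mktemp -d)
  trap 'rm -rf "$dir"' EXIT
  write_client_props "$dir/client.properties" "$TRUSTSTORE" "$TRUSTSTORE_PASSWORD"
  write_update_props "$dir/update.properties" "$NEW_TRUSTSTORE_PASSWORD"
  alter_broker_config localhost:9092 1001 "$dir/client.properties" "$dir/update.properties"
fi
```

For a BCFKS truststore such as the one in the comment above, the client file would also need ssl.truststore.type=BCFKS and the matching provider on the tool's classpath.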