[https://issues.apache.org/jira/browse/KAFKA-12534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17320966#comment-17320966]
kaushik srinivas edited comment on KAFKA-12534 at 4/14/21, 12:42 PM:
---------------------------------------------------------------------
Hi [~cricket007],
We tried to change the keystore password and key password for one of the kafka
brokers.
Below is the command used:
./kafka-configs --bootstrap-server xxxxxx:9092 --command-config ssl.xt
--entity-type brokers --entity-name 1007 --alter --add-config
'listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.key.password=1234567'
Contents of the command config file ssl.xt:
[root@vm-10-75-112-163 bin]# cat ssl.xt
ssl.key.password=123456
ssl.keystore.location=/securityFiles/ssl/kafka.client.keystore.jks
ssl.keystore.password=123456
ssl.truststore.location=/securityFiles/ssl/kafka.client.truststore.jks
ssl.truststore.password=123456
security.protocol=SSL
Note: we have two keystores, one for the kafka broker and one for the admin client.
The password for the admin client keystore file is 123456, and this is what is
configured in the command config file.
But we see the below output when we run this command:
{code:java}
hreads appropriately using -XX:ParallelGCThreads=N
[2021-04-14 12:24:39,705] WARN The configuration 'ssl.truststore.location' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,708] WARN The configuration 'ssl.keystore.password' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.key.password' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.keystore.location' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.truststore.password' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
Error while executing config command with args '--bootstrap-server xxxxx:9092
--command-config ssl.xt --entity-type brokers --entity-name 1007 --alter
--add-config
listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.key.password=1234567'
java.util.concurrent.ExecutionException:
org.apache.kafka.common.errors.InvalidRequestException: Invalid config value
for resource ConfigResource(type=BROKER, name='1007'): Invalid value
org.apache.kafka.common.config.ConfigException: Validation of dynamic config
update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to
load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for
configuration Invalid dynamic configuration
at
org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
at
org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
at
org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:104)
at
org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272)
at kafka.admin.ConfigCommand$.alterBrokerConfig(ConfigCommand.scala:338)
at
kafka.admin.ConfigCommand$.processBrokerConfig(ConfigCommand.scala:308)
at kafka.admin.ConfigCommand$.main(ConfigCommand.scala:85)
at kafka.admin.ConfigCommand.main(ConfigCommand.scala)
Caused by: org.apache.kafka.common.errors.InvalidRequestException: Invalid
config value for resource ConfigResource(type=BROKER, name='1007'): Invalid
value org.apache.kafka.common.config.ConfigException: Validation of dynamic
config update of SSLFactory failed: org.apache.kafka.common.KafkaException:
Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for
configuration Invalid dynamic configuration
{code}
It says WARN The configuration 'ssl.truststore.location' was supplied but isn't
a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
Also, the new keystore is encrypted with the new password, and still we observe
that the validation has failed.
Note: the server.properties file is not updated with the latest password. It
is still referring to the old keystore and key passwords.
Can you help us with this?
-kaushik
was (Author: kaushik srinivas):
Hi [~cricket007],
We tried to change the keystore password and key password for one of the kafka
brokers.
Below is the command used:
./kafka-configs --bootstrap-server xxxxxx:9092 --command-config ssl.xt
--entity-type brokers --entity-name 1007 --alter --add-config
'listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.key.password=1234567'
Contents of the command config file ssl.xt:
[root@vm-10-75-112-163 bin]# cat ssl.xt
ssl.key.password=123456
ssl.keystore.location=/securityFiles/ssl/kafka.client.keystore.jks
ssl.keystore.password=123456
ssl.truststore.location=/securityFiles/ssl/kafka.client.truststore.jks
ssl.truststore.password=123456
security.protocol=SSL
Note: we have two keystores, one for the kafka broker and one for the admin client.
The password for the admin client keystore file is 123456, and this is what is
configured in the command config file.
But we see the below output when we run this command:
{code:java}
hreads appropriately using -XX:ParallelGCThreads=N
[2021-04-14 12:24:39,705] WARN The configuration 'ssl.truststore.location' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,708] WARN The configuration 'ssl.keystore.password' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.key.password' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.keystore.location' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
[2021-04-14 12:24:39,710] WARN The configuration 'ssl.truststore.password' was
supplied but isn't a known config.
(org.apache.kafka.clients.admin.AdminClientConfig)
Error while executing config command with args '--bootstrap-server xxxxx:9092
--command-config ssl.xt --entity-type brokers --entity-name 1007 --alter
--add-config
listener.name.ssl.ssl.keystore.password=1234567,listener.name.ssl.ssl.key.password=1234567'
java.util.concurrent.ExecutionException:
org.apache.kafka.common.errors.InvalidRequestException: Invalid config value
for resource ConfigResource(type=BROKER, name='1007'): Invalid value
org.apache.kafka.common.config.ConfigException: Validation of dynamic config
update of SSLFactory failed: org.apache.kafka.common.KafkaException: Failed to
load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for
configuration Invalid dynamic configuration
at
org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
at
org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
at
org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:104)
at
org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272)
at kafka.admin.ConfigCommand$.alterBrokerConfig(ConfigCommand.scala:338)
at
kafka.admin.ConfigCommand$.processBrokerConfig(ConfigCommand.scala:308)
at kafka.admin.ConfigCommand$.main(ConfigCommand.scala:85)
at kafka.admin.ConfigCommand.main(ConfigCommand.scala)
Caused by: org.apache.kafka.common.errors.InvalidRequestException: Invalid
config value for resource ConfigResource(type=BROKER, name='1007'): Invalid
value org.apache.kafka.common.config.ConfigException: Validation of dynamic
config update of SSLFactory failed: org.apache.kafka.common.KafkaException:
Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore of type JKS for
configuration Invalid dynamic configuration
{code}
It says WARN The configuration 'ssl.truststore.location' was supplied but isn't
a known config. (org.apache.kafka.clients.admin.AdminClientConfig)
Also, the new keystore is encrypted with the new password, and still we observe
that the validation has failed.
Can you help us with this?
-kaushik
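The broker error above ("Validation of dynamic config update of SSLFactory failed: ... Failed to load SSL keystore /etc/kafka/secrets//ssl/keyStore") shows that the broker rejects the new password by trying to open its own keystore with it. The following is an added example, not part of the Jira comment and not Kafka project code: it performs the same listener-scoped keystore/key password change through the Kafka Admin API, but first checks, on the broker host, that the keystore file the broker reads actually opens with the new password, so a failed rotation is caught before anything is sent. The bootstrap server, broker id, listener name, properties file and keystore path are taken from the comment; the class name, argument order and the decision to read the new password from the command line rather than hard-code it are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Properties;

import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.AlterConfigOp;
import org.apache.kafka.clients.admin.ConfigEntry;
import org.apache.kafka.common.config.ConfigResource;

/**
 * Hypothetical helper: rotates a broker's SSL keystore/key password via the Admin API,
 * equivalent to
 *   kafka-configs --bootstrap-server ... --command-config ssl.xt --entity-type brokers
 *                 --entity-name 1007 --alter --add-config 'listener.name.ssl.ssl.keystore.password=...,...'
 * Usage (run on the broker host so the keystore path is readable):
 *   java RotateBrokerKeystorePassword ssl.xt 1007 /etc/kafka/secrets/ssl/keyStore <newPassword>
 */
public class RotateBrokerKeystorePassword {

    /** True if the JKS file opens with storePass and every private-key entry unlocks with keyPass. */
    static boolean keystoreOpensWith(String path, char[] storePass, char[] keyPass) {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, storePass);                 // IOException if the store password is wrong
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.isKeyEntry(alias)) {
                    ks.getKey(alias, keyPass);      // UnrecoverableKeyException if the key password is wrong
                }
            }
            return true;
        } catch (Exception e) {
            System.err.println("keystore check failed for " + path + ": " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String commandConfig  = args[0];   // admin-client properties, the file passed as --command-config
        String brokerId       = args[1];   // e.g. 1007
        String brokerKeystore = args[2];   // the path the broker itself is configured with
        char[] newPassword    = args[3].toCharArray();

        // 1. Local pre-check: the broker validates the dynamic update by loading its keystore with the
        //    new password, so do exactly that here before touching the cluster.
        if (!keystoreOpensWith(brokerKeystore, newPassword, newPassword)) {
            System.err.println("Broker keystore does not open with the new password; re-key it first.");
            System.exit(1);
        }

        // 2. Load the admin-client SSL properties (security.protocol, ssl.keystore.*, ssl.truststore.*).
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(commandConfig)) {
            props.load(in);
        }

        // 3. Incrementally SET the listener-scoped password configs on the single broker.
        ConfigResource broker = new ConfigResource(ConfigResource.Type.BROKER, brokerId);
        String pw = new String(newPassword);
        List<AlterConfigOp> ops = Arrays.asList(
            new AlterConfigOp(new ConfigEntry("listener.name.ssl.ssl.keystore.password", pw), AlterConfigOp.OpType.SET),
            new AlterConfigOp(new ConfigEntry("listener.name.ssl.ssl.key.password", pw), AlterConfigOp.OpType.SET));
        try (Admin admin = Admin.create(props)) {
            admin.incrementalAlterConfigs(Collections.singletonMap(broker, ops)).all().get();
        }
        Arrays.fill(newPassword, '\0');   // do not keep the secret in memory longer than needed
        System.out.println("Dynamic keystore password updated on broker " + brokerId);
    }
}
```

The pre-check only means something when the path given is the one in the broker's own configuration (here the error message names /etc/kafka/secrets//ssl/keyStore, not the admin client's /securityFiles/ssl/kafka.client.keystore.jks); if the file at that path still carries the old password, the broker-side validation will fail exactly as in the log above, regardless of which keystore was re-encrypted elsewhere.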
> kafka-configs does not work with ssl enabled kafka broker.
> ----------------------------------------------------------
>
> Key: KAFKA-12534
> URL: https://issues.apache.org/jira/browse/KAFKA-12534
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 2.6.1
> Reporter: kaushik srinivas
> Priority: Critical
>
> We are trying to change the trust store password on the fly using the
> kafka-configs script for a ssl enabled kafka broker.
> Below is the command used:
> kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers
> --entity-name 1001 --alter --add-config 'ssl.truststore.password=xxx'
> But we see below error in the broker logs when the command is run.
> {"type":"log", "host":"kf-2-0", "level":"INFO",
> "neid":"kafka-cfd5ccf2af7f47868e83473408", "system":"kafka",
> "time":"2021-03-23T12:14:40.055", "timezone":"UTC",
> "log":\{"message":"data-plane-kafka-network-thread-1002-ListenerName(SSL)-SSL-2
> - org.apache.kafka.common.network.Selector - [SocketServer brokerId=1002]
> Failed authentication with /127.0.0.1 (SSL handshake failed)"}}
> How can anyone configure ssl certs for the kafka-configs script and succeed
> with the ssl handshake in this case?
> Note :
> We are trying with a single listener, i.e. SSL:
--
This message was sent by Atlassian Jira
(v8.3.4#803005)