I am not exactly sure where we are now... Did you manage to set up what you wanted to? Am I right that you need Quorum SSL and client SSL, while you want to disable the unsecure Client connection?

I think in this case the following config should work, using ZooKeeper 3.6.1:

------- zoo.cfg starts here -----
# generic
dataDir=/data
dataLogDir=/datalog
tickTime=2000
initLimit=10
syncLimit=5
maxClientCnxns=0
leaderServes=yes
autopurge.snapRetainCount=10
autopurge.purgeInterval=24
standaloneEnabled=false
admin.enableServer=false
reconfigEnabled=true
audit.enable=true
quorumListenOnAllIPs=true
4lw.commands.whitelist=*
dynamicConfigFile=/conf/zoo.cfg.dynamic

# only after upgrade, until you have at least one snapshot on each ZK server
snapshot.trust.empty=true

# quorum SSL
sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=<keystore file used for Quorum SSL>
ssl.quorum.keyStore.password=<keystore password used for Quorum SSL>
ssl.quorum.trustStore.location=<truststore file used for Quorum SSL>
ssl.quorum.trustStore.password=<truststore password used for Quorum SSL>

# client SSL
secureClientPort=2181
clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
ssl.keyStore.location=<server-side keystore file used for Client SSL>
ssl.keyStore.password=<server-side keystore password used for Client SSL>
ssl.trustStore.location=<server-side truststore file used for Client SSL>
ssl.trustStore.password=<server-side truststore password used for Client SSL>
------- end of zoo.cfg -----

and:

------- zoo.cfg.dynamic starts here -----
server.1=zoo1:2888:3888:participant
server.2=zoo2:2888:3888:participant
server.3=zoo3:2888:3888:participant
------- end of zoo.cfg.dynamic -----

If the above config doesn't work and the cluster cannot come up, then I would assume the problem is related to your keystore / truststore files. Or something else. Maybe debug logs would help to figure out what the problem is.

1) please try again with some extra debug logging by setting the following environment variables before starting zkServer.sh:

export ZOO_LOG4J_PROP="DEBUG,CONSOLE,ROLLINGFILE"
export SERVER_JVMFLAGS="$SERVER_JVMFLAGS -Dzookeeper.log.threshold=DEBUG -Dzookeeper.console.threshold=DEBUG"

(optionally, if you want to specify where ZooKeeper should print its logs:
export ZOO_LOG_DIR="/var/logs/zookeeper" )

2) please create a Jira ticket ( https://issues.apache.org/jira/projects/ZOOKEEPER/ ) where you attach:
- zoo.cfg
- zoo.cfg.dynamic
- the debug logs for all your ZooKeeper servers

3) please ping me (@symat) on the ticket and I will check the debug logs.

Kind regards,
Mate

On Fri, May 15, 2020 at 2:44 AM blb.dev <bla.ibm....@gmail.com> wrote:

> Ashish, thank you for detailing why you chose that parameter! You're right
> we wouldn't need that in our config.
>
> Anyone else have any ideas why my zookeeper quorum is not starting up with
> this configuration? I am unfortunately still blocked as it will not start
> up.
>
> I need to configure encrypted quorum and client communication (and also
> accept non ssl client communications while clients update) - guidance on
> how to change my config params to help with the startup?
>
> --
> Sent from: http://zookeeper-user.578899.n2.nabble.com/
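
A pre-start check for the zoo.cfg / zoo.cfg.dynamic pair in the message above, as an added example that is not part of the original e-mail or of ZooKeeper itself: it flags unfilled keystore/truststore placeholders and any remaining plaintext client port. The function names and sample input are constructed here, and it assumes serverCnxnFactory is set in zoo.cfg (as in the message) rather than through a JVM flag.

```python
import os
import re

NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
STORE_KEYS = ("keyStore.location", "keyStore.password",
              "trustStore.location", "trustStore.password")

def parse_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint(static_text, dynamic_text, check_files=False):
    """Return findings for a setup meant to use quorum TLS and client TLS only."""
    cfg, findings, prefixes = parse_props(static_text), [], []
    if cfg.get("sslQuorum", "false").lower() == "true":
        prefixes.append("ssl.quorum.")
    else:
        findings.append("sslQuorum is not true: quorum traffic is plaintext")
    if "secureClientPort" in cfg:
        prefixes.append("ssl.")
        if cfg.get("serverCnxnFactory") != NETTY:
            findings.append("secureClientPort set but serverCnxnFactory is not " + NETTY)
    else:
        findings.append("secureClientPort missing: no TLS client listener")
    if "clientPort" in cfg:
        findings.append("clientPort=%s opens a plaintext client port" % cfg["clientPort"])
    for prefix in prefixes:
        for suffix in STORE_KEYS:
            key, value = prefix + suffix, cfg.get(prefix + suffix, "")
            if not value or re.fullmatch(r"<.*>", value):
                findings.append(key + " is unset or still a placeholder")
            elif check_files and suffix.endswith("location") and not os.path.isfile(value):
                findings.append(key + " points to a missing file: " + value)
    # Dynamic config: 'server.N=host:p1:p2[:role];[addr:]port' adds a plaintext client port.
    for key, value in parse_props(dynamic_text).items():
        if key.startswith("server.") and ";" in value:
            findings.append(key + " declares plaintext client port " + value.split(";", 1)[1])
    return findings

# Constructed sample input (not taken from the thread).
SAMPLE_STATIC = ("sslQuorum=true\nclientPort=2181\nsecureClientPort=2281\n"
                 "ssl.quorum.keyStore.location=<keystore file>\n")
SAMPLE_DYNAMIC = "server.1=zoo1:2888:3888:participant;2181\n"
```

Run it with `check_files=True` on the ZooKeeper host itself so the keystore and truststore paths are also checked for existence.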