问题:

Spring Boot app connecting to Kafka with SSL

许俊贤
2023-03-14

I have a simple Spring Boot application and a Kafka with a working SSL connection (other applications, not Spring Boot, connect to it successfully). I have no access to the Kafka broker's properties. My app is a Kafka client. The app runs in a container inside Kubernetes. My Spring Boot app has access to the keystore.p12, ca-cert, kafka.pem and kafka.key files (they are in a directory inside the container).

In the configuration I use

spring.kafka.security.protocol=SSL
spring.kafka.ssl.protocol=SSL
spring.kafka.ssl.key-store-type=PKCS12
spring.kafka.ssl.key-store-location=file:///path/to/keystore.p12
spring.kafka.ssl.key-store-password=password
spring.kafka.ssl.trust-store-type=PKCS12
spring.kafka.ssl.trust-store-location=file:///path/to/keystore.p12 (it's the same file, and I think it's incorrect)
spring.kafka.ssl.trust-store-password=password

spring.kafka.properties.ssl.endpoint.identification.algorithm=
spring.kafka.enable.ssl.certificate.verification=false

Every time I get the error

org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:349) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:287) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:551) [kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1389) [kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1320) [kafka-clients-3.0.0.jar!/:?]
    at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:551) [kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1389) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1320) ~[kafka-clients-3.0.0.jar!/:?]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
    at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:551) [kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1389) ~[kafka-clients-3.0.0.jar!/:?]
    at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1320) ~[kafka-clients-3.0.0.jar!/:?]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]

I tried different variations: keystore only, truststore only, removing the last two properties from the config (endpoint.identification.algorithm and certificate.verification). Should I try creating a truststore and importing the certificates inside the container? I don't know the correct approach. What is the correct configuration and the correct way to use the certificates I have?

1 Answer

杨雪松
2023-03-14

The problem is the wrong property syntax. The correct way is

spring.kafka.properties.ssl.keystore.type=PKCS12
spring.kafka.properties.ssl.keystore.location=/path/to/keystore.p12
spring.kafka.properties.ssl.keystore.password=password
spring.kafka.properties.ssl.truststore.type=PKCS12
spring.kafka.properties.ssl.truststore.location=/path/to/keystore.p12 (it's the same file, it's correct!!)
spring.kafka.properties.ssl.truststore.password=password 

Yes, using the same p12 file for the keystore and the truststore is perfectly acceptable.
