
I have Kafka docker running with SSL with the following

```yaml
version: '2'
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:6.2.0
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000
    ports:
      - 2181:2181
    volumes:
      - ./data/zookeeper/data:/data
      - ./data/zookeeper/datalog:/datalog
  kafka:
    image: confluentinc/cp-kafka:6.2.0
    depends_on:
      - zookeeper
    ports:
      - 9093:9093
      - 9092:9092
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://localhost:19092,SSL://localhost:9093
      KAFKA_SSL_CLIENT_AUTH: 'required'
      KAFKA_SSL_KEYSTORE_FILENAME: 'certs/server.keystore.jks'
      KAFKA_SSL_KEYSTORE_CREDENTIALS: 'certs/kafka_keystore_credentials'
      KAFKA_SSL_KEY_CREDENTIALS: 'certs/kafka_sslkey_credentials'
      KAFKA_SSL_TRUSTSTORE_FILENAME: 'certs/server.truststore.jks'
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: 'certs/kafka_truststore_credentials'
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'true'
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
    volumes:
      - ./certs:/etc/kafka/secrets/certs
      - ./data/kafka1/data:/var/lib/kafka/data
```

And SpringBoot application.yml has

```yaml
server:
  port: 8888
spring:
  kafka:
    consumer:
      security:
        protocol: "SSL"
      bootstrap-servers: localhost:9093
      group-id: group-tenant2-id
      auto-offset-reset: earliest
      key-deserializer: org.apache.kafka.common.serialization.StringDeserializer
      value-deserializer: org.apache.kafka.common.serialization.StringDeserializer
      ssl:
        trust-store-location: classpath:client.truststore.jks
        trust-store-password: test123
    producer:
      security:
        protocol: "SSL"
      bootstrap-servers: localhost:9093
      key-serializer: org.apache.kafka.common.serialization.StringSerializer
      value-serializer: org.apache.kafka.common.serialization.StringSerializer
      ssl:
        trust-store-location: classpath:client.truststore.jks
        trust-store-password: test123
```

But then I am unable to connect from SpringBoot, with the following error:

```
org.apache.kafka.common.errors.SslAuthenticationException: Failed to process post-handshake messages
Caused by: javax.net.ssl.SSLException: Tag mismatch!
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:313) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) ~[na:na]
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:123) ~[na:na]
	at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[na:na]
	at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[na:na]
	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[na:na]
	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[na:na]
	at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[na:na]
	at org.apache.kafka.common.network.SslTransportLayer.read(SslTransportLayer.java:569) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.common.network.NetworkReceive.readFrom(NetworkReceive.java:95) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.common.network.KafkaChannel.receive(KafkaChannel.java:452) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.common.network.KafkaChannel.read(KafkaChannel.java:402) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.common.network.Selector.attemptRead(Selector.java:674) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:576) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:560) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:265) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:236) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:215) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:246) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.coordinatorUnknownAndUnready(ConsumerCoordinator.java:459) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:487) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1262) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1231) ~[kafka-clients-3.1.1.jar:na]
	at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1211) ~[kafka-clients-3.1.1.jar:na]
	at org.springframework.kafka.listener.KafkaMessageListenerContainer$ListenerConsumer.pollConsumer(KafkaMessageListenerContainer.java:1529) ~[spring-kafka-2.8.8.jar:2.8.8]
	at org.springframework.kafka.listener.KafkaMessageListenerContainer$ListenerConsumer.doPoll(KafkaMessageListenerContainer.java:1519) ~[spring-kafka-2.8.8.jar:2.8.8]
	at org.springframework.kafka.listener.KafkaMessageListenerContainer$ListenerConsumer.pollAndInvoke(KafkaMessageListenerContainer.java:1343) ~[spring-kafka-2.8.8.jar:2.8.8]
	at org.springframework.kafka.listener.KafkaMessageListenerContainer$ListenerConsumer.run(KafkaMessageListenerContainer.java:1255) ~[spring-kafka-2.8.8.jar:2.8.8]
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) ~[na:na]
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
```

Connecting to Kafka using SSL from Offset Explorer was fine.

  • Where is the spring boot application running? in your host or in the same docker network? Commented Jul 22, 2022 at 6:12
  • It is from my local computer. Docker is also local Commented Jul 22, 2022 at 10:05
  • I'm not familiar with configuring Kafka with SSL, but one thing you should at least do is change the mapped port in the docker-compose from 9092 to 9093 which is where the SSL connection is listening. Then if your app is running in your host and connecting to localhost:9093 it will at least hit the Kafka broker Commented Jul 22, 2022 at 10:28
  • Yes, you are correct. After exposing port 9093, I am hitting another error. Caused by: javax.net.ssl.SSLException: Tag mismatch! Commented Jul 22, 2022 at 10:53

1 Answer


For some reason, I need to add the key-store details to the client SpringBoot application:

```yaml
server:
  port: 8888
spring:
  kafka:
    consumer:
      security:
        protocol: "SSL"
      bootstrap-servers: localhost:9093
      group-id: group-tenant2-id
      auto-offset-reset: earliest
      key-deserializer: org.apache.kafka.common.serialization.StringDeserializer
      value-deserializer: org.apache.kafka.common.serialization.StringDeserializer
      ssl:
        trust-store-location: classpath:client.truststore.jks
        trust-store-password: test123
        key-password: key123
        key-store-location: classpath:client.keystore.jks
        key-store-password: test123
    producer:
      security:
        protocol: "SSL"
      bootstrap-servers: localhost:9093
      key-serializer: org.apache.kafka.common.serialization.StringSerializer
      value-serializer: org.apache.kafka.common.serialization.StringSerializer
      ssl:
        trust-store-location: classpath:client.truststore.jks
        trust-store-password: test123
        key-password: key123
        key-store-location: classpath:client.keystore.jks
        key-store-password: test123
```
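The reason the key store is needed is visible in the broker config: `KAFKA_SSL_CLIENT_AUTH: 'required'` sets Kafka's `ssl.client.auth=required`, so the SSL listener is mutual TLS and the broker closes any connection whose peer does not present a certificate it trusts. A client that only carries a truststore can verify the broker but cannot identify itself, which is why the handshake fails after it appears to complete. The script below is an added example, not part of the question or the answer: it builds, with a private test CA, the four JKS files both sides reference (`server.keystore.jks`, `server.truststore.jks`, `client.keystore.jks`, `client.truststore.jks`) plus the three credential files the cp-kafka image reads, using only `keytool` from a JDK. The store password `test123` and client key password `key123` are the values from the thread; the CA subject, the client CN, the aliases, the CA password and the 365-day validity are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the question or answer): generate matching mTLS
# material for the broker and the Spring client with keytool only.
# Assumptions: keytool on PATH; passwords test123/key123 and the file names
# come from the thread; CA subject, client CN, aliases, CA_PASS and VALIDITY
# are constructed here.
set -eu

STORE_PASS=test123        # from the question (key stores and trust stores)
CLIENT_KEY_PASS=key123    # from the answer (spring.kafka.*.ssl.key-password)
CA_PASS=ca-test-pass      # constructed; only used locally for ca.jks
VALIDITY=365              # days, constructed
SERVER_SAN='san=dns:localhost,ip:127.0.0.1'  # must match SSL://localhost:9093

have_keytool() { command -v keytool >/dev/null 2>&1; }

# Create a key pair in its own JKS, get it signed by the test CA and install the
# chain. The CA cert is imported into the keystore first so keytool can validate
# the certificate reply.   $1 alias  $2 keystore  $3 key password  $4 CN
#                          $5 extended key usage  $6 work dir
issue_entry() {
  entry=$1; ks=$2; keypass=$3; cn=$4; eku=$5; dir=$6
  keytool -genkeypair -alias "$entry" -keyalg RSA -keysize 2048 -validity "$VALIDITY" \
    -dname "CN=$cn" -storetype JKS -keystore "$ks" -storepass "$STORE_PASS" -keypass "$keypass"
  keytool -certreq -alias "$entry" -keystore "$ks" -storepass "$STORE_PASS" \
    -keypass "$keypass" -file "$dir/$entry.csr"
  # Only the broker certificate needs a SAN; the client is identified by CN.
  san_ext=''
  if [ "$eku" = serverAuth ]; then san_ext="-ext $SERVER_SAN"; fi
  # shellcheck disable=SC2086  (san_ext intentionally unquoted: it is 0 or 2 words)
  keytool -gencert -alias ca -keystore "$dir/ca.jks" -storepass "$CA_PASS" -keypass "$CA_PASS" \
    -infile "$dir/$entry.csr" -outfile "$dir/$entry.crt" -rfc -validity "$VALIDITY" \
    -ext ku:c=digitalSignature,keyEncipherment -ext "eku=$eku" $san_ext
  keytool -importcert -alias ca -file "$dir/ca.pem" -keystore "$ks" \
    -storepass "$STORE_PASS" -noprompt
  keytool -importcert -alias "$entry" -file "$dir/$entry.crt" -keystore "$ks" \
    -storepass "$STORE_PASS" -keypass "$keypass" -noprompt
}

make_kafka_mtls_material() {   # $1 = output directory (e.g. ./certs)
  dir=$1
  mkdir -p "$dir"
  # 1. Private CA: the single trust anchor for both sides.
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity "$VALIDITY" \
    -dname "CN=Local Kafka Test CA" -ext bc:c -ext ku:c=keyCertSign,cRLSign \
    -storetype JKS -keystore "$dir/ca.jks" -storepass "$CA_PASS" -keypass "$CA_PASS"
  keytool -exportcert -alias ca -keystore "$dir/ca.jks" -storepass "$CA_PASS" \
    -rfc -file "$dir/ca.pem"
  # 2. Broker identity; CN/SAN must match the host in the advertised SSL listener.
  issue_entry server "$dir/server.keystore.jks" "$STORE_PASS" localhost serverAuth "$dir"
  # 3. Client identity, presented because the broker sets ssl.client.auth=required.
  issue_entry client "$dir/client.keystore.jks" "$CLIENT_KEY_PASS" spring-client clientAuth "$dir"
  # 4. Truststores: each side trusts only the test CA, not the system CA bundle.
  for side in server client; do
    keytool -importcert -alias ca -file "$dir/ca.pem" -storetype JKS \
      -keystore "$dir/$side.truststore.jks" -storepass "$STORE_PASS" -noprompt
  done
  # 5. Password files named in the docker-compose; cp-kafka reads them at start.
  printf '%s' "$STORE_PASS" > "$dir/kafka_keystore_credentials"
  printf '%s' "$STORE_PASS" > "$dir/kafka_sslkey_credentials"
  printf '%s' "$STORE_PASS" > "$dir/kafka_truststore_credentials"
  rm -f "$dir"/*.csr
}

# Checks that the client keystore holds a private-key entry (what the Spring
# client presents) and that the broker entry carries the 2-certificate chain.
verify_material() {   # $1 = directory written by make_kafka_mtls_material
  keytool -list -keystore "$1/client.keystore.jks" -storepass "$STORE_PASS" \
    -alias client | grep -q PrivateKeyEntry
  keytool -list -v -keystore "$1/server.keystore.jks" -storepass "$STORE_PASS" \
    -alias server | grep -q 'Certificate chain length: 2'
}

if [ $# -gt 0 ]; then
  make_kafka_mtls_material "$1"
  verify_material "$1" && echo "mTLS material written to $1"
fi
```

Run it as `sh make-kafka-mtls.sh ./certs`: the `server.*` files and credential files land in the directory the compose file mounts at `/etc/kafka/secrets/certs`, and `client.keystore.jks` / `client.truststore.jks` go into the Spring application's classpath. Two checks worth knowing when this still fails: the Kafka client verifies the broker hostname by default (`ssl.endpoint.identification.algorithm=https` since Kafka 2.0), so the server certificate's SAN has to cover the host in `KAFKA_ADVERTISED_LISTENERS`; and with `ssl.client.auth=required` the broker refuses a client that presents no certificate at all, whereas `requested` would let a keystore-less client through, which is the weaker setting to avoid if client identity is meant to be enforced.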