Spring Kafka handshake fails with no X.509 client authentication certificate, but I have one in my keystore

Posted 2025-02-11 04:53:00 · 2980 characters · 1 view · 0 comments

I have a situation that I can't figure out.
I'm running a Spring Boot app in K8s and trying to consume from a Kafka topic using Spring Kafka within my company, and I have to use SSL authentication.

I have mounted my trust & keystores in the pod, and when I use keytool I can see the full chain of certificates in there:

Alias name: 4f6b4855-0f06-4202-8531-cf0c8fbc6611
Creation date: Jun 28, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: C=xx, O=xxxx, CN=xxxxxx
Issuer: C=xx, L=xxx, O=xxxxxxxx, OU=xxxxxx, CN=xxxxxxx
Serial number: 7fbee1f1fb4c0721
Valid from: Thu Jun 23 08:34:51 GMT 2022 until: Fri Jun 23 08:34:51 GMT 2023
Certificate fingerprints:
         SHA1: 6A:27:FF:57:2B:5B:16:97:CA:7C:3B:CE:9D:E3:43:AF:B9:66:EC:AB
         SHA256: AD:96:34:4E:BD:BE:83:B8:5D:09:84:63:55:F0:E6:8A:15:CF:7A:35:6C:36:77:BF:FE:8B:68:A0:BE:61:7E:6B
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
......

My properties (yes, it's a PKCS12 keystore, but with a .jks extension):

spring.kafka.ssl.trust-store-location=file:/mnt/ssl/truststore.jks
spring.kafka.ssl.trust-store-password=changeit
spring.kafka.ssl.trust-store-type=PKCS12
spring.kafka.ssl.key-store-location=file:/mnt/ssl/keystore.jks
spring.kafka.ssl.key-store-password=changeit
spring.kafka.ssl.key-store-type=PKCS12

When my consumer starts, however, I get a handshake exception, and from the look of it it's because it cannot provide the client certificate. Here's the certificate request (the certificate above is signed by the same CA as the one mentioned in the request):

javax.net.ssl|DEBUG|23|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2022-06-28 16:34:01.595 CEST|CertificateRequest.java:692|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
  "supported signature algorithms": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [C=xxxx, L=xxxxxx, O=xxxxxxx, OU=Axxxxx, CN=xxxxxx]
}

Yet this is the output:

javax.net.ssl|ALL|23|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2022-06-29 12:14:54.831 CEST|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|23|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2022-06-29 12:14:54.831 CEST|CertificateRequest.java:809|Unavailable authentication scheme: rsa_pkcs1_sha256

.............

javax.net.ssl|DEBUG|23|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2022-06-28 16:34:01.618 CEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|23|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2022-06-28 16:34:01.619 CEST|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": <empty list>
)

I have to be missing something here that is not OK in the certificate, but I can't figure out what. If anyone has any clue, I would love to hear it.
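The log lines above ("No X.509 cert selected for RSA", then an empty Certificate message) are emitted when the JDK's X509KeyManager, asked for an RSA key issued by one of the CAs named in the CertificateRequest, returns no alias. The following diagnostic is an added example, not code from the question or from Spring Kafka; it loads the keystore with the same parameters as the properties above and walks through the checks the JDK's default (SunX509) key manager performs, printing which one rejects each entry, then asks the real KeyManagerFactory the same question the handshake asks. The keystore path, the password and the CA DN string are placeholders (the DN must be pasted exactly as printed under "certificate authorities" in the JSSE log); the program uses only the JDK standard library.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

public class ClientCertSelectionCheck {

    // Reproduces the selection the JDK's default (SunX509) key manager performs when the
    // broker's CertificateRequest arrives: key type "RSA" (rsa_sign) plus the CA names listed.
    public static void main(String[] args) throws Exception {
        // Assumed: same path and password as the spring.kafka.ssl.key-store-* properties.
        String keystorePath = args.length > 0 ? args[0] : "/mnt/ssl/keystore.jks";
        char[] storePassword = (args.length > 1 ? args[1] : "changeit").toCharArray();
        // Placeholder DN: paste the entry printed under "certificate authorities" in the JSSE log.
        String caFromRequest = args.length > 2 ? args[2] : "CN=xxxxxx, OU=Axxxxx, O=xxxxxxx, L=xxxxxx, C=xxxx";
        X500Principal[] issuers = { new X500Principal(caFromRequest) };

        // The configured store type, not the file extension, decides which parser is used.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePassword);
        }

        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            System.out.println("alias " + alias);
            if (!ks.isKeyEntry(alias)) {
                System.out.println("  skip: trustedCertEntry, carries no private key");
                continue;
            }
            try {
                // Kafka initializes the key manager with ssl.key.password when set, otherwise
                // the store password; a key protected by a different password is unusable.
                ks.getKey(alias, storePassword);
            } catch (UnrecoverableKeyException e) {
                System.out.println("  FAIL: private key needs a different password (set spring.kafka.ssl.key-password)");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println("  FAIL: key has no certificate chain attached");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            String keyAlg = leaf.getPublicKey().getAlgorithm();
            System.out.println("  key type: " + keyAlg
                    + ("RSA".equals(keyAlg) ? "" : "  <-- broker asked for rsa_sign, entry is ignored"));

            // SunX509 accepts the alias if ANY certificate in the chain was issued by a listed CA;
            // X500Principal.equals compares canonical DNs, so RDN order and spelling must match.
            boolean issuerHit = false;
            for (Certificate c : chain) {
                X500Principal issuer = ((X509Certificate) c).getIssuerX500Principal();
                boolean hit = false;
                for (X500Principal p : issuers) {
                    hit |= p.equals(issuer);
                }
                issuerHit |= hit;
                System.out.println("  issuer: " + issuer.getName(X500Principal.RFC2253)
                        + (hit ? "  [listed in CertificateRequest]" : ""));
            }
            if (!issuerHit) {
                System.out.println("  FAIL: no issuer in the chain matches the broker's CA list");
            }
            // SunX509 does not check validity, but the broker will when it verifies the chain.
            Date now = new Date();
            if (now.before(leaf.getNotBefore()) || now.after(leaf.getNotAfter())) {
                System.out.println("  WARN: leaf certificate is outside its validity period");
            }
        }

        // Finally ask the JDK's own key manager, exactly as the Kafka client does.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, storePassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                String chosen = ((X509KeyManager) km).chooseClientAlias(new String[] {"RSA"}, issuers, null);
                System.out.println("chooseClientAlias(RSA, broker CAs) -> " + chosen
                        + (chosen == null ? "  (this is the 'No X.509 cert selected for RSA' case)" : ""));
            }
        }
    }
}
```

Run it inside the pod with the same JDK the application uses (`java ClientCertSelectionCheck.java /mnt/ssl/keystore.jks changeit "<DN from log>"`). If the last line prints null while every per-alias check passes, compare the Kafka client's effective ssl.keystore.* settings (printed at startup under ConsumerConfig values) with what this program was given; if one of the per-alias checks fails, that check names the property or certificate field to fix.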


Comments (1)

乞讨 2025-02-18 04:53:00

Try removing the key-store type parameter and altering your parameters to something similar to:

kafka.security.protocol=SSL
kafka.ssl.truststore.location=dir/xxxxx.jks
kafka.ssl.truststore.password=Password
kafka.ssl.keystore.location=dir/xxxxx.jks
kafka.ssl.keystore.password=Password
kafka.ssl.key.password=Password
kafka.ssl.enabled=true

Also, make sure your Kafka server is running on SSL.

Once you start the broker, you should be able to see something like this in the server.log: with addresses: PLAINTEXT -> EndPoint(192.168.64.1,9092,PLAINTEXT), SSL -> EndPoint(192.168.64.1,9093,SSL)

  • To quickly check whether the server keystore and truststore are set up properly, you can run the following command:

    openssl s_client -debug -connect localhost:9093 -tls1
