How to use Kafka with TLS peer verification turned off
I'm testing Kafka cluster creation using Let's Encrypt staging certs. After creating, on my machine, I run the Kafka-provided kafka-console-consumer.sh and kafka-console-producer.sh scripts. When I ran with Let's Encrypt production, it worked fine. But now that I'm using staging certs, I get this when I run the producer:

ERROR [Producer clientId=console-producer] Connection to node -1 (2.kafka.mysite.com/10.1.17.191:9092) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

I use these properties for producer script:

sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka" password="secret";
security.protocol=SASL_SSL
sasl.mechanism=PLAIN

I'd like to give the option to ignore TLS, and I'd like it to be some parameter I can toggle (on the cluster or on the client) to allow it. How can I achieve this? For anyone familiar with RabbitMQ, I think it's similar to VERIFY_PEER=false, aka VERIFY_NONE.

Argot answered 17/6, 2019 at 22:35

Comments:
Just curious, does your TLS-enabled listener still use port 9092, as shown in your message Connection to node -1 (2.kafka.mysite.com/10.1.17.191:9092...? Also, what Kafka version are you on? (Affiliate)

@Affiliate Yes, the server config has listeners: "SASL_SSL://0.0.0.0:9092" and also ssl.endpoint.identification.algorithm: "". Kafka version = 2.2.0 (Argot)

So I assume you saw #52590851. What happens if you leave it blank after ssl.endpoint.identification.algorithm: (remove "")? (Affiliate)

Sorry for posting it like that: it is indeed a blank string in the final configuration. That's just how I have it set up with Ansible, but once it gets put into the configuration via a template, it is an empty string. @Affiliate (Argot)

Have you tried testing the connection using something like openssl s_client -showcerts -debug -connect <host:port>? (Affiliate)

Yeah, and I see that issuer=/CN=Fake LE Intermediate X1. So I expect that. I'd like to know how to configure Kafka to not worry about certs, but still use encryption in transit. (Argot)

The Kafka configuration has the setting

ssl.client.auth

Its value can be set to required, requested or none. You could set it to requested. This means client authentication is optional. Unlike requested, if this option is set the client can choose not to provide authentication information about itself.

https://docs.confluent.io/current/installation/configuration/broker-configs.html

Courtnay answered 18/6, 2019 at 4:8

Comments:
Thank you for your response! I have already tried setting ssl.client.auth=none and that did not change the issue. I have also tried using PLAIN/PLAINTEXT for these fields: advertised.listeners, listeners, inter.broker.listener.name, sasl.enabled.mechanisms, and sasl.mechanism.inter.broker.protocol. (Argot)

That changed my error to: WARN [Producer clientId=console-producer] Connection to node -1 (2.kafka.mysite.com/10.1.2.3:9092) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue. (org.apache.kafka.clients.NetworkClient) I'm positive the error isn't from #2 or #3, and even though I disabled it, I know I'm sending the right username/password. (Argot)

@Argot Did you find any remedy for this warning? (Dubbing)

I have the same issue. How did you solve it? (Thievery)
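The ssl.client.auth setting discussed in this answer decides whether the broker demands a certificate from the client; the handshake failure in the question is the client rejecting the broker's certificate, which is governed by the client's truststore and hostname-verification settings. Added example, not code from the thread: a small linter over a Kafka client properties file that flags the settings discussed here (an empty ssl.endpoint.identification.algorithm, the PLAINTEXT fallback, a missing truststore); the sample properties are constructed and the parser assumes plain key=value syntax.

```python
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines the way Kafka's config loader reads them (comments start with # or !)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")  # first '=' splits; JAAS values may contain more
        props[key.strip()] = value.strip()
    return props


def lint_client_tls(props: Dict[str, str]) -> List[str]:
    """Return one finding per setting that weakens how the client verifies the broker."""
    findings: List[str] = []
    proto = props.get("security.protocol", "PLAINTEXT")
    if not proto.endswith("SSL"):
        findings.append(f"security.protocol={proto}: no TLS; SASL/PLAIN credentials cross the network in clear")
        return findings  # the remaining checks only matter once TLS is on
    # Kafka defaults this to "https"; an explicitly empty value switches hostname verification off.
    if props.get("ssl.endpoint.identification.algorithm") == "":
        findings.append("ssl.endpoint.identification.algorithm is empty: hostname verification off, "
                        "any certificate from a trusted CA is accepted for any broker name")
    # Without a truststore only the JVM default CA set is trusted, so a staging or private CA
    # (such as 'Fake LE Intermediate X1') fails the handshake; the fix is to import that CA.
    if "ssl.truststore.location" not in props:
        findings.append("no ssl.truststore.location: only the JVM default CA set is trusted; import the "
                        "staging/private CA into a truststore instead of disabling verification")
    return findings


# Constructed sample: the producer properties from the question, TLS settings left at defaults.
QUESTION_PROPS = """
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka" password="secret";
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
"""

# Constructed sample: the PLAINTEXT variant tried in the comments above.
PLAINTEXT_PROPS = "security.protocol=SASL_PLAINTEXT\nsasl.mechanism=PLAIN\n"

if __name__ == "__main__":
    for name, text in (("question", QUESTION_PROPS), ("plaintext", PLAINTEXT_PROPS)):
        for finding in lint_client_tls(parse_properties(text)):
            print(f"[{name}] {finding}")
```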
