Open TheBestOrNothing opened 1 year ago
But I am sure that the keystore password was correct.
What happened when upgrading Java from 8 to 17.
The keystore was generated in the following way, and the default type of keystore should be JKS, but BouncyCastleProvider read the keystore as PKCS12 type. So I guess the type of the keystore and truststore should be assigned explicitly.
keytool -keystore client.keystore.jks -alias client -certreq -file client-cert-file \
-storepass client-keystore-pass
So, two steps to fix the issue. Step 1: generate the keystore and truststore with PKCS12 type and BouncyCastleProvider. Please see the detailed info in ssl/generator.sh. Step 2: add ssl.keystore.type and the other properties to the Kafka consumer. Please see the detailed info in example/consumer/bob.java.
# Generate the client key pair in a PKCS12-format keystore through the BouncyCastle provider
keytool -keystore client.keystore.jks -keyalg RSA -validity 365 \
-genkey -dname "CN=ubuntu" \
-alias client -storepass client-keystore-pass -storetype PKCS12 \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider \
-providerPath ./bcprov-jdk18on-1.76.jar
# Create a certificate signing request (CSR) for the client key; the signed certificate is imported back below
keytool -keystore client.keystore.jks -alias client -certreq -file client-cert-file \
-storepass client-keystore-pass -storetype PKCS12 \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider \
-providerPath ./bcprov-jdk18on-1.76.jar
# Sign it with the CA
openssl x509 -req -CA ca-cert -CAkey ca-key -in client-cert-file -out client-cert-signed \
-days 365 -CAcreateserial -passin pass:ca-key-pass \
-extfile server.config
# Import both the certificate of the CA and the signed client certificate into the client keystore
keytool -keystore client.keystore.jks -alias CARoot -importcert -file ca-cert \
-storepass client-keystore-pass -storetype PKCS12 -trustcacerts -noprompt \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider \
-providerPath ./bcprov-jdk18on-1.76.jar
keytool -keystore client.keystore.jks -alias client -importcert -file client-cert-signed \
-storepass client-keystore-pass -storetype PKCS12 -trustcacerts -noprompt \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider \
-providerPath ./bcprov-jdk18on-1.76.jar
// Kafka's security.providers (KIP-492) takes class names that implement
// org.apache.kafka.common.security.auth.SecurityProviderCreator, each returning a
// java.security.Provider, rather than the Provider class itself.
p.setProperty("security.providers", "org.bouncycastle.jce.provider.BouncyCastleProvider");
p.setProperty("ssl.keymanager.algorithm", "PKIX");
p.setProperty("ssl.trustmanager.algorithm", "PKIX");
// Match the on-disk format: keytool on JDK 9+ writes PKCS12 by default even for a .jks
// file name, while Kafka's ssl.keystore.type and ssl.truststore.type default to JKS.
p.setProperty("ssl.keystore.type", "PKCS12");
p.setProperty("ssl.truststore.type", "PKCS12");
p.setProperty("ssl.truststore.location", "/tmp/ssl/client.truststore.jks");
p.setProperty("ssl.truststore.password", "client-truststore-pass");
p.setProperty("ssl.keystore.location", "/tmp/ssl/client.keystore.jks");
p.setProperty("ssl.keystore.password", "client-keystore-pass");
p.setProperty("ssl.key.password", "client-keystore-pass");
// Java 17 disables TLSv1 and TLSv1.1 through jdk.tls.disabledAlgorithms, so only TLSv1.2
// is actually negotiated from this list; the legacy versions should be dropped.
p.setProperty("ssl.enabled.protocols", "TLSv1.2,TLSv1.1,TLSv1");
// ssl.client.auth is a broker-side setting; a consumer does not use it.
p.setProperty("ssl.client.auth", "required");
Exception in thread "main" org.apache.kafka.common.KafkaException: Failed to construct kafka consumer
at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:830)
at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:666)
at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:647)
at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:627)
at io.strimzi.examples.consumer.Bob.main(Bob.java:123)
Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /tmp/ssl/client.keystore.jks of type JKS
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:184)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:81)
at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:105)
at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:738)
... 4 more
Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /tmp/ssl/client.keystore.jks of type JKS
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:375)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.<init>(DefaultSslEngineFactory.java:347)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.createKeystore(DefaultSslEngineFactory.java:297)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.configure(DefaultSslEngineFactory.java:161)
at org.apache.kafka.common.security.ssl.SslFactory.instantiateSslEngineFactory(SslFactory.java:140)
at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:97)
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:180)
... 8 more
Caused by: java.io.IOException: keystore password was incorrect
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:242)
at java.base/java.security.KeyStore.load(KeyStore.java:1473)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:372)
... 14 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 18 more
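The mismatch behind this trace, a file named .jks that is really PKCS#12 (keytool on JDK 9 and later writes PKCS12 by default whatever the file name) loaded by a Kafka client whose ssl.keystore.type still defaults to JKS, can be caught before the consumer is constructed by looking at the store's first bytes. The script below is an added example in Python, not code from this issue, the Strimzi examples or Kafka; the format markers are the JDK's own (JKS magic 0xFEEDFEED, JCEKS magic 0xCECECECE, PKCS#12 as a DER SEQUENCE opening with INTEGER version 3), the property names are Kafka's, and the sample store headers are constructed inline so it runs offline.

```python
"""Classify a Java keystore file by its on-disk format and check it against the
ssl.keystore.type / ssl.truststore.type a Kafka client is configured with.

Added example for this issue, not code from the Kafka or Strimzi projects.
The format markers are the JDK's own: a JKS store begins with the magic
0xFEEDFEED, a JCEKS store with 0xCECECECE, and a PKCS#12 store is a DER
SEQUENCE whose first element is the INTEGER version 3 (RFC 7292, PFX).
The headers in SAMPLE_STORES are constructed inline so the script runs
offline; in practice read the first 16 bytes of the real file.
"""
from __future__ import annotations

from typing import Optional

JKS_MAGIC = b"\xfe\xed\xfe\xed"
JCEKS_MAGIC = b"\xce\xce\xce\xce"


def _der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: the byte is the length
        return first, pos + 1
    nbytes = first & 0x7F                 # long form: number of length bytes that follow
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def keystore_type(header: bytes) -> str:
    """Return 'JKS', 'JCEKS', 'PKCS12' or 'UNKNOWN' from the first bytes of a store."""
    if header.startswith(JKS_MAGIC):
        return "JKS"
    if header.startswith(JCEKS_MAGIC):
        return "JCEKS"
    # PFX ::= SEQUENCE { version INTEGER (v3), authSafe ContentInfo, macData OPTIONAL }
    if header and header[0] == 0x30:
        try:
            _, pos = _der_length(header, 1)
        except (ValueError, IndexError):
            return "UNKNOWN"
        if header[pos:pos + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "UNKNOWN"


def keystore_type_of_file(path: str) -> str:
    """Classify a store on disk; only the first 16 bytes are needed."""
    with open(path, "rb") as fh:
        return keystore_type(fh.read(16))


def check_store_config(prop: str, configured_type: str, header: bytes) -> Optional[str]:
    """Compare the type a Kafka ssl.*.type property is set to with the file's real
    format.  Return None when they agree, otherwise the setting to apply."""
    actual = keystore_type(header)
    if actual == "UNKNOWN":
        return f"{prop}: file is not a JKS, JCEKS or PKCS12 store (or is truncated)"
    if actual == configured_type.upper():
        return None
    return f"{prop}: configured {configured_type} but the file is {actual}; set {prop}={actual}"


# Constructed sample headers (first bytes only), not real stores from the issue.
SAMPLE_STORES = {
    # JKS magic, version 2, one entry: what a JDK 8 keytool writes
    "jdk8.keystore.jks": b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x01",
    # PKCS#12 written by a JDK 9+ keytool despite the .jks name: SEQUENCE with
    # long-form length 0x0a3f, INTEGER 3, then the authSafe SEQUENCE begins
    "jdk17.keystore.jks": b"\x30\x82\x0a\x3f\x02\x01\x03\x30\x82\x0a\x05\x06\x09",
    "client.truststore.jks": b"\x30\x82\x03\x21\x02\x01\x03\x30\x82\x02\xe7\x06\x09",
}


def audit(configured: dict[str, str]) -> list[str]:
    """Run the check over SAMPLE_STORES for a Kafka client configuration given as
    property name -> configured type (missing properties use Kafka's JKS default)."""
    findings = []
    for name, header in SAMPLE_STORES.items():
        prop = "ssl.truststore.type" if "truststore" in name else "ssl.keystore.type"
        finding = check_store_config(prop, configured.get(prop, "JKS"), header)
        if finding is not None:
            findings.append(f"{name}: {finding}")
    return findings


if __name__ == "__main__":
    # An empty config reproduces the issue: both properties fall back to JKS.
    for line in audit({}) or ["all stores match their configured type"]:
        print(line)
```

Run it against a real file with keystore_type_of_file("/tmp/ssl/client.keystore.jks"); a result of PKCS12 for a store the client loads as JKS is exactly the case fixed by setting ssl.keystore.type=PKCS12 above, and the same check applies to the truststore.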