TheBestOrNothing / whispeer-kafka-oauth

OAuth2 support for Apache Kafka® to work with many OAuth2 authorization servers
Apache License 2.0

Failed to construct kafka consumer when running bob #2

Open TheBestOrNothing opened 1 year ago

TheBestOrNothing commented 1 year ago

Exception in thread "main" org.apache.kafka.common.KafkaException: Failed to construct kafka consumer
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:830)
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:666)
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:647)
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:627)
        at io.strimzi.examples.consumer.Bob.main(Bob.java:123)
Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /tmp/ssl/client.keystore.jks of type JKS
        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:184)
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:81)
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:105)
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:738)
        ... 4 more
Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /tmp/ssl/client.keystore.jks of type JKS
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:375)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.<init>(DefaultSslEngineFactory.java:347)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.createKeystore(DefaultSslEngineFactory.java:297)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.configure(DefaultSslEngineFactory.java:161)
        at org.apache.kafka.common.security.ssl.SslFactory.instantiateSslEngineFactory(SslFactory.java:140)
        at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:97)
        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:180)
        ... 8 more
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:242)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
        at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:372)
        ... 14 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 18 more

TheBestOrNothing commented 1 year ago

But I am sure that the keystore password was correct.

TheBestOrNothing commented 1 year ago

What happened when upgrading Java from 8 to 17.

TheBestOrNothing commented 1 year ago

The keystore was generated in the following way, and the default type of the keystore should be JKS, but BouncyCastleProvider read the keystore as PKCS12 type. So I guess the type of the keystore and truststore should be assigned explicitly.

keytool -keystore client.keystore.jks -alias client -certreq -file client-cert-file \
        -storepass client-keystore-pass
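
A quick way to confirm which container format a store file actually has, independent of its `.jks` extension and of the type Kafka was told to expect, is to look at its leading bytes: JKS and JCEKS files start with a fixed magic word, while a PKCS#12 file is a DER SEQUENCE whose first element is the integer version 3. The script below is added here as an illustration and is not part of this repository; the sample byte strings are constructed headers rather than real keystores, and the function names (`sniff_keystore_type`, `check_declared_type`) are my own.

```python
"""Sniff the on-disk format of a Java keystore from its leading bytes.

Added illustration, not project code. Useful when Kafka reports
"keystore password was incorrect" for a store whose password is known
to be right: the loader may simply be parsing the wrong container format.
"""
import struct
import sys

JKS_MAGIC = 0xFEEDFEED    # sun.security.provider.JavaKeyStore
JCEKS_MAGIC = 0xCECECECE  # com.sun.crypto.provider.JceKeyStore


def _der_length(data: bytes, pos: int):
    """Decode a DER length field at data[pos]; return (length, next_pos) or (None, pos)."""
    if pos >= len(data):
        return None, pos
    first = data[pos]
    if first < 0x80:                      # short form: single byte length
        return first, pos + 1
    num = first & 0x7F                    # long form: number of length bytes
    if num == 0 or pos + 1 + num > len(data):
        return None, pos
    return int.from_bytes(data[pos + 1:pos + 1 + num], "big"), pos + 1 + num


def sniff_keystore_type(data: bytes) -> str:
    """Return "JKS", "JCEKS", "PKCS12" or "UNKNOWN" based on the file header."""
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if magic == JKS_MAGIC and version in (1, 2):
            return "JKS"
        if magic == JCEKS_MAGIC and version in (1, 2):
            return "JCEKS"
    # PKCS#12 PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... }
    if data[:1] == b"\x30":
        length, pos = _der_length(data, 1)
        if length is not None and data[pos:pos + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "UNKNOWN"


def check_declared_type(name: str, declared: str, data: bytes) -> str:
    """Compare the configured ssl.keystore.type with what the bytes say."""
    actual = sniff_keystore_type(data)
    if actual == "UNKNOWN":
        return f"{name}: unrecognised format, not a JKS/JCEKS/PKCS12 store"
    if actual != declared.upper():
        return (f"{name}: MISMATCH, configured type is {declared} "
                f"but the file is {actual}")
    return f"{name}: ok, file is {actual}"


# Constructed sample headers (not real keystores): a JKS v2 header with zero
# entries, and the opening of a PKCS#12 PFX using a long-form DER length.
JKS_SAMPLE = bytes.fromhex("feedfeed00000002") + bytes.fromhex("00000000") + b"\x00" * 20
PKCS12_SAMPLE = b"\x30\x82\x01\x00" + b"\x02\x01\x03" + b"\x30\x82\x00\xf7" + b"\x00" * 247


if __name__ == "__main__":
    # Usage: python sniff_keystore.py /tmp/ssl/client.keystore.jks JKS
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            print(check_declared_type(sys.argv[1], sys.argv[2], fh.read(64)))
    else:
        print(check_declared_type("client.keystore.jks", "JKS", PKCS12_SAMPLE))
```

Run against the real file with the type your client is configured for; a `MISMATCH` line means the fix is to align `ssl.keystore.type` (and `ssl.truststore.type`) with the container actually on disk, or to regenerate the store with an explicit `-storetype`, rather than to hunt for a wrong password.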

TheBestOrNothing commented 1 year ago

So, two steps to fix the issue. Step 1: generate the keystore and truststore with PKCS12 type and BouncyCastleProvider. Please see the details in ssl/generator.sh. Step 2: add ssl.keystore.type and the other properties to the Kafka consumer. Please see the details in example/consumer/bob.java.

keytool -keystore client.keystore.jks -keyalg RSA -validity 365  \
        -genkey -dname "CN=ubuntu" \
        -alias client -storepass client-keystore-pass -storetype PKCS12 \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerPath ./bcprov-jdk18on-1.76.jar

# Export the certificate from the keystore
keytool -keystore client.keystore.jks -alias client -certreq -file client-cert-file \
        -storepass client-keystore-pass -storetype PKCS12 \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerPath ./bcprov-jdk18on-1.76.jar

# Sign it with the CA
openssl x509 -req -CA ca-cert -CAkey ca-key -in client-cert-file -out client-cert-signed \
        -days 365 -CAcreateserial -passin pass:ca-key-pass \
        -extfile server.config

# Import both the certificate of the CA and the signed client certificate into the client keystore
keytool -keystore client.keystore.jks -alias CARoot -importcert -file ca-cert \
        -storepass client-keystore-pass -storetype PKCS12 -trustcacerts -noprompt \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerPath ./bcprov-jdk18on-1.76.jar

keytool -keystore client.keystore.jks -alias client -importcert -file client-cert-signed \
        -storepass client-keystore-pass -storetype PKCS12 -trustcacerts -noprompt \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerPath ./bcprov-jdk18on-1.76.jar

        // Kafka consumer properties (example/consumer/bob.java)
        p.setProperty("security.providers", "org.bouncycastle.jce.provider.BouncyCastleProvider");
        p.setProperty("ssl.keymanager.algorithm", "PKIX");
        p.setProperty("ssl.trustmanager.algorithm", "PKIX");
        // Declare the store types explicitly so they match the PKCS12 files generated above
        p.setProperty("ssl.keystore.type", "PKCS12");
        p.setProperty("ssl.truststore.type", "PKCS12");

        p.setProperty("ssl.truststore.location", "/tmp/ssl/client.truststore.jks");
        p.setProperty("ssl.truststore.password", "client-truststore-pass");
        p.setProperty("ssl.keystore.location", "/tmp/ssl/client.keystore.jks");
        p.setProperty("ssl.keystore.password", "client-keystore-pass");
        p.setProperty("ssl.key.password", "client-keystore-pass");
        // Note: TLSv1 and TLSv1.1 are deprecated; enabling only TLSv1.2 (or newer) is the safer choice
        p.setProperty("ssl.enabled.protocols", "TLSv1.2,TLSv1.1,TLSv1");
        p.setProperty("ssl.client.auth", "required");