KEYSTORE.JKS exists FAILED - exited with code 1

[cavemenlife]

Hello, I am trying to configure ssl to confluent kafka docker platform and getting an error while starting saying

Logs:

Command [/usr/local/bin/dub path /etc/kafka/secrets/kafka.server.keystore.jks exists] FAILED ! kafka_kafka-broker1_1_13d7835ad32d exited with code 1

[cavemenlife]

docker configuration

version: '3'

services:

zookeeper1: image: confluentinc/cp-zookeeper:5.1.0 hostname: zookeeper1 ports:

• "2181:2181"
• "2888:2888"

• "3888:3888" environment: ZOOKEEPER_SERVER_ID: 1 ZOOKEEPER_SERVERS: 0.0.0.0:2888:3888 ZOOKEEPER_CLIENT_PORT: 2181 ZOOKEEPER_TICK_TIME: 2000 logging:
  driver: "json-file" options: max-size: "10m" max-file: "3"

  volumes:

• zookeeper-data:/var/lib/zookeeper/data

• zookeeper-log:/var/lib/zookeeper/log

  kafka-broker1: image: confluentinc/cp-kafka:5.1.0 hostname: kafka-broker1: ports:

• "9092:9092"
• "9093:9093" environment: KAFKA_LISTENERS: "PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093" KAFKA_ADVERTISED_LISTENERS: "PLAINTEXT://kafkassl.com:9092,SSL://kafkassl.com:9093" KAFKA_ZOOKEEPER_CONNECT: zookeeper1:2181 KAFKA_LOG4J_LOGGERS: "kafka.controller=INFO,kafka.producer.async.DefaultEventHandler=INFO,state.change.logger=INFO" KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 2 KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false" KAFKA_DELETE_TOPIC_ENABLE: "true" KAFKA_LOG_RETENTION_HOURS: 168 KAFKA_OFFSETS_RETENTION_MINUTES: 43800 KAFKA_SSL_KEYSTORE_FILENAME: kafka1.server.keystore.jks KAFKA_SSL_TRUSTSTORE_LOCATION: /ssl/kafka.server.truststore.jks KAFKA_SSL_TRUSTSTORE_PASSWORD: KAFKA_SSL_KEYSTORE_LOCATION: /ssl/kafka.server.keystore.jks KAFKA_SSL_KEYSTORE_PASSWORD: KAFKA_SSL_KEY_PASSWORD: volumes:
• kafka-data:/var/lib/kafka/data logging: driver: "json-file" options: max-size: "10m" max-file: "3" depends_on:
• zookeeper1

volumes: zookeeper-data: zookeeper-log: kafka-data:

[ybyzek]

@cavemenlife : have you seen https://github.com/confluentinc/cp-demo ? It is a good reference for a Kafka setup in Docker with SSL enabled.

[samsaida]

I am also trying to configure SSL and got the same error. Did you get the solution?

[smuryginim]

Hello! Im trying to go through instruction to setup cp-demo and get the same error. Where in the docs I can read about additional instructions?

Is it suitable for Windows users?

[djosemartine]

I am using this configuration as documentation suggested and keep getting the same error referenced above. KAFKA_SSL_KEYSTORE_LOCATION: /home/ssl/kafka.server.keystore.jks KAFKA_SSL_KEYSTORE_PASSWORD: KAFKA_SSL_KEY_PASSWORD: KAFKA_SSL_TRUSTSTORE_LOCATION: /home/ssl/kafka.server.truststore.jks KAFKA_SSL_TRUSTSTORE_PASSWORD:

[junyongz]

see this file line https://github.com/confluentinc/cp-docker-images/blob/fec6d0a8635cea1dd860e610ac19bd3ece8ad9f4/debian/kafka/include/etc/confluent/docker/configure#L70

KAFKA_SSL_KEYSTORE_LOCATION is hard coded to export KAFKA_SSL_KEYSTORE_LOCATION="/etc/kafka/secrets/$KAFKA_SSL_KEYSTORE_FILENAME"

Meaning, you can't customize the value for KAFKA_SSL_KEYSTORE_LOCATION

[danielreoli]

These steps worked for me in Windows:

1 - Generate keys using Windows WSL:

cd $(pwd)/examples/kafka-cluster-ssl/secrets ./create-certs.sh (Type yes for all "Trust this certificate? [no]:" prompts.)

2 - Set the environment variable KAFKA_SSL_SECRETS_DIR using PowerShell:

$env:KAFKA_SSL_SECRETS_DIR= "xxxx\cp-docker-images\examples\kafka-cluster-ssl\secrets"

3 - Use the environment variable to run kafka-ssl cluster node:

docker run -d --net=host --name=kafka-ssl-1 -e KAFKA_ZOOKEEPER_CONNECT=localhost:22181,localhost:32181,localhost:42181 -e KAFKA_ADVERTISED_LISTENERS=SSL://localhost:29092 -e KAFKA_SSL_KEYSTORE_FILENAME=kafka.broker1.keystore.jks -e KAFKA_SSL_KEYSTORE_CREDENTIALS=broker1_keystore_creds -e KAFKA_SSL_KEY_CREDENTIALS=broker1_sslkey_creds -e KAFKA_SSL_TRUSTSTORE_FILENAME=kafka.broker1.truststore.jks -e KAFKA_SSL_TRUSTSTORE_CREDENTIALS=broker1_truststore_creds -e KAFKA_SECURITY_INTER_BROKER_PROTOCOL=SSL -v ${env:KAFKA_SSL_SECRETS_DIR}:/etc/kafka/secrets confluentinc/cp-kafka:5.0.0