search

confluentinc / schema-registry

Confluent Schema Registry for Kafka
https://docs.confluent.io/current/schema-registry/docs/index.html
Other
2.23k stars 1.12k forks source link

Configuring mTLS on Schema Registry #1909

Open vepo opened 3 years ago

vepo commented 3 years ago

How to configure Schema Registry on a cluster that only accepts mTLS?

I'm using the following docker-compose.yaml and I'm getting the following exception. I cannot find any valid configuration that can allow me to create a stable Kafka Cluster with mTLS.

---
version: '2'
services:
  zookeeper:
    image: confluentinc/cp-zookeeper:5.5.0-mod
    build:
      context: .
      dockerfile: Dockerfile-zookeeper
    hostname: zookeeper
    container_name: zookeeper
    ports:
      - '32181:32181'
    environment:
      ZOOKEEPER_CLIENT_PORT: 32181
      ZOOKEEPER_TICK_TIME: 2000
      ZOOKEEPER_SECURE_CLIENT_PORT: 32182
      ZOOKEEPER_SERVER_CNXN_FACTORY: org.apache.zookeeper.server.NettyServerCnxnFactory
      ZOOKEEPER_SSL_KEYSTORE_LOCATION: /etc/zookeeper/secrets/zookeeper.server.keystore.jks
      ZOOKEEPER_SSL_KEYSTORE_PASSWORD: password
      ZOOKEEPER_SSL_KEY_PASSWORD: password
      ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/zookeeper/secrets/zookeeper.server.truststore.jks
      ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: password
      ZOOKEEPER_SSL_CLIENT_AUTH: want
    extra_hosts:
      - "moby:127.0.0.1"

  kafka:
    image: confluentinc/cp-enterprise-kafka:5.5.0-mod
    build:
      context: .
      dockerfile: Dockerfile-kafka
    hostname: kafka
    container_name: kafka
    ports:
      - '9092:9092'
    depends_on:
      - zookeeper
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:32182
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: SSL:SSL
      KAFKA_INTER_BROKER_LISTENER_NAME: SSL
      KAFKA_ADVERTISED_LISTENERS: SSL://kafka:29092
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: "true"
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_SSL_KEYSTORE_FILENAME: kafka.server.keystore.jks
      KAFKA_SSL_KEYSTORE_CREDENTIALS: password
      KAFKA_SSL_KEY_CREDENTIALS: password
      KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.server.truststore.jks
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: password
      KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: " "
      KAFKA_SSL_CLIENT_AUTH: required
      KAFKA_OPTS: -Djavax.net.debug=ssl:handshake -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
      KAFKA_ZOOKEEPER_SSL_CLIENT_ENABLE: "true"
      #KAFKA_ZOOKEEPER_CLIENT_CNXN_SOCKET: org.apache.zookeeper.ClientCnxnSocketNetty
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/zookeeper.client.truststore.jks
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: password
    extra_hosts:
      - "moby:127.0.0.1"

  schema-registry:
    image: confluentinc/cp-schema-registry:5.5.0-mod
    build:
      context: .
      dockerfile: Dockerfile-schema-registry
    hostname: schema-registry
    container_name: schema-registry
    depends_on:
      - zookeeper
      - kafka
    ports:
      - '8082:8082'
    environment:
      SCHEMA_REGISTRY_HOST_NAME: schema-registry
      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: SSL://kafka:29092
      SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SSL
      SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/schema-registry/secrets/kafka.client.truststore.jks
      SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: password
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/schema-registry/secrets/schema-registry.server.keystore.jks
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_PASSWORD: password
      SCHEMA_REGISTRY_KAFKASTORE_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: "HTTPS"
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEY_PASSWORD: password
      SCHEMA_REGISTRY_LISTENERS: https://0.0.0.0:8082
      SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: https
      SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /etc/schema-registry/secrets/schema-registry.server.keystore.jks
      SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: password
      SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/schema-registry/secrets/schema-registry.server.truststore.jks
      SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: password
      SCHEMA_REGISTRY_SSL_CLIENT_AUTH: "true"
      SCHEMA_REGISTRY_SECURITY_PROTOCOL: SSL
      SCHEMA_REGISTRY_CONFLUENT_REST_AUTH_PROPAGATE_METHOD: SSL
    extra_hosts:
      - "moby:127.0.0.1"
[kafka-admin-client-thread | adminclient-1] INFO org.apache.kafka.common.network.Selector - [AdminClient clientId=adminclient-1] Failed authentication with kafka/172.19.0.3 (SSL handshake failed)
[kafka-admin-client-thread | adminclient-1] ERROR org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Connection to node -1 (kafka/172.19.0.3:29092) failed authentication due to: SSL handshake failed
[kafka-admin-client-thread | adminclient-1] WARN org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1530)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:504)
        at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:363)
        at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:286)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:174)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:485)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:550)
        at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1272)
        at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1203)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
        at sun.security.ssl.HandshakeStateManager.check(HandshakeStateManager.java:362)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:196)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
        at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:425)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:509)
        ... 9 more
mingmingshiliyu commented 1 year ago

did you resolve this?