Open 3g0r opened 1 year ago
thanks for the report @3g0r. i would have expected that in both the rpk and rdkafka cases that the client configuration would be pointing at some certificates for the client to use when connecting. are those missing or are they being picked up some some how?
also, fyi, github issues is generally used for reporting bugs. we have a slack https://redpanda.com/slack for troubleshooting stuff like this.
Hi dotnwat! Thank you for answer. Before we continue, I should move the issue/discussions into redpanda.com/slack?
some certificates for the client to use when connecting
No, not missing - I don't use any explicit certificates for client. In server side it is standard DNS+TLS configuration like for https setup. That approach works with kafka cluster + rdkafka client, and also it works with redpanda cluster
Capturing on 'eth0'
1 0.000000000 172.20.0.3 ? 192.168.65.5 DNS 105 Standard query 0x96bd A redpanda-0.my-public-domain-name
2 0.003063216 192.168.65.5 ? 172.20.0.3 DNS 222 Standard query response 0x96bd A redpanda-0.my-public-domain-name CNAME 185.187.91.228.nip.io A 185.187.91.228
3 0.004262950 172.20.0.3 ? 185.187.91.228 TCP 74 34926 ? 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2051805249 TSecr=0 WS=128
4 0.069407040 185.187.91.228 ? 172.20.0.3 TCP 62 443 ? 34926 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=4
5 0.069461825 172.20.0.3 ? 185.187.91.228 TCP 54 34926 ? 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0
6 0.069782439 172.20.0.3 ? 185.187.91.228 TLSv1 391 Client Hello
7 0.070067825 185.187.91.228 ? 172.20.0.3 TCP 54 443 ? 34926 [ACK] Seq=1 Ack=338 Win=262140 Len=0
8 0.152257087 185.187.91.228 ? 172.20.0.3 TLSv1.3 187 Server Hello, Change Cipher Spec
9 0.152282328 172.20.0.3 ? 185.187.91.228 TCP 54 34926 ? 443 [ACK] Seq=338 Ack=134 Win=64128 Len=0
10 0.153618448 185.187.91.228 ? 172.20.0.3 TLSv1.3 1414 Encrypted Extensions
11 0.153655108 172.20.0.3 ? 185.187.91.228 TCP 54 34926 ? 443 [ACK] Seq=338 Ack=1494 Win=64128 Len=0
12 0.154074133 185.187.91.228 ? 172.20.0.3 TCP 1414 443 ? 34926 [PSH, ACK] Seq=1494 Ack=338 Win=262140 Len=1360 [TCP segment of a reassembled PDU]
13 0.154099777 172.20.0.3 ? 185.187.91.228 TCP 54 34926 ? 443 [ACK] Seq=338 Ack=2854 Win=64128 Len=0
14 0.155696226 185.187.91.228 ? 172.20.0.3 TLSv1.3 1514 Certificate [TCP segment of a reassembled PDU]
15 0.155714216 172.20.0.3 ? 185.187.91.228 TCP 54 34926 ? 443 [ACK] Seq=338 Ack=4314 Win=64128 Len=0
16 0.155763560 185.187.91.228 ? 172.20.0.3 TLSv1.3 355 Certificate Verify, Finished
17 0.155803984 172.20.0.3 ? 185.187.91.228 TCP 54 34926 ? 443 [ACK] Seq=338 Ack=4615 Win=63872 Len=0
18 0.157066246 172.20.0.3 ? 185.187.91.228 TLSv1.3 134 Change Cipher Spec, Finished
@3g0r is this issue still happening, or did you get resolution elsewhere?
The log makes me a bit suspicious that something is going wrong with whatever is forwarding from the public :443 port to redpanda's :9094 port: we can see the client successfully speaking TLS to its seed broker initially, but then when it tries opening a connection to another broker, it's somehow hitting a non-tls port.
Version & Environment
Redpanda version: (use
rpk version
):v22.2.7 (rev 96ed1cc)
Please also give versions of other components:
/etc/os-release
):docker info
):kubectl version
):What went wrong?
Hi, evryone. I test redpanda k8s cluster with the intention for migrate from kafka. In the beginning I tested it in docker-compose without traffic encryption, only with sasl authentication, and it had worked like a charm. But when I had migrated my configuration into k8s env and had enabled tls for one public listener (without mTls authentication), my rdkafka clients couldn't connect to redpanda cluster. I can't figure out why. My attempts to investigate have been unsuccessful.
I tried to take and decrypt traffic with tshark, and I think authentication passed success, but in the next step my clients fallen with
'[thrd:GroupCoordinator]: GroupCoordinator/0: my-public-domain-name.:443: SSL handshake failed: Disconnected: connecting to a PLAINTEXT broker listener? (after 86ms in state SSL_HANDSHAKE, 1 identical error(s) suppressed) (_TRANSPORT): identical to last error'
And another wired details: I can connect to redpanda cluster from my pc through rpk cli tool
What should have happened instead?
I was hoping it should work without any problems.
How to reproduce the issue?
redpanda.yaml
helm installation hook
helm update hook
node-rdkafka: "^2.14.0" settings
Additional information
Please attach any relevant logs, backtraces, or metric charts.
Not any wired logs for panda cluster in standard log level. rdkafka client:
JIRA Link: CORE-1096