Kafka 控制器无法连接到代理

Question

我有一个 3 节点 Kafka 集群（版本 0.10.1.0）。我已按照kafka security documentation 上的步骤进行操作。这是我的其中一台 Kafka 服务器的相关配置。

listeners=SSL://myhostname:9093
security.inter.broker.protocol=SSL
advertised.listeners=SSL://myhostname:9093
# In order to enable hostname verification
ssl.endpoint.identification.algorithm=HTTPS

ssl.client.auth=required

# certificate file locations
ssl.keystore.location=/location/server1.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/location/server.truststore.jks
ssl.truststore.password=changeit

# Supported TLS versions
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1

我为我的所有 Kafka 服务器定义了 3 个不同的密钥库，并使用相同的 CA 对它们进行了签名。当我启动 Kafka 服务器时，控制器日志会不断记录以下警告日志。

WARN [Controller-0-to-broker-2-send-thread], Controller 0's connection to broker host3:9093 (id: 2 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host3:9093 (id: 2 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
WARN [Controller-0-to-broker-0-send-thread], Controller 0's connection to broker host1:9093 (id: 0 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host1:9093 (id: 0 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)
WARN [Controller-0-to-broker-1-send-thread], Controller 0's connection to broker host2:9093 (id: 1 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
java.io.IOException: Connection to host2:9093 (id: 1 rack: null) failed
    at kafka.utils.NetworkClientBlockingOps$.awaitReady$1(NetworkClientBlockingOps.scala:83)
    at kafka.utils.NetworkClientBlockingOps$.blockingReady$extension(NetworkClientBlockingOps.scala:93)
    at kafka.controller.RequestSendThread.brokerReady(ControllerChannelManager.scala:230)
    at kafka.controller.RequestSendThread.liftedTree1$1(ControllerChannelManager.scala:182)
    at kafka.controller.RequestSendThread.doWork(ControllerChannelManager.scala:181)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:63)

在我看来，这比警告更严重。

你知道可能是什么问题吗？

提前致谢。

Answer 1

我发现了问题，它与证书创建有关。参考Confluent's documentation上面写着：

确保公用名 (CN) 与全限定名完全匹配 服务器的域名 (FQDN)。客户端将 CN 与 DNS 域名，以确保它确实连接到所需的 服务器，而不是恶意服务器。

我重新生成了证书并且成功了！