
I have a 3-node Kafka cluster in a Windows environment. I have recently added security to this existing cluster with the SASL_SSL mechanism.

Here is my server.properties security configurations on each node:

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2
ssl.endpoint.identification.algorithm=

ssl.truststore.location=kafka-truststore.jks
ssl.truststore.password=******
ssl.keystore.location=kafka.keystore.jks
ssl.keystore.password=******
ssl.key.password=******

Everything is working fine. I am able to store and retrieve messages. Kafka Streams applications are properly connected. But since yesterday I have been getting continuous logs on all three nodes such as:

INFO [SocketServer brokerId=2] Failed authentication with host.docker.internal/ip (SSL handshake failed) (org.apache.kafka.common.network.Selector)

As the log says, the broker with id 2 is refusing the SSL handshake from the other brokers, i.e. 1 & 3. I have verified the JKS certificates and they are all valid. Does anyone know the reason for such logs?

OneCricketeer
I assume everything still works fine, right? (given that it is also reported as `INFO`). One way to try and find more about this is to change log level to `verbose` for these particular logs: `export KAFKA_OPTS="-Djavax.net.debug=ssl:handshake:verbose"` – Giorgos Myrianthous Nov 27 '20 at 13:49

1 Answer


This happens when there is an issue with the client's certificate. It might be expired or not contain the whole certificate chain. Add the following to your log4j.properties if you want to keep the messages but don't want them clogging up your server.log:

log4j.appender.sslHandshakeAppender=org.apache.log4j.RollingFileAppender
log4j.appender.sslHandshakeAppender.MaxFileSize=100MB
log4j.appender.sslHandshakeAppender.MaxBackupIndex=10
log4j.appender.sslHandshakeAppender.Append=true
log4j.appender.sslHandshakeAppender.File=${kafka.logs.dir}/ssl-handshake.log
log4j.appender.sslHandshakeAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.sslHandshakeAppender.layout.ConversionPattern=[%d] %p %m (%c)%n

log4j.logger.org.apache.kafka.common.network.Selector=INFO, sslHandshakeAppender
log4j.additivity.org.apache.kafka.common.network.Selector=false
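A small triage helper, added here as an example and not part of the question or the answer above: it reads broker log lines in the `[%d] %p %m (%c)%n` layout that the log4j config above writes, pulls the broker id, remote host and failure reason out of each `Failed authentication` message, and counts failures per peer. That lets you confirm which host is repeatedly failing the handshake (a broker, or some other client resolving as `host.docker.internal`) before inspecting that peer's keystore for expiry or a missing chain. The sample log lines, host names and IP addresses are constructed, and the function names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the "[%d] %p %m (%c)%n" layout. The host names,
# addresses and the second failure reason are made up for this example.
SAMPLE_LOG = """\
[2020-11-27 13:40:01,120] INFO [SocketServer brokerId=2] Failed authentication with host.docker.internal/192.0.2.10 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2020-11-27 13:40:01,121] INFO [SocketServer brokerId=2] Failed authentication with host.docker.internal/192.0.2.10 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2020-11-27 13:40:05,300] INFO [SocketServer brokerId=2] Failed authentication with kafka-3/192.0.2.3 (Authentication failed: Invalid username or password) (org.apache.kafka.common.network.Selector)
[2020-11-27 13:40:06,000] INFO [GroupCoordinator 2]: Stabilized group example-group (kafka.coordinator.group.GroupCoordinator)
[2020-11-27 13:40:09,500] INFO [SocketServer brokerId=2] Failed authentication with host.docker.internal/192.0.2.10 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
"""

# One log4j record: "[timestamp] LEVEL message (logger.name)"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>\w+) (?P<msg>.*) \((?P<logger>[\w.$]+)\)$")

# The Selector's authentication-failure message, as quoted in the question.
AUTH_FAIL_RE = re.compile(
    r"^\[SocketServer brokerId=(?P<broker>\d+)\] Failed authentication with "
    r"(?P<host>\S+) \((?P<reason>.+)\)$"
)


def parse_line(line):
    """Split one log line into timestamp, level, message and logger, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_auth_failure(record):
    """Extract broker id, peer host/IP and reason from a 'Failed authentication' record, else None."""
    m = AUTH_FAIL_RE.match(record["msg"])
    if not m:
        return None
    host, _, ip = m["host"].partition("/")  # Kafka logs the peer as hostname/ip
    return {
        "ts": datetime.strptime(record["ts"], "%Y-%m-%d %H:%M:%S,%f"),
        "broker": int(m["broker"]),
        "host": host,
        "ip": ip or host,
        "reason": m["reason"],
    }


def summarize(log_text):
    """Count authentication failures keyed by (broker id, peer host, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        failure = parse_auth_failure(record)
        if failure is None:
            continue
        counts[(failure["broker"], failure["host"], failure["reason"])] += 1
    return counts


def noisy_peers(counts, threshold):
    """Return peer hosts whose total failure count is at or above the threshold, most frequent first."""
    per_host = Counter()
    for (_broker, host, _reason), n in counts.items():
        per_host[host] += n
    return [host for host, n in per_host.most_common() if n >= threshold]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (broker, host, reason), n in summary.most_common():
        print(f"broker {broker}: {n:3d} x {host}: {reason}")
    print("peers to check first:", noisy_peers(summary, 2))
```

Point it at the `ssl-handshake.log` file the appender above produces; a single peer dominating the count with `SSL handshake failed` is the certificate to inspect, while a spread across many peers points back at the broker's own keystore or truststore.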