Enabling SSL on ZooKeeper

source link: https://blog.51cto.com/u_13236892/5507601

Original post

哭泣的馒头 2022-07-23 18:22:36 · Blog category: Big Data · © copyright

Tags: zookeeper, apache, kafka · Category: Linux systems / ops · Views: 166

I. Set up ZooKeeper

II. Generate client and server certificates with openssl and keytool

III. Configure SSL in ZooKeeper

1. Simple certificate generation

keytool -genkeypair -alias certificatekey -keyalg RSA -validity 3650 -keystore keystore.jks
keytool -list -v -keystore keystore.jks
keytool -export -alias certificatekey -keystore keystore.jks -rfc -file selfsignedcert.cer
keytool -import -alias certificatekey -file selfsignedcert.cer -keystore truststore.jks
keytool -list -v -keystore truststore.jks

When keytool asks for the "first and last name", enter the current host's hostname (this value becomes the certificate CN).
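The following script is an added example, not code from the original post. It runs the same keytool steps non-interactively, takes the certificate CN (the "first and last name" the post says must be the hostname) and a SAN from `hostname`, and checks the CN before the keystore is deployed, which is exactly the mismatch behind the "doesn't match common name of the certificate subject: localhost" error in the problem summary. The output directory ./zk-cert, the ZK_STORE_PASS and ZK_HOST variables, and the OU/O/C values in the distinguished name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the ZooKeeper server keystore
# and truststore non-interactively, with the CN and a SAN taken from `hostname`, so the
# "first and last name = hostname" rule is enforced instead of typed by hand.
# Assumptions: output dir ./zk-cert, password from ZK_STORE_PASS, host from ZK_HOST.

ZK_CERT_DIR="${ZK_CERT_DIR:-./zk-cert}"
ZK_STORE_PASS="${ZK_STORE_PASS:-changeit}"             # constructed default, override it
ZK_HOST="${ZK_HOST:-$(hostname 2>/dev/null || echo localhost)}"

# Distinguished name keytool would otherwise prompt for; the CN is the host name.
zk_dname() {
    printf 'CN=%s, OU=zookeeper, O=example, C=CN' "$1"
}

# Pull the CN out of the "Owner:" line printed by `keytool -list -v`.
cn_from_owner_line() {
    printf '%s\n' "$1" | sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p'
}

# 0 when the certificate CN equals the expected host name, 1 otherwise.
cn_matches_host() {
    cn=$(cn_from_owner_line "$1")
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Same steps as the post's keytool commands, but non-interactive and with a SAN,
# so clients can keep hostname verification enabled later.
generate_stores() {
    mkdir -p "$ZK_CERT_DIR"
    keytool -genkeypair -alias certificatekey -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "$(zk_dname "$ZK_HOST")" -ext "SAN=dns:$ZK_HOST" \
        -keystore "$ZK_CERT_DIR/keystore.jks" \
        -storepass "$ZK_STORE_PASS" -keypass "$ZK_STORE_PASS"
    keytool -export -alias certificatekey -rfc -file "$ZK_CERT_DIR/selfsignedcert.cer" \
        -keystore "$ZK_CERT_DIR/keystore.jks" -storepass "$ZK_STORE_PASS"
    keytool -import -noprompt -alias certificatekey -file "$ZK_CERT_DIR/selfsignedcert.cer" \
        -keystore "$ZK_CERT_DIR/truststore.jks" -storepass "$ZK_STORE_PASS"
}

# Catch the "doesn't match common name ... localhost" problem before deploying.
verify_cn() {
    owner=$(keytool -list -v -keystore "$ZK_CERT_DIR/keystore.jks" \
                -storepass "$ZK_STORE_PASS" | grep '^Owner:' | head -n 1)
    if cn_matches_host "$owner" "$ZK_HOST"; then
        echo "OK: keystore CN matches host $ZK_HOST"
    else
        echo "ERROR: '$owner' does not match host $ZK_HOST" >&2
        return 1
    fi
}

# Once zkServer.sh is running, show the certificate the secure port really serves.
show_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$ZK_HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Usage: sh gen-zk-cert.sh run   (without the argument only the helpers are defined)
if [ "${1:-}" = "run" ]; then
    generate_stores && verify_cn
fi
```

Run it as `sh gen-zk-cert.sh run` on the ZooKeeper host; without the argument it only defines the helpers, so it can be sourced. Because the certificate carries a DNS SAN, hostname verification can stay enabled on clients that connect by that host name (connecting by IP address, as the post does, would additionally need an IP SAN).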

2. Add SSL on the server side

There are two ways.
Way 1: add it to the configuration file
Append the following to zoo.cfg:
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/data/zookeeper/cert/keystore.jks
ssl.keyStore.password=123456
ssl.trustStore.location=/data/zookeeper/cert/truststore.jks
ssl.trustStore.password=123456

Way 2: add it as JVM variables
Add the following at the top of zkServer.sh:
export SERVER_JVMFLAGS="
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=/data/zookeeper/cert/keystore.jks
-Dzookeeper.ssl.keyStore.password=123456
-Dzookeeper.ssl.trustStore.location=/data/zookeeper/cert/truststore.jks
-Dzookeeper.ssl.trustStore.password=123456"

3. Add a secure port to the configuration file

zoo.cfg additionally needs a secure client port:
secureClientPort=2183
To avoid listening on every interface, bind it to a single address:
secureClientPortAddress=192.168.10.133

4. Start the service

./zkServer.sh start

5. Configure the zkCli.sh connection

First test a connection to the plain port:
./zkCli.sh -server 192.168.10.133:2181

Once that works, add the following at the top of zkCli.sh:
export CLIENT_JVMFLAGS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.hostnameVerification=false
-Dzookeeper.ssl.keyStore.location=/data/zookeeper/cert/keystore.jks
-Dzookeeper.ssl.keyStore.password=123456
-Dzookeeper.ssl.trustStore.location=/data/zookeeper/cert/truststore.jks
-Dzookeeper.ssl.trustStore.password=123456"

### Note
Here keyStore and trustStore are spelled with a capital S; in the Kafka configuration later on they must be lowercase.

Then test the connection:
./zkCli.sh -server 192.168.10.133:2183
The first attempt logs an error:
"Cannot support TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 with currently installed providers"
Suspected cause: the JDK version is too old.
The current version is jdk1.8.0_151; after upgrading to jdk1.8.0_221, test again:
./zkCli.sh -server 192.168.10.133:2181
The log no longer shows the error and the connection succeeds.

IV. Configure Kafka to connect to ZooKeeper

zookeeper.connect=192.168.10.133:2183
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.client.enable=true
zookeeper.ssl.hostnameVerification=false
zookeeper.ssl.keystore.location=/data/zookeeper/cert/zookeeper.server.keystore.p12
zookeeper.ssl.keystore.password=123456
zookeeper.ssl.truststore.location=/data/zookeeper/cert/zookeeper.server.truststore.p12
zookeeper.ssl.truststore.password=123456

V. Problem summary

1. JDK version: cipher suite not supported

"Cannot support TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 with currently installed providers"
Current: java version "1.8.0_151"
Upgraded to: java version "1.8.0_221"
Restart ZooKeeper and test the connection again. (The AES-256 suites need the unlimited-strength JCE policy, which JDK 8 only enables by default from 8u161 onward, so the older build rejects them.)

2. Error caused by the Kafka connection configuration

[2022-07-23 17:53:00,002] WARN Session 0x0 for sever k8s03/192.168.10.133:2183, Closing socket connection. Attempting reconnect except it is a SessionExpiredException. (org.apache.zookeeper.ClientCnxn)
EndOfStreamException: Unable to read additional data from server sessionid 0x0, likely server has closed socket
at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:77)
at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:350)
at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1290)

If ZooKeeper's zkCli.sh connects fine but Kafka reports an error, check the connection configuration.
zkCli.sh has the line: zookeeper.client.secure=true
but the Kafka setting is: zookeeper.ssl.client.enable=true
Don't mix them up; mixing them up produces exactly this error.

3. Certificate hostname problem

"Certificate for <k8s03> doesn't match common name of the certificate subject: localhost"
"javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
"Failed to verify both host address and host name"
The certificate's "first and last name" was set to localhost, which does not match the hostname (k8s03).
Re-issue the certificate with the first-and-last-name field set to the hostname.

4. Certificate configuration errors

"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target"

Check the zkCli.sh configuration:
-Dzookeeper.ssl.keyStore.location=
-Dzookeeper.ssl.keyStore.password=
-Dzookeeper.ssl.trustStore.location=
-Dzookeeper.ssl.trustStore.password=
In keyStore and trustStore the S of Store is uppercase; written in lowercase, the client fails to connect to the ZooKeeper service.

Check Kafka's server.properties:
zookeeper.ssl.keystore.location=
zookeeper.ssl.keystore.password=
zookeeper.ssl.truststore.location=
zookeeper.ssl.truststore.password=
In keystore and truststore the s of store is lowercase; written in uppercase, startup first logs the following warnings:
"WARN zookeeper.ssl.keyStore.location not specified (org.apache.zookeeper.common.X509Util)"
"WARN zookeeper.ssl.trustStore.location not specified (org.apache.zookeeper.common.X509Util)"
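Added example (not part of the original post): a small shell audit that catches the configuration mistakes collected above before the services are started: the zookeeper.client.secure versus zookeeper.ssl.client.enable mix-up from problem 2, the keyStore/keystore casing from problem 4, and a secureClientPort with no secureClientPortAddress from section III. The file names and contents used in the demo are constructed; the three audit functions work on any zkCli.sh/zkServer.sh, server.properties and zoo.cfg you point them at.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS config pitfalls listed
# above. zkCli/zkServer JVM flags must use keyStore/trustStore and
# zookeeper.client.secure; Kafka's server.properties must use lowercase
# keystore/truststore and zookeeper.ssl.client.enable; a secureClientPort without
# secureClientPortAddress listens on every interface. Demo file contents are constructed.

# JVM-flag blocks (zkCli.sh / zkServer.sh): flag a lowercase store key or the
# Kafka-only enable key. Prints one finding per line, returns 1 if anything was found.
audit_zk_jvmflags() {
    file="$1"; rc=0
    if grep -Eq 'zookeeper\.ssl\.(keystore|truststore)\.' "$file"; then
        echo "$file: JVM flags need keyStore/trustStore with a capital S"; rc=1
    fi
    if grep -Eq 'zookeeper\.ssl\.client\.enable' "$file"; then
        echo "$file: zookeeper.ssl.client.enable is a Kafka key; use -Dzookeeper.client.secure=true"; rc=1
    fi
    return $rc
}

# Kafka server.properties: lowercase store keys and zookeeper.ssl.client.enable=true.
audit_kafka_props() {
    file="$1"; rc=0
    if grep -Eq '^zookeeper\.ssl\.(keyStore|trustStore)\.' "$file"; then
        echo "$file: Kafka keys must be lowercase keystore/truststore (X509Util warns otherwise)"; rc=1
    fi
    if grep -Eq '^zookeeper\.client\.secure' "$file"; then
        echo "$file: zookeeper.client.secure is a zkCli flag; Kafka uses zookeeper.ssl.client.enable"; rc=1
    fi
    if ! grep -Eq '^zookeeper\.ssl\.client\.enable=true' "$file"; then
        echo "$file: zookeeper.ssl.client.enable=true missing; Kafka would speak plaintext to the TLS port"; rc=1
    fi
    return $rc
}

# zoo.cfg: a secure port without a bind address is reachable on all interfaces.
audit_zoo_cfg() {
    file="$1"; rc=0
    if grep -Eq '^secureClientPort=' "$file" && ! grep -Eq '^secureClientPortAddress=' "$file"; then
        echo "$file: secureClientPort set without secureClientPortAddress (binds to every interface)"; rc=1
    fi
    return $rc
}

# Run all three audits; exit status 1 if any of them reported a finding.
# (Uses its own variable name: sh functions share globals, and the audits reset rc.)
audit_all() {
    found=0
    audit_zk_jvmflags "$1" || found=1
    audit_kafka_props "$2" || found=1
    audit_zoo_cfg "$3" || found=1
    return $found
}

# Constructed demo inputs reproducing the mistakes from the problem summary.
demo() {
    d=$(mktemp -d)
    cat > "$d/zkCli.sh" <<'EOF'
export CLIENT_JVMFLAGS="
-Dzookeeper.ssl.client.enable=true
-Dzookeeper.ssl.keystore.location=/data/zookeeper/cert/keystore.jks"
EOF
    cat > "$d/server.properties" <<'EOF'
zookeeper.client.secure=true
zookeeper.ssl.keyStore.location=/data/zookeeper/cert/zookeeper.server.keystore.p12
EOF
    printf 'secureClientPort=2183\n' > "$d/zoo.cfg"
    audit_all "$d/zkCli.sh" "$d/server.properties" "$d/zoo.cfg" || echo "findings above need fixing"
    rm -rf "$d"
}

demo
```

Each function exits non-zero on a finding, so the audit can be dropped into a deploy script as `audit_all zkCli.sh server.properties zoo.cfg || exit 1` and fail the rollout before ZooKeeper or Kafka are restarted with a configuration that would only surface as the EndOfStreamException or X509Util warnings above.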