Hi,
I'm trying to configure a secure connection (SSL) between my beat (metricbeat windows) and kafka server, but the handshake is failing.
Is my metricbeat.yml configuration OK?
output.kafka:
  # Active
  enabled: true
  # The Kafka hosts
  hosts: ["<serverName>:9093"]
  # Topics
  topic: 'windowstest'
  # SSL
  # Kafka main certificate (CA)
  ssl.certificate_authorities: ["<path>/ca_cert.pem"]
  # Beat certificate, signed by the Kafka main (CA) certificate
  ssl.certificate: "<path>/beat_cert.pem"
  # Beat certificate key
  ssl.key: "<path>/beat_cert.key"
  # Client certificate passphrase
  #ssl.key_passphrase: "passwd"
The configuration properties on my Kafka server are the following:
File server.properties:
# Listeners with SSL
listeners=PLAINTEXT://<serverName>:9092,SSL://<serverName>:9093
# SSL
ssl.truststore.location=/etc/pki/tls/kafka.server.truststore.jks
ssl.truststore.password=passwd
ssl.keystore.location=/etc/pki/tls/kafka.server.keystore.jks
ssl.keystore.password=passwd
ssl.password=passwd
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
File consumer.properties:
# SSL
security.protocol=SSL
ssl.truststore.location=/etc/pki/tls/kafka.client.truststore.jks
ssl.truststore.password=passwd
ssl.keystore.location=/etc/pki/tls/kafka.client.keystore.jks
ssl.keystore.password=passwd
ssl.password=passwd
File producer.properties:
# SSL
security.protocol=SSL
ssl.truststore.location=/etc/pki/tls/kafka.client.truststore.jks
ssl.truststore.password=passwd
ssl.keystore.location=/etc/pki/tls/kafka.client.keystore.jks
ssl.keystore.password=passwd
ssl.password=passwd
If it helps, this is the response of my server (openssl s_client -debug -connect <serverName>:9093 -tls1):
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: <id>
Session-ID-ctx:
Master-Key: <id>
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1615812929
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: yes
I have been trying different configurations, but none of them worked. Any idea how I can solve it?
Thanks
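An added example, not code from the post or from Beats/Kafka: since Metricbeat's TLS stack is Go's crypto/tls, this Go program reproduces the two chain validations that a handshake with ssl.client.auth=required performs (the broker checks the beat's certificate against its truststore for client authentication; the beat checks the broker's certificate against ssl.certificate_authorities) and also checks that ssl.key belongs to ssl.certificate. The certificates are constructed in memory, and the function names issue, chainsTo and Demo are this example's own; the last check, verifying the broker cert with no CA at all, is the situation the s_client run above was in, since it was given no -CAfile and reported verify code 19.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a throwaway cert (constructed here): a self-signed CA if parent is nil, else a leaf signed by parent.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA, the role ca_cert.pem plays in the post
		tmpl.IsCA, tmpl.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo is what each side does in the handshake: Kafka verifies the beat's cert for clientAuth against
// its truststore (ssl.client.auth=required); the beat verifies the broker's cert for serverAuth against ssl.certificate_authorities.
func chainsTo(cert *x509.Certificate, trust *x509.CertPool, role x509.ExtKeyUsage) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{role}})
	return err == nil
}
// Demo mirrors the post: one CA issues the broker and beat certs, a second CA stands in for a beat cert
// signed by the wrong CA. Returns (beatOK, wrongCABeatOK, brokerOK, brokerWithoutCAOK, keyMatchesCert).
func Demo() (bool, bool, bool, bool, bool) {
	ca, caKey := issue("kafka-ca", nil, nil)
	otherCA, otherKey := issue("other-ca", nil, nil)
	broker, _ := issue("kafka-broker", ca, caKey)
	beat, beatKey := issue("metricbeat", ca, caKey)
	wrongBeat, _ := issue("metricbeat", otherCA, otherKey)
	trust := x509.NewCertPool() // what ca_cert.pem and the JKS truststore hold
	trust.AddCert(ca)
	return chainsTo(beat, trust, x509.ExtKeyUsageClientAuth),
		chainsTo(wrongBeat, trust, x509.ExtKeyUsageClientAuth),
		chainsTo(broker, trust, x509.ExtKeyUsageServerAuth),
		chainsTo(broker, x509.NewCertPool(), x509.ExtKeyUsageServerAuth), // no CA given, as with s_client and no -CAfile
		beatKey.Public().(ed25519.PublicKey).Equal(beat.PublicKey) // does ssl.key belong to ssl.certificate?
}
```

If the real beat_cert.pem fails the first check against the real ca_cert.pem, or the key check fails, the broker will reject the client certificate during the handshake regardless of the rest of the configuration.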