Metricbeat - SSL Kafka Output (Failed authentication)

Hi,
I'm trying to configure a secure connection (SSL) between my beat (metricbeat windows) and kafka server, but the handshake is failing.

Is my configuration metricbeat.yml OK?

output.kafka:

  # Active
  enabled: true

  # The Kafka hosts
  hosts: ["<serverName>:9093"]

  # Topics
  topic: 'windowstest'

  # SSL
  # Kafka main certificate (ca)
  ssl.certificate_authorities: ["<path>/ca_cert.pem"]

  # Beat certificate that was signed by the Kafka main certificate (CA)
  ssl.certificate: "<path>/beat_cert.pem"

  # Beat certificate Key
  ssl.key: "<path>/beat_cert.key"

  # Client Certificate Passphrase
  #ssl.key_passphrase: "passwd"

The configuration properties in my kafka server are the following ones:

File server.properties :

# Listeners with SSL
listeners=PLAINTEXT://<serverName>:9092,SSL://<serverName>:9093

# SSL
ssl.truststore.location=/etc/pki/tls/kafka.server.truststore.jks
ssl.truststore.password=passwd
ssl.keystore.location=/etc/pki/tls/kafka.server.keystore.jks
ssl.keystore.password=passwd
ssl.password=passwd

ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1

File consumer.properties :

# SSL
security.protocol=SSL
ssl.truststore.location=/etc/pki/tls/kafka.client.truststore.jks
ssl.truststore.password=passwd
ssl.keystore.location=/etc/pki/tls/kafka.client.keystore.jks
ssl.keystore.password=passwd
ssl.password=passwd

File producer.properties :

# SSL
security.protocol=SSL
ssl.truststore.location=/etc/pki/tls/kafka.client.truststore.jks
ssl.truststore.password=passwd
ssl.keystore.location=/etc/pki/tls/kafka.client.keystore.jks
ssl.keystore.password=passwd
ssl.password=passwd

If it helps, this is the response of my server (openssl s_client -debug -connect <serverName>:9093 -tls1):

New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: <id>
    Session-ID-ctx:
    Master-Key: <id>
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1615812929
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes

I have been trying different configurations, but none of them worked. Any idea how I can solve it?

Thanks :)
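
An added example, not part of the original post and not Elastic or Kafka code: a small Python audit of the TLS lines from the server.properties quoted above. The known-key list is an assumed, partial subset of Kafka's broker `ssl.*` settings, and listener names are assumed to be the default protocol names.

```python
import re

# Constructed input: the TLS-related lines of the server.properties quoted above.
SERVER_PROPERTIES = """\
listeners=PLAINTEXT://<serverName>:9092,SSL://<serverName>:9093
ssl.truststore.location=/etc/pki/tls/kafka.server.truststore.jks
ssl.truststore.password=passwd
ssl.keystore.location=/etc/pki/tls/kafka.server.keystore.jks
ssl.keystore.password=passwd
ssl.password=passwd
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
"""

# Partial list of Kafka broker ssl.* keys (assumption: not exhaustive).
# Kafka's key for the private-key password is ssl.key.password.
KNOWN_SSL_KEYS = {
    "ssl.truststore.location", "ssl.truststore.password", "ssl.truststore.type",
    "ssl.keystore.location", "ssl.keystore.password", "ssl.keystore.type",
    "ssl.key.password", "ssl.client.auth", "ssl.enabled.protocols",
    "ssl.protocol", "ssl.cipher.suites", "ssl.endpoint.identification.algorithm",
}
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0 and 1.1 are deprecated by RFC 8996

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (key, finding) tuples for the broker's TLS settings."""
    findings = []
    for key in sorted(props):
        if key.startswith("ssl.") and key not in KNOWN_SSL_KEYS:
            findings.append((key, "not in the known broker ssl.* key list"))
    enabled = [p.strip() for p in props.get("ssl.enabled.protocols", "").split(",")]
    weak = [p for p in enabled if p in DEPRECATED]
    if weak:
        findings.append(("ssl.enabled.protocols", "deprecated: " + ", ".join(weak)))
    schemes = re.findall(r"(\w+)://", props.get("listeners", ""))
    if "PLAINTEXT" in schemes:
        findings.append(("listeners", "PLAINTEXT listener is unencrypted and unauthenticated"))
    if "SSL" in schemes and props.get("ssl.client.auth") != "required":
        findings.append(("ssl.client.auth", "client certificates are not required"))
    return findings
```

Calling `audit(parse_properties(SERVER_PROPERTIES))` returns findings for `ssl.password`, `ssl.enabled.protocols` and `listeners`, and none for `ssl.client.auth`.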
