wpa_supplicant won't connect to WPA enterprise EAP-PEAP MSCHAPv2 - ssl

I am trying to authenticate with a WPA-Enterprise network via wpa_supplicant using PEAP-MSCHAPv2; the back-end RADIUS server is running what I believe to be FreeRADIUS 3.0. I have tried numerous configuration files, and the credentials are correct. I am unsure why I'm unable to connect. I will share my previous configuration file attempts as well as the output. Please note, the output information is not in the respective order of the configs; I am simply trying to provide as much information as possible. Additionally, I have replaced the hash values with arbitrary values, as I am not familiar with the platform's guidelines.
config 1
network={
ssid="lkpop1"
scan_ssid=1
key_mgmt=WPA-EAP
identity="user1"
password="password123!"
eap=PEAP
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
config 2
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
#country=US
network={
ssid="lkpop1"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="user1"
password=hash:8119935c5f7fa5f57135620c8073aaca
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
config 3
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
#country=US
network={
ssid="lkpop1"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="user1"
password="password123!"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
config 4
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
#country=US
network={
ssid="lkpop1"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="user1"
ca_cert="/etc/cert/ca.pem"
password="password123!"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
config 5
network={
ssid="lkpop1"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="user1"
password=hash:8119935c5f7fa5f57135620c8073aaca
ca_cert="/etc/cert/ca.pem"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
output 1
WPA_SUPPLICANT output
wpa_supplicant -i wl0 -Dnl80211 -c wpa_supplicant.conf
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
wl0: SME: Trying to authenticate with 00:11:00:be:02:09 (SSID='lkpop1' freq=2452 MHz)
wl0: Trying to associate with 00:11:00:be:02:09 (SSID='lkpop1' freq=2452 MHz)
wl0: Associated with 00:11:00:be:02:09
wl0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wl0: CTRL-EVENT-EAP-STARTED EAP authentication started
wl0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wl0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wl0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=GB/ST=lk/L=hs/O=pk/emailAddress=ca#lkpop1.localdomain/CN=ak Certificate Authority' hash=6d7acb97ebc3d10f265bc9e0cb79ce2f915eb1d78fc9bb9318ca74a30ce67856
wl0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=GB/ST=lk/L=hs/O=pk/emailAddress=ca#lkpop1.localdomain/CN=ak Certificate Authority' hash=6d7acb97ebc3d10f265bc9e0cb79ce2f915eb1d78fc9bb9318ca74a30ce67856
wl0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/ST=lk/O=pk/CN=ak Wi-Fi Radius/emailAddress=wifi-admin#lkpop1.localdomain' hash=6d7acb97ebc3d10f265bc9e0cb79ce2f915eb1d78fc9bb9318ca74a30ce67856
wl0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wl0: CTRL-EVENT-DISCONNECTED bssid=00:11:00:be:02:09 reason=23
wl0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="lkpop1" auth_failures=1 duration=10 reason=AUTH_FAILED
nl80211: Failed to open /proc/sys/net/ipv4/conf/wl0/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
^Cnl80211: deinit ifname=p2p-dev-wl0 disabled_11b_rates=0
p2p-dev-wl0: CTRL-EVENT-TERMINATING
nl80211: Failed to open /proc/sys/net/ipv4/conf/wl0/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
nl80211: Failed to open /proc/sys/net/ipv4/conf/wl0/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
nl80211: deinit ifname=wl0 disabled_11b_rates=0
wl0: CTRL-EVENT-TERMINATING
output 2
wpa_supplicant -Dnl80211 -i wl1 -c wpa_supplicant.conf
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
nl80211: Could not set interface 'p2p-dev-wl1' UP
nl80211: deinit ifname=p2p-dev-wl1 disabled_11b_rates=0
p2p-dev-wl1: Failed to initialize driver interface
P2P: Failed to enable P2P Device interface
wl1: SME: Trying to authenticate with 00:11:00:be:02:09 (SSID='lkpop1 ' freq=2452 MHz)
wl1: Trying to associate with 00:11:00:be:02:09 (SSID='lkpop1 ' freq=2452 MHz)
wl1: Associated with 00:11:00:be:02:09
wl1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wl1: CTRL-EVENT-EAP-STARTED EAP authentication started
wl1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wl1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wl1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=GB/ST=lk/L=hs/O=pk/emailAddress=ca#pk.localdomain/CN=pk Certificate Authority' hash=9a1a24894acb1f183e9b290583b9ac48ce94ede298f897197b9c94b9db8eb255
wl1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=GB/ST=lk/L=hs/O=pk/emailAddress=ca#pk.localdomain/CN=pk Certificate Authority' hash=9a1a24894acb1f183e9b290583b9ac48ce94ede298f897197b9c94b9db8eb255
wl1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/ST=lk/O=pk/CN=pk Wi-Fi Radius/emailAddress=wifi-admin#pk.localdomain' hash=9a1a24894acb1f183e9b290583b9ac48ce94ede298f897197b9c94b9db8eb255
wl1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wl1: CTRL-EVENT-DISCONNECTED bssid=00:11:00:be:02:09 reason=23
wl1: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="lkpop1 " auth_failures=1 duration=10 reason=AUTH_FAILED
nl80211: Failed to open /proc/sys/net/ipv4/conf/wl1/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
^Cnl80211: Failed to open /proc/sys/net/ipv4/conf/wl1/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
nl80211: Failed to open /proc/sys/net/ipv4/conf/wl1/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
nl80211: deinit ifname=wl1 disabled_11b_rates=0
wl1: CTRL-EVENT-TERMINATING
output 3
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
nl80211: Could not set interface 'p2p-dev-wl1' UP
nl80211: deinit ifname=p2p-dev-wl1 disabled_11b_rates=0
p2p-dev-wl1: Failed to initialize driver interface
P2P: Failed to enable P2P Device interface
wl1: SME: Trying to authenticate with 00:11:00:be:02:09 (SSID='lkpop1 ' freq=2452 MHz)
wl1: Trying to associate with 00:11:00:be:02:09 (SSID='lkpop1 ' freq=2452 MHz)
wl1: Associated with 00:11:00:be:02:09
wl1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wl1: CTRL-EVENT-EAP-STARTED EAP authentication started
wl1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wl1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wl1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=GB/ST=lk/L=hs/O=pk/emailAddress=ca#pk.localdomain/CN=pk Certificate Authority' hash=9a1a24894acb1f183e9b290583b9ac48ce94ede298f897197b9c94b9db8eb255
wl1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/ST=lk/O=pk/CN=pk Wi-Fi Radius/emailAddress=wifi-admin#pk.localdomain' hash=9a1a24894acb1f183e9b290583b9ac48ce94ede298f897197b9c94b9db8eb255
TLS: Certificate verification failed, error 7 (certificate signature failure) depth 0 for '/C=GB/ST=lk/O=pk/CN=pk Wi-Fi Radius/emailAddress=wifi-admin#pk.localdomain'
wl1: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=GB/ST=lk/O=pk/CN=pk Wi-Fi Radius/emailAddress=wifi-admin#pk.localdomain' err='certificate signature failure'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
OpenSSL: openssl_handshake - SSL_connect error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding
OpenSSL: pending error: error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed
OpenSSL: pending error: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
OpenSSL: pending error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
wl1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wl1: CTRL-EVENT-DISCONNECTED bssid=00:11:00:be:02:09 reason=23
wl1: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="lkpop1 " auth_failures=1 duration=10 reason=AUTH_FAILED
nl80211: Failed to open /proc/sys/net/ipv4/conf/wl1/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
^Cnl80211: Failed to open /proc/sys/net/ipv4/conf/wl1/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
nl80211: Failed to open /proc/sys/net/ipv4/conf/wl1/drop_unicast_in_l2_multicast: Read-only file system
nl80211: Failed to set IPv4 unicast in multicast filter
nl80211: deinit ifname=wl1 disabled_11b_rates=0
wl1: CTRL-EVENT-TERMINATING
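To see where an attempt like the ones above stops, here is an added example (not from the question or from the wpa_supplicant project) that reads a network block and a slice of the control-event log. It flags a PEAP block with no ca_cert, because wpa_supplicant then skips server-certificate validation and runs the inner MSCHAPv2 exchange with whatever server answers for that SSID, and it tells a phase-1 rejection (CTRL-EVENT-EAP-TLS-CERT-ERROR, as in output 3) apart from a failure after the tunnel is up (outputs 1 and 2). The sample config and log lines are constructed from the question.

```python
import re

# Constructed sample input (not a real capture): config 3 from the question, with
# the trailing space the later logs show in SSID='lkpop1 ', and lines from output 3.
SAMPLE_CONF = """\
network={
ssid="lkpop1 "
key_mgmt=WPA-EAP
eap=PEAP
identity="user1"
password="password123!"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
"""
SAMPLE_LOG = """\
wl1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wl1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=pk/CN=pk Certificate Authority' hash=9a1a
wl1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/O=pk/CN=pk Wi-Fi Radius' hash=9a1a
wl1: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/O=pk/CN=pk Wi-Fi Radius' err='certificate signature failure'
wl1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

def parse_network_block(conf):
    """Return the key=value settings of the first network={...} block ({} if none)."""
    m = re.search(r"network=\{(.*?)\}", conf, re.S)
    settings = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def lint_network(settings):
    """Flag settings that leave the RADIUS server unverified or that cannot match."""
    findings = []
    if settings.get("eap") == "PEAP" and "ca_cert" not in settings:
        findings.append("no ca_cert: server certificate is not verified, so the "
                        "MSCHAPv2 exchange runs against any server using this SSID")
    ssid = settings.get("ssid", "")
    if len(ssid) > 1 and ssid[0] == ssid[-1] == '"' and ssid[1:-1] != ssid[1:-1].strip():
        findings.append("ssid has whitespace inside the quotes: %s" % ssid)
    pw = settings.get("password", "")
    if pw.startswith("hash:") and not re.fullmatch(r"[0-9a-fA-F]{32}", pw[5:]):
        findings.append("password=hash: expects the 16-byte NT hash as 32 hex digits")
    return findings

def classify_log(log):
    """Report EAP method, the chain the server presented, and the failing stage."""
    method, chain, cert_error, failed = None, [], None, False
    for line in log.splitlines():
        if "CTRL-EVENT-EAP-METHOD" in line:
            m = re.search(r"\((\w+)\) selected", line)
            method = m.group(1) if m else None
        elif "CTRL-EVENT-EAP-PEER-CERT" in line:
            m = re.search(r"depth=(\d+) subject='([^']*)'", line)
            if m: chain.append((int(m.group(1)), m.group(2)))
        elif "CTRL-EVENT-EAP-TLS-CERT-ERROR" in line:
            m = re.search(r"err='([^']*)'", line)
            cert_error = m.group(1) if m else "unknown"
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            failed = True
    stage = "ok"
    if cert_error:  # client refused the server chain before any credential was sent
        stage = "phase1: client rejected the server chain (%s)" % cert_error
    elif failed:    # no client-side rejection; inner MSCHAPv2 or server policy failed
        stage = "after phase1: chain not rejected by the client; inner auth or server policy failed"
    return {"method": method, "chain": chain, "cert_error": cert_error, "stage": stage}
```

Run `lint_network(parse_network_block(SAMPLE_CONF))` and `classify_log(SAMPLE_LOG)["stage"]` to reproduce the two problems visible in the question: a block with no CA anchor and a server chain the configured ca.pem does not sign.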

Related

FreeRADIUS - Google Secure LDAP - "Failed setting connection option new TLS context: Unknown error"

I'm new to FreeRADIUS and Google Secure LDAP, but I'm trying to set it up so we can use it via ZoneDirector for BYOD wifi authentication.
I've followed guides from Google and from within config files that came with FreeRADIUS, and I think I'm close, but when I try to start my server I get the following error:
rlm_ldap (ldap_google): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap_google): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap_google): Failed setting connection option new TLS context: Unknown error
rlm_ldap (ldap_google): Opening connection failed (0)
rlm_ldap (ldap_google): Removing connection pool
/etc/freeradius/3.0/mods-enabled/ldap_goolge[59]: Instantation failed for module "ldap_google"
I haven't been able to find any info on this error, so any pointers would be appreciated.

Mulesoft - SFTP Connection reset

Trying to connect to an Azure SFTP results in a "connection reset"; the same happens when using the "list" operation in a Mule application as well as when simply using the "test connection" button in the connector.
Credentials are fine and the server is perfectly accessible with different FTP clients.
Maybe you have an idea or can make more than I can from the DEBUG log:
DEBUG org.mule.extension.sftp.internal.connection.SftpConnectionProvider: Connecting to host: 'xyz.blob.core.windows.net' at port: '22'
DEBUG com.jcraft.jsch: Connecting to xyz.blob.core.windows.net port 22
DEBUG com.jcraft.jsch: Connection established
DEBUG com.jcraft.jsch: Remote version string: SSH-2.0-AzureSSH_1.0.0
DEBUG com.jcraft.jsch: Local version string: SSH-2.0-JSCH-0.1.54
DEBUG com.jcraft.jsch: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
DEBUG com.jcraft.jsch: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
DEBUG com.jcraft.jsch: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
DEBUG com.jcraft.jsch: SSH_MSG_KEXINIT sent
DEBUG com.jcraft.jsch: Disconnecting from xyz.blob.core.windows.net port 22
ERROR org.mule.extension.sftp.internal.connection.SftpConnectionProvider: Session.connect: java.net.SocketException: Connection reset
com.jcraft.jsch.JSchException: Session.connect: java.net.SocketException: Connection reset
The issue can happen if the preferred authentication method is missing in the SFTP configuration with the identity file specified, and the target SFTP server is only enabled for SSH key based authentication.
<sftp:connection host="${sftp.host}" port="${sftp.port}" username="${sftp.username}" passphrase="${sftp.passphrase}" preferredAuthenticationMethods="#[['PUBLIC_KEY']]" identityFile="${sftp.identityfile}" connectionTimeout="${sftp.connectionTimeout}" responseTimeout="${ftp.responseTimeout}">
</sftp:connection>
There is a known issue with connection to Azure SFTP using JSCH. See this post.

Hyperledger Fabric - Peer unable to connect to (raft) Orderer with Mutual TLS

I am running HLF on Kubernetes (3 raft orderers & 2 peers).
Now, as raft requires mutual TLS, I had to set up some certificates.
The 3 raft orderers are able to communicate with each other, as they are electing a leader, and re-electing another leader when I bring that leader down.
When I set up the peer, I used the same CA to generate the certificates. I am able to create the channel & join it from the peer. However, I have to run CORE_PEER_MSPCONFIGPATH=$ADMIN_MSP_PATH prior to those commands, otherwise I get an Access Denied error.
I am also forced to append the following flags to every peer channel x command I run:
--tls --cafile $ORD_TLS_PATH/cacert.pem --certfile $CORE_PEER_TLS_CLIENTCERT_FILE --keyfile $CORE_PEER_TLS_CLIENTKEY_FILE --clientauth
I am able to create, fetch and join the channel using the admin MSP.
Now, once the channel is joined, the peer is unable to connect to the orderer; somehow a bad certificate is given.
Orderer Logs
A bad certificate is used?
2019-08-15 16:07:55.699 UTC [core.comm] ServerHandshake -> ERRO 221 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.130.2.148:53922
2019-08-15 16:07:55.699 UTC [grpc] handleRawConn -> DEBU 222 grpc: Server.Serve failed to complete security handshake from "10.130.2.148:53922": remote error: tls: bad certificate
Peer Logs
These suggest that it could not validate it with the ca.crt?
2019-08-15 16:10:17.990 UTC [grpc] DialContext -> DEBU 03a parsed scheme: ""
2019-08-15 16:10:17.990 UTC [grpc] DialContext -> DEBU 03b scheme "" not registered, fallback to default scheme
2019-08-15 16:10:17.991 UTC [grpc] watcher -> DEBU 03c ccResolverWrapper: sending new addresses to cc: [{orderer-2.hlf-orderers.svc.cluster.local:7050 0 <nil>}]
2019-08-15 16:10:17.991 UTC [grpc] switchBalancer -> DEBU 03d ClientConn switching balancer to "pick_first"
2019-08-15 16:10:17.991 UTC [grpc] HandleSubConnStateChange -> DEBU 03e pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, CONNECTING
2019-08-15 16:10:18.009 UTC [grpc] createTransport -> DEBU 03f grpc: addrConn.createTransport failed to connect to {orderer-2.hlf-orderers.svc.cluster.local:7050 0 <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
2019-08-15 16:10:18.012 UTC [grpc] HandleSubConnStateChange -> DEBU 040 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, TRANSIENT_FAILURE
2019-08-15 16:10:18.991 UTC [grpc] HandleSubConnStateChange -> DEBU 041 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, CONNECTING
2019-08-15 16:10:19.003 UTC [grpc] createTransport -> DEBU 042 grpc: addrConn.createTransport failed to connect to {orderer-2.hlf-orderers.svc.cluster.local:7050 0 <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
2019-08-15 16:10:19.003 UTC [grpc] HandleSubConnStateChange -> DEBU 043 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, TRANSIENT_FAILURE
2019-08-15 16:10:20.719 UTC [grpc] HandleSubConnStateChange -> DEBU 044 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, CONNECTING
2019-08-15 16:10:20.731 UTC [grpc] createTransport -> DEBU 045 grpc: addrConn.createTransport failed to connect to {orderer-2.hlf-orderers.svc.cluster.local:7050 0 <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
2019-08-15 16:10:20.733 UTC [grpc] HandleSubConnStateChange -> DEBU 046 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, TRANSIENT_FAILURE
2019-08-15 16:10:20.990 UTC [ConnProducer] NewConnection -> ERRO 047 Failed connecting to {orderer-2.hlf-orderers.svc.cluster.local:7050 [OrdererMSP]} , error: context deadline exceeded
I generated the certificates used as follows:
Orderer Admin
fabric-ca-client enroll -u https://u:p@ca.example.com -M ./OrdererMSP
Orderer Node X
As I use the same certificates for TLS, I added the hosts used here for TLS purposes:
orderer-x.hlf-orderers.svc.cluster.local #kubernetes
orderer-x.hlf-orderers #kubernetes
orderer-x #kubernetes
localhost #local debug
fabric-ca-client enroll -m orderer-x \
-u https://ox:px@ca.example.com \
--csr.hosts orderer-x.hlf-orderers.svc.cluster.local,orderer-x.hlf-orderers,orderer-x,localhost \
-M orderer-x-MSP
Peer Admin
fabric-ca-client enroll -u https://u:p@ca.example.com -M ./PeerMSP
Peer Node X
fabric-ca-client enroll -m peer-x \
-u https://ox:px@ca.example.com \
--csr.hosts peer-x.hlf-peers.svc.cluster.local,peer-x.hlf-peers,peer-x,localhost \
-M peer-x-MSP
Now all of these have the same ca.crt (/cacerts/ca.example.com.pem).
configtx.yaml
Orderer:
  <<: *OrdererDefaults
  OrdererType: etcdraft
  EtcdRaft:
    Consenters:
      - Host: orderer-1.hlf-orderers.svc.cluster.local
        Port: 7050
        ClientTLSCert: orderer-1-MSP/signcerts/cert.pem
        ServerTLSCert: orderer-1-MSP/signcerts/cert.pem
      - Host: orderer-2.hlf-orderers.svc.cluster.local
        Port: 7050
        ClientTLSCert: orderer-2-MSP/signcerts/cert.pem
        ServerTLSCert: orderer-2-MSP/signcerts/cert.pem
      - Host: orderer-3.hlf-orderers.svc.cluster.local
        Port: 7050
        ClientTLSCert: orderer-3-MSP/signcerts/cert.pem
        ServerTLSCert: orderer-3-MSP/signcerts/cert.pem
  Addresses:
    - orderer-1.hlf-orderers.svc.cluster.local:7050
    - orderer-2.hlf-orderers.svc.cluster.local:7050
    - orderer-3.hlf-orderers.svc.cluster.local:7050
I have checked multiple times that the correct certificates are mounted in the correct places and configured.
On the peer side I made sure that:
CORE_PEER_TLS_CLIENTROOTCAS_FILES is set correctly and that the (correct) file gets mounted (CORE_PEER_TLS_CLIENTROOTCAS_FILES: "/var/hyperledger/tls/client/cert/ca.crt")
Idem for CORE_PEER_TLS_CLIENTKEY_FILE & CORE_PEER_TLS_CLIENTCERT_FILE
CORE_PEER_TLS_CLIENTAUTHREQUIRED is set to true
On the orderer side I made sure that:
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED is set to true
ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE is set correctly
ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY is set correctly
ORDERER_GENERAL_TLS_CLIENTROOTCAS is set correctly
It seems strange to me that the orderers are able to talk to each other (as they are electing leaders), but that the peer is not able to do so.
So it appears that the tlscacerts should be in the MSP directory(ies) PRIOR to creating the genesis / channel block. Simply mounting them in the pod at runtime is not enough.
My msp directories (used in configtx.yaml) look like:
admincerts
tlscacerts
cacerts
...
After this it all started to work.
It seems like you have got the error below:
E0923 16:30:14.963567129 31166 ssl_transport_security.cc:989] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0923 16:30:15.964456710 31166 ssl_transport_security.cc:188] ssl_info_callback: error occured.
According to your details, all seems to be correct.
However, check below:
certificate signed by unknown authority -> This makes me doubt your certificate mapping a bit.
MAKE SURE
PEER:
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/tls/server.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/data/maersksea-rca-maersksea-chain.pem
CORE_PEER_TLS_CLIENTCERT_FILE=/data/tls/maersksea-peer-maersksea-client.crt
CORE_PEER_TLS_CLIENTKEY_FILE=/data/tls/maersksea-peer-maersksea-client.key
CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
CORE_PEER_TLS_CLIENTROOTCAS_FILES=/data/maersksea-rca-maersksea-chain.pem
Orderer:
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
ORDERER_GENERAL_TLS_CLIENTROOTCAS=[/data/maersksea-rca-maersksea-chain.pem]

Kafka inter broker SSL handshake failed

I am trying to setup inter-broker SSL (not client) authentication and keep seeing the following errors:
[2019-05-17 06:33:47,151] INFO [Controller id=1004, targetBrokerId=1004] Failed authentication with /$IP (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2019-05-17 06:33:47,151] INFO [SocketServer brokerId=1004] Failed authentication with /$IP (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2019-05-17 06:33:47,151] ERROR [Controller id=1004, targetBrokerId=1004] Connection to node 1004 (/$IP:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
My server.properties is:
listeners=PLAINTEXT://$IP:9092,SSL://$IP:9093
security.inter.broker.protocol=SSL
ssl.truststore.password=$PASS
ssl.keystore.password=$PASS
ssl.key.password=$PASS
ssl.endpoint.identification.algorithm=""
ssl.keystore.location=/etc/kafka/kafka.server.keystore.jks
ssl.truststore.location=/etc/kafka/kafka.server.truststore.jks
When I run `openssl s_client -debug -connect $IP:9093 -tls1` I get back a list of certificates and `Secure Renegotiation IS supported`
Despite adding `-Djavax.net.debug=all` there's not anything in the logs which points to the problem.
Kafka version 2.2
Any ideas?
I had incorrectly set the value to ssl.endpoint.identification.algorithm="" instead of ssl.endpoint.identification.algorithm=; this fixed it.
This value was changed in 2.2 to default to https, so setting it to nothing worked.
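As an added illustration of why the two spellings behave differently (this is not the poster's code): java.util.Properties keeps quote characters as part of the value, so `=""` sets the algorithm to the two-character string `""` rather than to nothing, and JSSE rejects the handshake because that is not an identification algorithm it knows. The parser below mimics that rule and classifies the setting; the sample properties are constructed from the question, and the listener check assumes the default listener-name-to-protocol mapping.

```python
# Constructed samples (not the poster's real file): the broker settings from the
# question, with the algorithm value as posted and as corrected in the answer.
BROKER_PROPS = """\
listeners=PLAINTEXT://10.0.0.5:9092,SSL://10.0.0.5:9093
security.inter.broker.protocol=SSL
ssl.keystore.location=/etc/kafka/kafka.server.keystore.jks
ssl.truststore.location=/etc/kafka/kafka.server.truststore.jks
"""
AS_POSTED = 'ssl.endpoint.identification.algorithm=""\n'
AS_FIXED = 'ssl.endpoint.identification.algorithm=\n'

def load_properties(text):
    """Read key/value lines the way java.util.Properties does: the key ends at
    the first '=', ':' or whitespace, surrounding whitespace is trimmed, and
    quote characters stay part of the value (no unquoting). Backslash escapes
    and line continuations are deliberately not handled here."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:" or ch.isspace():
                key, value = line[:i], line[i + 1:].lstrip()
                # "key = value": one separator may follow the whitespace
                if ch.isspace() and value and value[0] in "=:":
                    value = value[1:].lstrip()
                break
        else:
            key, value = line, ""
        props[key] = value
    return props

def hostname_verification(props):
    """Classify ssl.endpoint.identification.algorithm as Kafka >= 2.0 treats it."""
    algo = props.get("ssl.endpoint.identification.algorithm")
    if algo is None:
        return "default https: peer hostname is checked against its certificate"
    if algo == "":
        return "empty: hostname verification disabled; chain is still checked against the truststore"
    if algo.strip('"') == "":
        return "literal %s: not an identification algorithm, so JSSE fails the handshake" % algo
    return "explicit: " + algo

def inter_broker_listener_ok(props):
    """The inter-broker protocol must match one of the configured listeners
    (assumes listener names equal their security protocol, the default map)."""
    proto = props.get("security.inter.broker.protocol", "PLAINTEXT")
    names = [l.split("://", 1)[0] for l in props.get("listeners", "").split(",") if l]
    return proto in names
```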

java.net.ConnectException: JBAS012144: Could not connect to remote://nnn.nn.nn.88:9999. The connection timed out

I am trying to run a JBoss instance in domain mode. While I do that I am getting the following issue:
[Host Controller] 12:45:56,535 WARN [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://nnn.nn.nn.88:9999 -- java.net.ConnectException: JBAS012144: Could not connect to remote://nnn.nn.nn.88:9999. The connection timed out
I ran two JBoss instances in domain mode after configuring:
First JBoss instance->
./domain.sh -b nnn.nn.nn.88 -Djboss.bind.address.management=nnn.nn.nn.88
Second JBoss Instance ->
./domain.sh -b nnn.nn.nn.89 -Djboss.domain.master.address=nnn.nn.nn.88 --host-config=host-slave.xml
nnn.nn.nn.88 host.xml configuration is as follows:
<domain-controller>
<local/>
</domain-controller>
nnn.nn.nn.89 host-slave.xml configuration is as follows:
<domain-controller>
<remote host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
</domain-controller>
I am able to telnet to port 9999 on host nnn.nn.nn.88 from 89, as I configured it by removing the loopback IP for the public & management ports. Although, is it the implication that <domain-controller> has <local/>?
Please help me solve this issue. JDK version is JDK 7 Update 80, EAP 6.3.
In the HC host.xml, and if we use --host-config=host-slave.xml, that particular XML has to be connected with the DC under the <domain-controller> node.
jboss.domain.master.address should be the Domain Controller address nnn.nn.nn.88.
<domain-controller>
<remote host="${jboss.domain.master.address:nnn.nn.nn.88}" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
</domain-controller>
As per the solution article from Red Hat:
https://access.redhat.com/solutions/218053#
I ran the following command for the same configuration which I had while posting this question, and I succeeded.
DC->
./domain.sh -b my-host-ip1 -bmanagement my-host-ip1
HC->
./domain.sh -Djboss.domain.master.address=my-host-ip1 -b my-host-ip2 -bmanagement my-host-ip2
Although, does this way of configuring give clustering capability to the DC and HCs? I had raised the same question to Red Hat on the same solution article. The answer must be yes, I hope.
https://access.redhat.com/solutions/218053#comment-975683