https://community.cloudera.com/t5/Support-Questions/Problem-configuring-SSL-secure-connection-in-Kafka-using/m-p/81304#M37459 <P>&nbsp;</P><P>Hi&nbsp; People</P><P>&nbsp;</P><P>I am trying to make a secure communication between a producer and a consumer in Kafka (1.0.1)</P><P>by enabling the SSL protocol, however after the generation of the certificates and configure</P><P>the server.properties file through the Cloudera Manager(Version 5.13.0 and S.O Centos 6), when</P><P>I made the connection test using the openssl s_client -debug -connect localhost:9093 -tls1</P><P>&nbsp;</P><P>I have the following error, someone can help me</P><P>&nbsp;</P><P>CONNECTED(00000003)</P><P>write to 0x1a9e670 [0x1ae9713] (155 bytes =&gt; 155 (0x9B))</P><P>0000 - 16 03 01 00 96 01 00 00-92 03 01 5b c6 7c 3d 62&nbsp; &nbsp;...........[.|=b</P><P>0010 - 53 b1 25 75 34 88 fd 60-7a 41 93 51 68 3a 63 d5&nbsp; &nbsp;S.%u4..`zA.Qh:c.</P><P>0020 - 57 14 37 6e 78 bd bc 38-e4 d7 ef 00 00 4c c0 14&nbsp; &nbsp;W.7nx..8.....L..</P><P>0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35&nbsp; &nbsp;...9.8.........5</P><P>0040 - 00 84 c0 13 c0 09 00 33-00 32 c0 12 c0 08 00 9a&nbsp; &nbsp;.......3.2......</P><P>0050 - 00 99 00 45 00 44 00 16-00 13 c0 0e c0 04 c0 0d&nbsp; &nbsp;...E.D..........</P><P>0060 - c0 03 00 2f 00 96 00 41-00 0a 00 07 c0 11 c0 07&nbsp; &nbsp;.../...A........</P><P>0070 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 1d 00 0b&nbsp; &nbsp;................</P><P>0080 - 00 04 03 00 01 02 00 0a-00 08 00 06 00 19 00 18&nbsp; &nbsp;................</P><P>0090 - 00 17 00 23 00 00 00 0f-00 01 01&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ...#.......</P><P>read from 0x1a9e670 [0x1ae51c3] (5 bytes =&gt; 5 (0x5))</P><P>0005 - &lt;SPACES/NULS&gt;</P><P>write to 0x1a9e670 [0x1aeebe0] (7 bytes =&gt; 7 (0x7))</P><P>0000 - 15 03 01 00 02 02 46&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ......F</P><P>140660245464904:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:</P><P>---</P><P>no peer certificate available</P><P>---</P><P>No client certificate CA names sent</P><P>---</P><P>SSL handshake has read 5 bytes and written 7 bytes</P><P>---</P><P>New, (NONE), Cipher is (NONE)</P><P>Secure Renegotiation IS NOT supported</P><P>Compression: NONE</P><P>Expansion: NONE</P><P>SSL-Session:</P><P>Protocol&nbsp; : TLSv1</P><P>Cipher&nbsp; &nbsp; : 0000</P><P>Session-ID:</P><P>Session-ID-ctx:</P><P>Master-Key:</P><P>Key-Arg&nbsp; &nbsp;: None</P><P>Krb5 Principal: None</P><P>PSK identity: None</P><P>PSK identity hint: None</P><P>Start Time: 1539734589</P><P>Timeout&nbsp; &nbsp;: 7200 (sec)</P><P>Verify return code: 0 (ok)</P><P>---</P><P>Additionally my logs says</P><P>&nbsp;</P><P>2018-10-11 12:38:16,510 WARN org.apache.kafka.common.network.SslTransportLayer: Failed to send SSL Close message</P><P>java.io.IOException: Connection reset by peer</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at<SPAN>&nbsp;</SPAN><A href="https://sun.nio.ch/" target="_blank" rel="noopener noreferrer">sun.nio.ch</A>.FileDispatcherImpl.write0(Native Method)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at<SPAN>&nbsp;</SPAN><A href="https://sun.nio.ch/" target="_blank" rel="noopener noreferrer">sun.nio.ch</A>.SocketDispatcher.write(SocketDispatcher.java:47)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at<SPAN>&nbsp;</SPAN><A href="https://sun.nio.ch/" target="_blank" rel="noopener noreferrer">sun.nio.ch</A>.IOUtil.writeFromNativeBuffer(IOUtil.java:93)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at<SPAN>&nbsp;</SPAN><A href="https://sun.nio.ch/" target="_blank" rel="noopener noreferrer">sun.nio.ch</A>.IOUtil.write(IOUtil.java:65)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at<SPAN>&nbsp;</SPAN><A href="https://sun.nio.ch/" target="_blank" rel="noopener noreferrer">sun.nio.ch</A>.SocketChannelImpl.write(SocketChannelImpl.java:487)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:212)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:175)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at org.apache.kafka.common.utils.Utils.closeAll(Utils.java:703)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:61)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at org.apache.kafka.common.network.Selector.doClose(Selector.java:739)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at org.apache.kafka.common.network.Selector.close(Selector.java:727)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:520)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at org.apache.kafka.common.network.Selector.poll(Selector.java:412)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at kafka.network.Processor.poll(SocketServer.scala:551)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at<SPAN>&nbsp;</SPAN><A href="https://kafka.network.processor.run/" target="_blank" rel="noopener noreferrer">kafka.network.Processor.run</A>(SocketServer.scala:468)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; at<SPAN>&nbsp;</SPAN><A href="https://java.lang.thread.run/" target="_blank" rel="noopener noreferrer">java.lang.Thread.run</A>(Thread.java:745)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>PROCEDURE TO MAKE THE CERTIFICATES</P><P>&nbsp;</P><P>CERTIFICATION AUTHORITY</P><P>=======================</P><P>openssl req -new -newkey rsa:4096 -days 365 -x509 -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes</P><P>openssl req -new -newkey rsa:4096 -days 365 -x509 -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes</P><P>&nbsp;</P><P>CREATING SERVER CERTIFICATE</P><P>===========================</P><P>Using my hostname (quickstart.cloudera)</P><P>&nbsp;</P><P>keytool -genkey -keystore kafka.server.keystore.jks -validity 365 -storepass $SRVPASS -keypass $SRVPASS&nbsp; -dname "CN=quickstart.cloudera" -storetype pkcs12</P><P>&nbsp;</P><P>CREATE A CERTIFICATION REQUEST FILE</P><P>===================================</P><P>keytool -keystore kafka.server.keystore.jks -certreq -file cert-file -storepass $SRVPASS -keypass $SRVPASS</P><P>openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:$SRVPASS</P><P>&nbsp;</P><P>CHECK CERTIFICATES</P><P>===================</P><P>keytool -printcert -v -file cert-signed</P><P>keytool -list -v -keystore kafka.server.keystore.jks</P><P>&nbsp;</P><P>keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt</P><P>&nbsp;</P><P>IMPORT CA AND THE SIGNED SERVER CERTIFICATE INTO KEYSTORE</P><P>=========================================================</P><P>keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt</P><P>keytool -keystore kafka.server.keystore.jks -import -file cert-signed -storepass $SRVPASS -keypass $SRVPASS -noprompt</P><P>&nbsp;</P><P>keytool -keystore kafka.client.keystore.jks -alias localhost -certreq -file cert-file</P><P>openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days $VALIDITY -CAcreateserial -passin pass:$PASSWORD</P><P>&nbsp;</P><P>keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert</P><P>keytool -keystore kafka.client.keystore.jks -alias localhost -import -file cert-signed</P><P>&nbsp;</P><P>////////////////////////////</P><P>&nbsp;</P><P>KAFKA SERVER PROPERTIES</P><P>listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093</P><P>ssl.keystore.location=/var/private/ssl-new-5/kafka.server.keystore.jks</P><P>ssl.keystore.password=XXXXXX</P><P>ssl.key.password=XXXXXX</P><P>ssl.truststore.location=/var/private/ssl-new-5/kafka.server.truststore.jks</P><P>ssl.truststore.password=XXXXXXX</P><P>&nbsp;</P><P>offsets.topic.replication.factor=1</P><P>transaction.state.log.replication.factor=1</P><P>transaction.state.log.min.isr=1</P><P>&nbsp;</P><P>I appreciate any help to solve this problem</P> Fri, 16 Sep 2022 13:49:12 GMT JuanPa 2022-09-16T13:49:12Z