I see that ZooKeeper 3.5.5 offers the option of passing in .pem files to set up TLS encryption. I have a server certificate.pem and privatekey.pem generated with openssl, and I set up the ZooKeeper configuration as follows:
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
initLimit=5
syncLimit=2
server.1=10.247.246.3:2888:3888
server.2=10.247.246.4:2888:3888
server.3=10.247.246.5:2888:3888
sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=/tmp/zoo/apache-zookeeper-3.5.7-bin/bin/certs/test/certWithPrivateKey.pem
ssl.quorum.keyStore.password=********
ssl.quorum.trustStore.location=/path/to/ca/ca-cert.pem
ssl.quorum.trustStore.password=******
ssl.hostnameVerification=false
ssl.quorum.hostnameVerification=false
ssl.keyStore.type=PEM
ssl.quorum.keyStore.type=PEM
ssl.trustStore.type=PEM
ssl.quorum.trustStore.type=PEM
But when I start ZooKeeper I get this error:
org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:350)
at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:282)
at org.apache.zookeeper.common.X509Util.getDefaultSSLContextAndOptions(X509Util.java:262)
at org.apache.zookeeper.common.X509Util.createSSLSocket(X509Util.java:517)
at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:672)
at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:748)
at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectAll(QuorumCnxManager.java:776)
at org.apache.zookeeper.server.quorum.FastLeaderElection.lookForLeader(FastLeaderElection.java:958)
at org.apache.zookeeper.server.quorum.QuorumPeer.run(QuorumPeer.java:1425)
Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.io.IOException: overrun, bytes = 111
at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:447)
at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:348)
... 9 more
Caused by: java.io.IOException: overrun, bytes = 111
at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
at org.apache.zookeeper.util.PemReader.loadPrivateKey(PemReader.java:154)
at org.apache.zookeeper.util.PemReader.loadPrivateKey(PemReader.java:142)
at org.apache.zookeeper.util.PemReader.loadKeyStore(PemReader.java:103)
at org.apache.zookeeper.common.PEMFileLoader.loadKeyStore(PEMFileLoader.java:50)
at org.apache.zookeeper.common.X509Util.loadKeyStore(X509Util.java:400)
at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:436)
Note: I checked the ZooKeeper source code, PemReader.java, since that code expects the key and the certificate to be in one PEM file. I created certWithPrivate.pem by concatenating certificate.pem and privatekey.pem (cat certificate.pem privatekey.pem > certWithPrivate.pem).
Any ideas?
The private key was not encrypted; removing the passwords (ssl.quorum.keyStore.password and ssl.quorum.trustStore.password) made it work.
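The stack trace above shows why the password matters: whenever a keyStore password is configured, PemReader.loadPrivateKey hands the key bytes to javax.crypto.EncryptedPrivateKeyInfo, which parses the PKCS#8 EncryptedPrivateKeyInfo structure ("BEGIN ENCRYPTED PRIVATE KEY"). Feeding it an unencrypted "BEGIN PRIVATE KEY" block fails during DER parsing, which is consistent with the "overrun" error in the question. So the two consistent configurations are: an unencrypted key with no ssl.quorum.keyStore.password line at all, or a PKCS#8-encrypted key with the password set. The script below is an added example, not code from the question, the answer or the ZooKeeper project: it builds both kinds of bundle with openssl (when installed), classifies a bundle by its PEM headers, and emits the matching ssl.quorum.keyStore.* lines. The file names, the CN zk1.example, the password "changeit" and the choice of PBE-SHA1-3DES for the encrypted variant are assumptions made for the demo (that algorithm was picked because the JDK's SunJCE provider accepts it by name; verify the JDK you run ZooKeeper on accepts whatever PBE scheme you choose).

```shell
#!/bin/sh
# Added example (not from the original question or from ZooKeeper itself):
# build the one-file PEM bundle that ssl.quorum.keyStore.location expects and
# decide from its headers whether ssl.quorum.keyStore.password must be set.
# File names, CN, password and PBE algorithm below are assumptions for the demo.

set -u

# Classify the private key block inside a PEM bundle:
#   encrypted -> PKCS#8 EncryptedPrivateKeyInfo, keyStore.password required
#   plain     -> unencrypted key, keyStore.password must be left unset
#   none      -> no private key block at all (a CA bundle, or a broken bundle)
pem_key_kind() {
  if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
    echo encrypted
  elif grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
    echo plain
  else
    echo none
  fi
}

# Emit the ssl.quorum.keyStore.* lines that match a bundle's key kind.
# A plain key gets no password line at all: a password on a plain key is
# exactly the combination that produced "overrun, bytes = 111" above.
zk_quorum_keystore_config() {
  bundle=$1; password=${2:-}
  echo "ssl.quorum.keyStore.location=$bundle"
  echo "ssl.quorum.keyStore.type=PEM"
  case $(pem_key_kind "$bundle") in
    encrypted) echo "ssl.quorum.keyStore.password=$password" ;;
    plain)     : ;;   # deliberately no password line
    none)      echo "ERROR: $bundle contains no private key block" >&2; return 1 ;;
  esac
}

# Build two bundles: certificate followed by an unencrypted key (as in the
# question), and certificate followed by the same key re-wrapped as a PKCS#8
# EncryptedPrivateKeyInfo with PBE-SHA1-3DES (assumption: a scheme the JDK's
# SunJCE provider knows by name). Requires openssl.
make_bundles() {
  dir=$1; pw=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=zk1.example' \
      -keyout "$dir/privatekey.pem" -out "$dir/certificate.pem" 2>/dev/null
  cat "$dir/certificate.pem" "$dir/privatekey.pem" > "$dir/certWithPrivateKey.pem"
  openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in "$dir/privatekey.pem" \
      -out "$dir/privatekey.enc.pem" -passout "pass:$pw"
  cat "$dir/certificate.pem" "$dir/privatekey.enc.pem" > "$dir/certWithEncKey.pem"
  # The unencrypted key is only as safe as the file permissions on the bundle.
  chmod 600 "$dir/privatekey.pem" "$dir/certWithPrivateKey.pem"
}

# Demo run: skipped when openssl is not installed so the functions above can
# still be sourced and used on existing bundles.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_bundles "$work" 'changeit'
  for b in certWithPrivateKey.pem certWithEncKey.pem; do
    echo "# $b -> $(pem_key_kind "$work/$b")"
    zk_quorum_keystore_config "$work/$b" 'changeit'
  done
fi
```

If you go the unencrypted route the answer took, the private key now sits in clear text on disk, so restrict the bundle to the ZooKeeper service account (the chmod 600 in the script is the minimum) and keep it out of world-readable locations like the /tmp path in the question. The CA bundle referenced by ssl.quorum.trustStore.location carries certificates only (pem_key_kind reports none for it), so there is nothing for a trustStore password to decrypt, which is why dropping that password alongside the keyStore one did no harm.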