zookeeper two-way ssl authentication error Received fatal alert: bad_certificate #4289

lanzhiwang · 2021-01-20T10:29:31Z

lanzhiwang
Jan 20, 2021

I try to make Kafka connect to the external zookeeper, I first need to do ssl mutual authentication for zookeeper。

Something like this

zookeeper <------ssl security------> broker, zookeeper-shell.sh

My initial configuration process is as follows：

zookeeper server security

$ openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
$ keytool -keystore kafka.zookeeper.truststore.jks -alias ca-cert -import -file ca-cert
$ keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
$ keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -certreq -file ca-request-zookeeper
$ openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-zookeeper -out ca-signed-zookeeper -days 3650 -CAcreateserial
$ keytool -keystore kafka.zookeeper.keystore.jks -alias ca-cert -import -file ca-cert
$ keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -import -file ca-signed-zookeeper

$ vim zookeeper.properties

authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.trustStore.location=./ssl/kafka.zookeeper.truststore.jks
ssl.trustStore.password=***
ssl.keyStore.location=./ssl/kafka.zookeeper.keystore.jks
ssl.keyStore.password=***
ssl.clientAuth=need

zookeeper client security

$ keytool -keystore kafka.zookeeper-client.truststore.jks -alias ca-cert -import -file ca-cert
$ keytool -keystore kafka.zookeeper-client.keystore.jks -alias zookeeper-client -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
$ keytool -keystore kafka.zookeeper-client.keystore.jks -alias zookeeper-client -certreq -file ca-request-zookeeper-client
$ openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-zookeeper-client -out ca-signed-zookeeper-client -days 3650 -CAcreateserial
$ keytool -keystore kafka.zookeeper-client.keystore.jks -alias ca-cert -import -file ca-cert
$ keytool -keystore kafka.zookeeper-client.keystore.jks -alias zookeeper-client -import -file ca-signed-zookeeper-client

$ vim zookeeper-client.properties

zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.client.enable=true
zookeeper.ssl.protocol=TLSv1.2
zookeeper.ssl.trustStore.location=./ssl/kafka.zookeeper-client.truststore.jks
zookeeper.ssl.trustStore.password=***
zookeeper.ssl.keyStore.location=./ssl/kafka.zookeeper-client.keystore.jks
zookeeper.ssl.keyStore.password=huzhi567233

I tested and found some errors in the certificate

huzhideMacBook-Pro:kafka_2.12-2.5.0 huzhi$ ./bin/zookeeper-shell.sh localhost:2182 -zk-tls-config-file ./config/zookeeper-client.properties
Connecting to localhost:2182
Welcome to ZooKeeper!
JLine support is disabled
[2021-01-20 17:47:34,924] WARN zookeeper.ssl.keyStore.location not specified (org.apache.zookeeper.common.X509Util)
[2021-01-20 17:47:34,924] WARN zookeeper.ssl.trustStore.location not specified (org.apache.zookeeper.common.X509Util)
[2021-01-20 17:47:35,327] WARN Exception caught (org.apache.zookeeper.ClientCnxnSocketNetty)
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
	at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
	at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:575)
	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:531)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:398)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:377)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1324)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1219)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1266)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
	... 17 more



$ openssl s_client -connect localhost:2182 -CAfile ../ssl/ca-cert -key ../ssl/ca-key
Enter pass phrase for ../ssl/ca-key:
CONNECTED(00000005)
depth=1 C = CN, ST = Beijin, L = Beijin, O = Data Engineering Minds, OU = Data Engineering, CN = kafka-zookeeper-ca-cert, emailAddress = [email protected]
verify return:1
depth=0 C = CN, ST = Beijin, L = Beijin, O = Data Engineering Minds, OU = Data Engineering, CN = localhost
verify return:1
4623355564:error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 42
4623355564:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:585:
---
Certificate chain
 0 s:/C=CN/ST=Beijin/L=Beijin/O=Data Engineering Minds/OU=Data Engineering/CN=localhost
   i:/C=CN/ST=Beijin/L=Beijin/O=Data Engineering Minds/OU=Data Engineering/CN=kafka-zookeeper-ca-cert/[email protected]
 1 s:/C=CN/ST=Beijin/L=Beijin/O=Data Engineering Minds/OU=Data Engineering/CN=kafka-zookeeper-ca-cert/[email protected]
   i:/C=CN/ST=Beijin/L=Beijin/O=Data Engineering Minds/OU=Data Engineering/CN=kafka-zookeeper-ca-cert/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDqjCCApICCQCaN2sFENopgTANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMC
REUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMR8wHQYDVQQKDBZE
YXRhIEVuZ2luZWVyaW5nIE1pbmRzMRkwFwYDVQQLDBBEYXRhIEVuZ2luZWVyaW5n
MSAwHgYDVQQDDBdrYWZrYS16b29rZWVwZXItY2EtY2VydDEfMB0GCSqGSIb3DQEJ
ARYQaHpoaWxhbXBAMTYzLmNvbTAeFw0yMTAxMTUxMjA3MzFaFw0zMTAxMTMxMjA3
MzFaMH8xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
cmxpbjEfMB0GA1UEChMWRGF0YSBFbmdpbmVlcmluZyBNaW5kczEZMBcGA1UECxMQ
RGF0YSBFbmdpbmVlcmluZzESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnyRIS3jeYs/waY9O9jdgyMmBfQgRRYIohpBd
PFTxZgaUxdIvIQWKae4llEuCpfNAb/RhwFmrBYZi7VM8lD9aW9RS2wUmrpbtxTpY
RvQIGZS9h3hXpWbM4ImG39E9OwtERSxAPRB1IS5nFWNzBaXJcAW0CpiQn/SInxZq
32ICAQpwLJSjO9wX2zYym/XEBWRzFX/Nquy/XG8rGv+qIiTevcP4lTw8967ErJlX
DrxgP5ko2wjtXLqe9FiA/AqX9+0g3iKo7D/OryNbLO2GjzMG+bLf9G1jNwwgIRKe
aPTjgi5ePSz1Tohgd7TCmqIcFcpE76kfKDMhKQwqBbzBZnRwXQIDAQABMA0GCSqG
SIb3DQEBBQUAA4IBAQBITu4l7FobyElH47D8W/T3VCxrAhG1clUXfTR4ymKdfqvD
/7XIlaBIK452CCTgauQv01bszZh0xB/hwuruqiBvELTPeQz/OZhk6VsUCjiuZg3F
AkE8zUGv16QeGzeyDAxLHwtIkrn1EthHjNjQMQ0hRuz9VPfGSe12ZCAE0kECEOEL
5zxk6pPyvBfZdmIOd+11XgECywnpFVuB+fKyKGD9Fq0E5tYsjGXUsLXZw6q9iFug
fWqfoqnC5CqMW6p7nnCQKvu7Okrh5ZkKdM0BZXzSRROwjWSrJ215LGEBsriUw3dZ
/P0KH0/aM4ubAbjuyCs4UX1B+718CgHx8A1SEdkU
-----END CERTIFICATE-----
subject=/C=CN/ST=Beijin/L=Beijin/O=Data Engineering Minds/OU=Data Engineering/CN=localhost
issuer=/C=CN/ST=Beijin/L=Beijin/O=Data Engineering Minds/OU=Data Engineering/CN=kafka-zookeeper-ca-cert/[email protected]
---
Acceptable client certificate CA names
/C=CN/ST=Beijin/L=Beijin/O=Data Engineering Minds/OU=Data Engineering/CN=kafka-zookeeper-ca-cert/[email protected]
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2604 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 46CAD2DDE83388FB7EBFD48013701F4D658E8101C31FE050D245281E16BFAE75
    Session-ID-ctx:
    Master-Key: F74E43B2B60107569CCAF440E72BE6E00C38116EFDB32D849542BBE44607B595BAEFCA68C35A1C74A2AD660891912741
    Start Time: 1610717761
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
$

scholzj · 2021-01-20T10:40:05Z

scholzj
Jan 20, 2021
Maintainer

Strimzi does not support connecting to external Zookeeper. So I'm not sure what exactly are you trying to achieve.

In general, bad_certificate normally means that your client certificate (keystore in the client) does not match the CA in the truststore. So you should double check if they really match. If you run the Zookeeper shell is written in Java. So if you pass it a Java system property -Djavax.net.debug=ssl you should get a lot more detailed description of the TLS hanshake which might show what the problem is.

0 replies

lanzhiwang · 2021-01-21T11:04:34Z

lanzhiwang
Jan 21, 2021
Author

The following is the log of the ssl handshake process, please help to see what may be the problem.

client.log

Connecting to 127.0.0.1:2182
Welcome to ZooKeeper!
JLine support is disabled
[2021-01-21 18:16:22,212] WARN zookeeper.ssl.keyStore.location not specified (org.apache.zookeeper.common.X509Util)
[2021-01-21 18:16:22,212] WARN zookeeper.ssl.trustStore.location not specified (org.apache.zookeeper.common.X509Util)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.260 CST|Logger.java:765|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.351 CST|Logger.java:765|Unable to indicate server name
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.351 CST|Logger.java:765|Ignore, context unavailable extension: server_name
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.351 CST|Logger.java:765|Ignore, context unavailable extension: status_request
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.354 CST|Logger.java:765|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.354 CST|Logger.java:765|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|INFO|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.357 CST|Logger.java:765|No available application protocols
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.357 CST|Logger.java:765|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.357 CST|Logger.java:765|Ignore, context unavailable extension: status_request_v2
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.358 CST|Logger.java:765|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.360 CST|Logger.java:765|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "C5 14 D8 F4 7A E4 7C 6D 6F 2D 0D 98 A7 8B 83 F7 B9 1C 7B DC 80 49 AE 1E 2E 47 B2 3E 4E 11 CD 14",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2, TLSv1.1, TLSv1]
    }
  ]
}
)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.567 CST|Logger.java:765|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "E2 CE 78 AF 6A 30 38 D4 22 9E 6D A3 A4 68 BA 5D E4 00 1F B7 71 EA 6E F8 56 EC 7C FC C2 B7 C5 AB",
  "session id"          : "11 A9 8D 56 C8 00 D7 D1 FE 1E FF 63 85 F4 5D D7 D7 95 2D 14 8A FC 44 92 71 3A 88 9F 2A 3A 26 F8",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.567 CST|Logger.java:765|Ignore unavailable extension: supported_versions
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.567 CST|Logger.java:765|Negotiated protocol version: TLSv1.2
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.567 CST|Logger.java:765|Consumed extension: renegotiation_info
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.567 CST|Logger.java:765|Ignore unavailable extension: server_name
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.567 CST|Logger.java:765|Ignore unavailable extension: max_fragment_length
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Ignore unavailable extension: status_request
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Ignore unavailable extension: ec_point_formats
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Ignore unavailable extension: status_request_v2
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Consumed extension: extended_master_secret
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Consumed extension: renegotiation_info
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Ignore unavailable extension: server_name
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Ignore unavailable extension: max_fragment_length
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Ignore unavailable extension: status_request
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.568 CST|Logger.java:765|Ignore unavailable extension: ec_point_formats
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.569 CST|Logger.java:765|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.569 CST|Logger.java:765|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.569 CST|Logger.java:765|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.569 CST|Logger.java:765|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.571 CST|Logger.java:765|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 C0 74 9E 08 59 A6 D3 A3",
    "signature algorithm": "SHA1withRSA",
    "issuer"             : "[email protected], CN=ca-cert, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN",
    "not before"         : "2021-01-21 11:13:48.000 CST",
    "not  after"         : "2031-01-19 11:13:48.000 CST",
    "subject"            : "CN=localhost, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN",
    "subject public key" : "RSA"},
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 B2 57 F5 2F 07 E2 6A 41",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "[email protected], CN=ca-cert, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN",
    "not before"         : "2021-01-21 11:01:15.000 CST",
    "not  after"         : "2031-01-19 11:01:15.000 CST",
    "subject"            : "[email protected], CN=ca-cert, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN",
    "subject public key" : "RSA"}
]
)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.598 CST|Logger.java:765|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
  "parameters": {
    "named group": "secp256r1"
    "ecdh public": {
      0000: 04 55 D1 D5 08 F8 F5 29   A9 7E AE A7 93 23 5D 62  .U.....).....#]b
      0010: CF 3C CF 0A 1C 87 BD F4   23 8D FE CB D1 91 D5 F2  .<......#.......
      0020: 82 29 9C B3 9C E1 01 B8   5F BD 17 04 52 D5 42 01  .)......_...R.B.
      0030: 3E ED ED 7C D6 79 AB 59   E0 00 93 9E B3 B1 B3 51  >....y.Y.......Q
      0040: BE                                                 .
    },
  },
  "digital signature":  {
    "signature algorithm": "rsa_pss_rsae_sha256"
    "signature": {
      0000: 0A D5 B3 0E 89 C4 9E 77   AF F1 F9 09 96 04 66 63  .......w......fc
      0010: 76 2D 1D C7 33 90 D6 B5   06 3B AA 0D 54 D1 6E 89  v-..3....;..T.n.
      0020: 44 04 05 B4 D3 66 AB B7   1E 2C 8D D6 0D 3F 3A 10  D....f...,...?:.
      0030: A7 39 1C BC FB 77 CD A9   1C 83 EF B6 1B 5B 21 0C  .9...w.......[!.
      0040: 4A 89 F3 86 3E D9 9F 29   7C BE B3 E0 0B 0F 56 85  J...>..)......V.
      0050: 63 A0 DE 7C 0A 87 71 30   E8 37 08 6C 10 7E 6B A9  c.....q0.7.l..k.
      0060: 1E BF 4D DF F3 CD 7F 2E   C3 71 14 A7 F8 94 9A 7C  ..M......q......
      0070: A2 B4 6C A0 B1 AB B2 93   F7 AB B9 7F 4D 01 E5 4F  ..l.........M..O
      0080: 18 80 B9 73 65 0B 46 22   8D A6 7F AD A6 71 58 D4  ...se.F".....qX.
      0090: 85 B7 31 2A 65 D4 F4 90   EA E8 75 AD 1D BD DB 2F  ..1*e.....u..../
      00A0: 38 B9 98 D1 0B B8 E6 5D   1D EA A6 57 08 C0 72 6C  8......]...W..rl
      00B0: A5 2B 37 2A 44 97 BD 57   B8 4A E4 F8 DB DE 97 B7  .+7*D..W.J......
      00C0: A1 E7 D5 5F BC 37 93 BC   6A CB 41 C9 C9 90 6D 09  ..._.7..j.A...m.
      00D0: 98 82 94 27 FF 1B 2C AC   CF 44 9A 97 8E 8A 4C 6F  ...'..,..D....Lo
      00E0: 82 B7 38 BA 3B EA F6 4B   FF 23 44 2F 96 D6 7D 41  ..8.;..K.#D/...A
      00F0: 4F 24 AC 83 6D A0 3E 4C   C8 CF 80 11 04 1A 0E BE  O$..m.>L........
    },
  }
}
)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.599 CST|Logger.java:765|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
  "supported signature algorithms": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [[email protected], CN=ca-cert, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN]
}
)
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.599 CST|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.599 CST|Logger.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|No X.509 cert selected for RSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha256
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|No X.509 cert selected for RSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha384
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|No X.509 cert selected for RSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|Unavailable authentication scheme: rsa_pss_rsae_sha512
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.600 CST|Logger.java:765|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|Unavailable authentication scheme: rsa_pss_pss_sha256
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|Unavailable authentication scheme: rsa_pss_pss_sha384
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|Unavailable authentication scheme: rsa_pss_pss_sha512
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|No X.509 cert selected for RSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|No X.509 cert selected for RSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.601 CST|Logger.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|No X.509 cert selected for RSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|No X.509 cert selected for DSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|No X.509 cert selected for RSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|No X.509 cert selected for DSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.602 CST|Logger.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.603 CST|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.603 CST|Logger.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.603 CST|Logger.java:765|No X.509 cert selected for RSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.603 CST|Logger.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.603 CST|Logger.java:765|No X.509 cert selected for DSA
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.603 CST|Logger.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.603 CST|Logger.java:765|No available authentication scheme
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.603 CST|Logger.java:765|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.604 CST|Logger.java:765|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.604 CST|Logger.java:765|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.615 CST|Logger.java:765|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    0000: 04 29 FA CB 9E 8E D6 D9   FD 00 20 89 CC 05 C4 5E  .)........ ....^
    0010: 52 D7 0B CE 62 4D 72 A7   AE 9A 8B 08 B3 2A EB 25  R...bMr......*.%
    0020: 86 2D 82 C9 EA 76 EA 5A   D5 51 3B 20 70 6C 8A 6F  .-...v.Z.Q; pl.o
    0030: D0 23 55 CD 26 E8 1C 35   08 F2 4D 2B 8C CC 09 1E  .#U.&..5..M+....
    0040: DC                                                 .
  },
}
)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.628 CST|Logger.java:765|Produced ChangeCipherSpec message
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.628 CST|Logger.java:765|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 37 14 C6 3B D8 8E 82 3C   B2 66 72 AE
  }'}
)
javax.net.ssl|FINE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.648 CST|Logger.java:765|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "bad_certificate"
}
)
javax.net.ssl|SEVERE|17|nioEventLoopGroup-2-1|2021-01-21 18:16:22.649 CST|Logger.java:765|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
        at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:575)
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:531)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:398)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:377)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1324)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1219)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1266)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)}

)
[2021-01-21 18:16:22,651] WARN Exception caught (org.apache.zookeeper.ClientCnxnSocketNetty)
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
:

server.log

[2021-01-21 18:15:37,482] INFO bound to port 2182 (org.apache.zookeeper.server.NettyServerCnxnFactory)
[2021-01-21 18:15:37,483] INFO Using checkIntervalMs=60000 maxPerMinute=10000 (org.apache.zookeeper.server.ContainerManager)
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.402 CST|Logger.java:765|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|FINE|03|Finalizer|2021-01-21 18:16:22.477 CST|Logger.java:765|duplex close of SSLSocket
javax.net.ssl|WARNING|03|Finalizer|2021-01-21 18:16:22.478 CST|Logger.java:765|SSLSocket duplex close failed (
"throwable" : {
  java.net.SocketException: Socket is not connected
        at java.net.Socket.shutdownOutput(Socket.java:1571)
        at sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:232)
        at sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:553)
        at sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:471)
        at sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:275)
        at java.lang.System$2.invokeFinalize(System.java:1273)
        at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
        at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
        at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}

)
javax.net.ssl|WARNING|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.499 CST|Logger.java:765|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.499 CST|Logger.java:765|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.501 CST|Logger.java:765|Consuming ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "C5 14 D8 F4 7A E4 7C 6D 6F 2D 0D 98 A7 8B 83 F7 B9 1C 7B DC 80 49 AE 1E 2E 47 B2 3E 4E 11 CD 14",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2, TLSv1.1, TLSv1]
    }
  ]
}
)
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.501 CST|Logger.java:765|Consumed extension: supported_versions
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Negotiated protocol version: TLSv1.2
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Ignore unavailable extension: server_name
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Ignore unavailable extension: max_fragment_length
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Ignore unavailable extension: status_request
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Consumed extension: supported_groups
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Consumed extension: ec_point_formats
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Consumed extension: signature_algorithms
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Consumed extension: signature_algorithms_cert
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.502 CST|Logger.java:765|Ignore unavailable extension: status_request_v2
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.503 CST|Logger.java:765|Consumed extension: extended_master_secret
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.503 CST|Logger.java:765|Consumed extension: supported_versions
javax.net.ssl|ALL|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.503 CST|Logger.java:765|Safe renegotiation, using the SCSV signgling
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.504 CST|Logger.java:765|Ignore unavailable extension: server_name
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.504 CST|Logger.java:765|Ignore unavailable extension: max_fragment_length
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.505 CST|Logger.java:765|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.505 CST|Logger.java:765|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|WARNING|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.505 CST|Logger.java:765|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.505 CST|Logger.java:765|Populated with extension: signature_algorithms
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.506 CST|Logger.java:765|Populated with extension: signature_algorithms_cert
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.506 CST|Logger.java:765|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.506 CST|Logger.java:765|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.506 CST|Logger.java:765|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|WARNING|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.506 CST|Logger.java:765|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.506 CST|Logger.java:765|Ignore unavailable extension: renegotiation_info
javax.net.ssl|ALL|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.508 CST|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|ALL|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.508 CST|Logger.java:765|No X.509 cert selected for EC
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.521 CST|Logger.java:765|use cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.525 CST|Logger.java:765|Staping disabled or is a resumed session
javax.net.ssl|ALL|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.526 CST|Logger.java:765|Ignore unavailable extension: server_name
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.526 CST|Logger.java:765|Ignore, context unavailable extension: server_name
javax.net.ssl|ALL|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.526 CST|Logger.java:765|Ignore unavailable max_fragment_length extension
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.526 CST|Logger.java:765|Ignore, context unavailable extension: max_fragment_length
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.526 CST|Logger.java:765|Ignore, context unavailable extension: status_request
javax.net.ssl|WARNING|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.526 CST|Logger.java:765|Ignore, no extension producer defined: ec_point_formats
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.527 CST|Logger.java:765|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.527 CST|Logger.java:765|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.527 CST|Logger.java:765|Ignore, context unavailable extension: status_request_v2
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.527 CST|Logger.java:765|Produced ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "E2 CE 78 AF 6A 30 38 D4 22 9E 6D A3 A4 68 BA 5D E4 00 1F B7 71 EA 6E F8 56 EC 7C FC C2 B7 C5 AB",
  "session id"          : "11 A9 8D 56 C8 00 D7 D1 FE 1E FF 63 85 F4 5D D7 D7 95 2D 14 8A FC 44 92 71 3A 88 9F 2A 3A 26 F8",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.532 CST|Logger.java:765|Produced server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 C0 74 9E 08 59 A6 D3 A3",
    "signature algorithm": "SHA1withRSA",
    "issuer"             : "[email protected], CN=ca-cert, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN",
    "not before"         : "2021-01-21 11:13:48.000 CST",
    "not  after"         : "2031-01-19 11:13:48.000 CST",
    "subject"            : "CN=localhost, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN",
    "subject public key" : "RSA"},
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 B2 57 F5 2F 07 E2 6A 41",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "[email protected], CN=ca-cert, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN",
    "not before"         : "2021-01-21 11:01:15.000 CST",
    "not  after"         : "2031-01-19 11:01:15.000 CST",
    "subject"            : "[email protected], CN=ca-cert, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN",
    "subject public key" : "RSA"}
]
)
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.553 CST|Logger.java:765|Produced ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
  "parameters": {
    "named group": "secp256r1"
    "ecdh public": {
      0000: 04 55 D1 D5 08 F8 F5 29   A9 7E AE A7 93 23 5D 62  .U.....).....#]b
      0010: CF 3C CF 0A 1C 87 BD F4   23 8D FE CB D1 91 D5 F2  .<......#.......
      0020: 82 29 9C B3 9C E1 01 B8   5F BD 17 04 52 D5 42 01  .)......_...R.B.
      0030: 3E ED ED 7C D6 79 AB 59   E0 00 93 9E B3 B1 B3 51  >....y.Y.......Q
      0040: BE                                                 .
    },
  },
  "digital signature":  {
    "signature algorithm": "rsa_pss_rsae_sha256"
    "signature": {
      0000: 0A D5 B3 0E 89 C4 9E 77   AF F1 F9 09 96 04 66 63  .......w......fc
      0010: 76 2D 1D C7 33 90 D6 B5   06 3B AA 0D 54 D1 6E 89  v-..3....;..T.n.
      0020: 44 04 05 B4 D3 66 AB B7   1E 2C 8D D6 0D 3F 3A 10  D....f...,...?:.
      0030: A7 39 1C BC FB 77 CD A9   1C 83 EF B6 1B 5B 21 0C  .9...w.......[!.
      0040: 4A 89 F3 86 3E D9 9F 29   7C BE B3 E0 0B 0F 56 85  J...>..)......V.
      0050: 63 A0 DE 7C 0A 87 71 30   E8 37 08 6C 10 7E 6B A9  c.....q0.7.l..k.
      0060: 1E BF 4D DF F3 CD 7F 2E   C3 71 14 A7 F8 94 9A 7C  ..M......q......
      0070: A2 B4 6C A0 B1 AB B2 93   F7 AB B9 7F 4D 01 E5 4F  ..l.........M..O
      0080: 18 80 B9 73 65 0B 46 22   8D A6 7F AD A6 71 58 D4  ...se.F".....qX.
      0090: 85 B7 31 2A 65 D4 F4 90   EA E8 75 AD 1D BD DB 2F  ..1*e.....u..../
      00A0: 38 B9 98 D1 0B B8 E6 5D   1D EA A6 57 08 C0 72 6C  8......]...W..rl
      00B0: A5 2B 37 2A 44 97 BD 57   B8 4A E4 F8 DB DE 97 B7  .+7*D..W.J......
      00C0: A1 E7 D5 5F BC 37 93 BC   6A CB 41 C9 C9 90 6D 09  ..._.7..j.A...m.
      00D0: 98 82 94 27 FF 1B 2C AC   CF 44 9A 97 8E 8A 4C 6F  ...'..,..D....Lo
      00E0: 82 B7 38 BA 3B EA F6 4B   FF 23 44 2F 96 D6 7D 41  ..8.;..K.#D/...A
      00F0: 4F 24 AC 83 6D A0 3E 4C   C8 CF 80 11 04 1A 0E BE  O$..m.>L........
    },
  }
}
)
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.554 CST|Logger.java:765|Produced CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
  "supported signature algorithms": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [[email protected], CN=ca-cert, OU=Data Engineering, O=Data Engineering Minds, L=beijing, ST=beijing, C=CN]
}
)
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.554 CST|Logger.java:765|Produced ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|FINE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.644 CST|Logger.java:765|Consuming client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|SEVERE|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.645 CST|Logger.java:765|Fatal (BAD_CERTIFICATE): Empty server certificate chain (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Empty server certificate chain
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
        at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1494)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1508)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1392)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1219)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1266)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)}

)
[2021-01-21 18:16:22,645] ERROR Unsuccessful handshake with session 0x0 (org.apache.zookeeper.server.NettyServerCnxnFactory)
javax.net.ssl|WARNING|26|nioEventLoopGroup-7-1|2021-01-21 18:16:22.647 CST|Logger.java:765|outbound has closed, ignore outbound application data
[2021-01-21 18:16:22,648] WARN Exception caught (org.apache.zookeeper.server.NettyServerCnxnFactory)
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
:

0 replies

scholzj · 2021-01-21T11:10:25Z

scholzj
Jan 21, 2021
Maintainer

Does this:

[2021-01-21 18:16:22,212] WARN zookeeper.ssl.keyStore.location not specified (org.apache.zookeeper.common.X509Util)
[2021-01-21 18:16:22,212] WARN zookeeper.ssl.trustStore.location not specified (org.apache.zookeeper.common.X509Util)

suggest that the client does not know about the keystore / truststore?

0 replies

lanzhiwang · 2021-01-23T15:03:21Z

lanzhiwang
Jan 23, 2021
Author

apache-zookeeper-3.5.9
kafka_2.12-2.5.0

The same set of certificates is valid in zookeeper

zoo.cfg

# TLS options
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
ssl.clientAuth=need
ssl.quorum.clientAuth=need
secureClientPort=2281
sslQuorum=true

ssl.trustStore.location=./ssl/kafka.zookeeper.truststore.jks
ssl.trustStore.password=xxx
# ssl.trustStore.type=PKCS12
ssl.quorum.trustStore.location=./ssl/kafka.zookeeper.truststore.jks
ssl.quorum.trustStore.password=xxx
# ssl.quorum.trustStore.type=PKCS12

ssl.keyStore.location=./ssl/kafka.zookeeper.keystore.jks
ssl.keyStore.password=xxx
# ssl.keyStore.type=PKCS12
ssl.quorum.keyStore.location=./ssl/kafka.zookeeper.keystore.jks
ssl.quorum.keyStore.password=xxx
# ssl.quorum.keyStore.type=PKCS12

Use zkCli.sh to connect normally

# zkCli.sh

export CLIENT_JVMFLAGS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=./ssl/kafka.zookeeper-client.keystore.jks
-Dzookeeper.ssl.keyStore.password=xxx
-Dzookeeper.ssl.trustStore.location=./ssl/kafka.zookeeper-client.truststore.jks
-Dzookeeper.ssl.trustStore.password=xxx"

But the broker will make an error when connecting to zookeeper

# server.properties

# TLS broker <--> zookeeper
zookeeper.ssl.client.enable=true
# zookeeper.set.acl=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keyStore.location=./ssl/kafka.zookeeper-client.keystore.jks
zookeeper.ssl.keyStore.password=xxx
zookeeper.ssl.trustStore.location=./ssl/kafka.zookeeper-client.truststore.jks
zookeeper.ssl.trustStore.password=xxx

0 replies

iMajna · 2021-09-10T13:34:06Z

iMajna
Sep 10, 2021

@lanzhiwang have you managed to fix this one?

0 replies

audisport · 2021-11-01T12:34:46Z

audisport
Nov 1, 2021

You need to read that there is a truststore, what it is used for.
And you will immediately understand what is wrong!

0 replies

mertiyidogan · 2022-06-12T13:42:13Z

mertiyidogan
Jun 12, 2022

Hi,
I have the same issue. Did you solve it?

1 reply

mertiyidogan Jun 12, 2022

[root@natica truststore]# zookeeper-shell confluent.local:2182 -zk-tls-config-file /data/confluent-7.1.1/etc/kafka/zookeeper-client.properties
Connecting to confluent.local:2182
Welcome to ZooKeeper!
JLine support is disabled
[2022-06-12 16:38:50,471] WARN zookeeper.ssl.keyStore.location not specified (org.apache.zookeeper.common.X509Util)
[2022-06-12 16:38:50,472] WARN zookeeper.ssl.trustStore.location not specified (org.apache.zookeeper.common.X509Util)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strimzi

zookeeper two-way ssl authentication error Received fatal alert: bad_certificate #4289

{{title}}

Replies: 7 comments 1 reply

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Strimzi

zookeeper two-way ssl authentication error Received fatal alert: bad_certificate #4289

lanzhiwang Jan 20, 2021

zookeeper server security

zookeeper client security

Replies: 7 comments · 1 reply

scholzj Jan 20, 2021 Maintainer

lanzhiwang Jan 21, 2021 Author

client.log

server.log

scholzj Jan 21, 2021 Maintainer

lanzhiwang Jan 23, 2021 Author

iMajna Sep 10, 2021

audisport Nov 1, 2021

mertiyidogan Jun 12, 2022

mertiyidogan Jun 12, 2022

lanzhiwang
Jan 20, 2021

Replies: 7 comments 1 reply

scholzj
Jan 20, 2021
Maintainer

lanzhiwang
Jan 21, 2021
Author

scholzj
Jan 21, 2021
Maintainer

lanzhiwang
Jan 23, 2021
Author

iMajna
Sep 10, 2021

audisport
Nov 1, 2021

mertiyidogan
Jun 12, 2022