I have a Kafka client which uses SSL.
bootstrap.servers=kafka1:9093
security.protocol=SSL
ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
ssl.truststore.password=test1234
ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
The JKS files are upgraded periodically, because they expire after a while. So the JKS is up to date all the time on the filesystem.
But the Kafka client still uses the old JKS, because it only reads it when the client is created.
An expired JKS doesn't matter if:
- There is an ongoing session (because the handshake already happened at the beginning of the session)
- The client is restarted (it will pick up the new JKS and do the handshake)
When, in the middle of a session, the Kafka broker goes down and comes back to life, the handshake process starts over again WITHOUT reading the JKS from the filesystem, causing a handshake error.
This leads to an unreliable KafkaClient if SSL is in place.
What is the solution?
Is there anything like
reconfigure method, it appears to be used only by the Kafka broker code.
In case of clients, it looks like you’d need to restart them, as the ChannelBuilder instance is configured only once, at startup.
Reference (Kafka 2.8):
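Since the client reads the keystore and truststore only in its constructor, the practical workaround that follows from the answer above is to recreate the client whenever the files on disk change, so that the next handshake uses the rotated certificates. The following wrapper is an added example written for this page, not code from the Kafka project: the class name `ReloadingProducer`, the 30-second polling interval and the topic name are assumptions; the configuration values are the ones from the question.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.time.Duration;
import java.util.Properties;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.Producer;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.common.serialization.StringSerializer;

/**
 * Hypothetical wrapper (not part of the Kafka client library) that rebuilds the
 * KafkaProducer whenever the keystore or truststore file changes on disk, so a
 * broker-forced re-handshake uses the rotated JKS instead of the one read at startup.
 */
public class ReloadingProducer implements AutoCloseable {
    private final Properties config;
    private final Path keystore;
    private final Path truststore;
    private final AtomicReference<Producer<String, String>> producer = new AtomicReference<>();
    private final ScheduledExecutorService watcher = Executors.newSingleThreadScheduledExecutor();
    private FileTime keystoreSeen;
    private FileTime truststoreSeen;

    public ReloadingProducer(Properties config) throws IOException {
        this.config = config;
        this.keystore = Paths.get(config.getProperty("ssl.keystore.location"));
        this.truststore = Paths.get(config.getProperty("ssl.truststore.location"));
        this.keystoreSeen = Files.getLastModifiedTime(keystore);
        this.truststoreSeen = Files.getLastModifiedTime(truststore);
        producer.set(new KafkaProducer<>(config)); // JKS files are read here, once
        // Polling mtime (interval is an assumption) also catches atomic rename-over rotation.
        watcher.scheduleWithFixedDelay(this::reloadIfChanged, 30, 30, TimeUnit.SECONDS);
    }

    private synchronized void reloadIfChanged() {
        try {
            FileTime ks = Files.getLastModifiedTime(keystore);
            FileTime ts = Files.getLastModifiedTime(truststore);
            if (ks.equals(keystoreSeen) && ts.equals(truststoreSeen)) {
                return;
            }
            // Build the replacement first so callers never see a missing producer,
            // then swap it in and flush/close the old instance.
            Producer<String, String> fresh = new KafkaProducer<>(config);
            Producer<String, String> old = producer.getAndSet(fresh);
            keystoreSeen = ks;
            truststoreSeen = ts;
            old.close(Duration.ofSeconds(10));
        } catch (Exception e) {
            // A half-written or unreadable JKS must not take down the running producer;
            // keep the current one and retry on the next tick.
            System.err.println("keystore reload failed, keeping current producer: " + e);
        }
    }

    public void send(String topic, String key, String value) {
        producer.get().send(new ProducerRecord<>(topic, key, value));
    }

    @Override
    public void close() {
        watcher.shutdownNow();
        producer.get().close(Duration.ofSeconds(10));
    }

    public static void main(String[] args) throws IOException {
        Properties p = new Properties();
        p.put("bootstrap.servers", "kafka1:9093");
        p.put("security.protocol", "SSL");
        p.put("ssl.truststore.location", "/var/private/ssl/kafka.client.truststore.jks");
        p.put("ssl.truststore.password", "test1234");
        p.put("ssl.keystore.location", "/var/private/ssl/kafka.client.keystore.jks");
        p.put("ssl.keystore.password", "test1234");
        p.put("ssl.key.password", "test1234");
        p.put("key.serializer", StringSerializer.class.getName());
        p.put("value.serializer", StringSerializer.class.getName());
        try (ReloadingProducer rp = new ReloadingProducer(p)) {
            rp.send("example-topic", "k", "v"); // topic name is a placeholder
        }
    }
}
```

Two caveats worth knowing before using this pattern: a send that obtained the old producer reference just before the swap can fail with an IllegalStateException once that producer is closed, so callers should retry on that error; and `close(Duration)` only flushes records already buffered, so records are not lost by the swap, but the same idea applied to a KafkaConsumer needs the consumer's partition assignment and committed offsets handled across the recreate.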