打开cassandra节点间加密导致“无法与任何种子进行八卦”异常

Question

我正在尝试打开cassandra (2.1)节点间加密。出于测试目的，我正在尝试启动一个2节点集群。

我在两个独立的ec2实例上运行docker容器中的每个节点。如果没有节点间加密，一切都会按预期工作。

我使用以下脚本(取自https://docs.jboss.org/author/display/RHQ/Cassandra+Node+To+Node+Encryption?_sscc=t)生成ssl：

  for ((a=0; a < NUMBER_OF_NODES ; a++))
  do
     node_id=node${a}

     echo -e "Start building certificates for ${node_id}"
     echo -e "=========================================="
     rm -vf ./${node_id}.keystore
     rm -vf ./${node_id}.cer

     #1 Generate key and store
     ${java_folder}/keytool -genkey -v -keyalg RSA -keysize 1024 -alias ${node_id} -keystore ${node_id}.keystore -storepass "${node_id}store" -dname 'CN=RHQ' -keypass "${node_id}store" -validity 3650

     #2 Extract public certificate
     ${java_folder}/keytool -export -v -alias ${node_id} -file ${node_id}.cer -keystore ${node_id}.keystore -storepass "${node_id}store"

     #3 Add public certificate to global keystore
     ${java_folder}/keytool -import -v -trustcacerts -alias ${node_id} -file ${node_id}.cer -keystore global.truststore -storepass 'globalstore' -noprompt

     echo -e "========================================="
     echo -e "Done building certificates for ${node_id}\n\n"
  done

我还将以下配置添加到每个节点的cassandra.yml文件中(node0会相应地进行更改)：

server_encryption_options:
   internode_encryption: all
   keystore: /keystores/node0.keystore
   keystore_password: node0store
   truststore: /keystores/global.truststore
   truststore_password: globalstore

将node0配置为node1的种子。我启动了node0，并等待它启动，我没有看到任何异常，一切都像预期的那样工作。然后启动node1，它抛出以下代码(仅当调试级别设置为“trace”时)：

TRACE 08:14:16 unable to connect to 172.12.1.11/172.12.1.11
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:671) ~[na:1.7.0_65]
        at sun.security.ssl.InputRecord.read(InputRecord.java:504) ~[na:1.7.0_65]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927) ~[na:1.7.0_65]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) ~[na:1.7.0_65]
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702) ~[na:1.7.0_65]
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122) ~[na:1.7.0_65]
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.7.0_65]
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.7.0_65]
        at org.apache.cassandra.io.util.DataOutputStreamPlus.flush(DataOutputStreamPlus.java:55) ~[apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.net.OutboundTcpConnection.connect(OutboundTcpConnection.java:347) [apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.net.OutboundTcpConnection.run(OutboundTcpConnection.java:163) [apache-cassandra-2.1.1.jar:2.1.1]
TRACE 08:14:17 Expired 0 entries
TRACE 08:14:20 Expired 0 entries
TRACE 08:14:22 Expired 0 entries
TRACE 08:14:25 Expired 0 entries
TRACE 08:14:27 Expired 0 entries
TRACE 08:14:30 Expired 0 entries
TRACE 08:14:32 Expired 0 entries
DEBUG 08:14:34 Copy GC in 14ms.  CMS Old Gen: 9537256 -> 14901648; Eden Space: 41943040 -> 0; Survivor Space: 5242872 -> 5242880
TRACE 08:14:35 Expired 0 entries
ERROR 08:14:37 Exception encountered during startup
java.lang.RuntimeException: Unable to gossip with any seeds
        at org.apache.cassandra.gms.Gossiper.doShadowRound(Gossiper.java:1221) ~[apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.service.StorageService.checkForEndpointCollision(StorageService.java:457) ~[apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:700) ~[apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.service.StorageService.initServer(StorageService.java:637) ~[apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.service.StorageService.initServer(StorageService.java:529) ~[apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:324) [apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:443) [apache-cassandra-2.1.1.jar:2.1.1]
        at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:532) [apache-cassandra-2.1.1.jar:2.1.1]
java.lang.RuntimeException: Unable to gossip with any seeds
        at org.apache.cassandra.gms.Gossiper.doShadowRound(Gossiper.java:1221)
        at org.apache.cassandra.service.StorageService.checkForEndpointCollision(StorageService.java:457)
        at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:700)
        at org.apache.cassandra.service.StorageService.initServer(StorageService.java:637)
        at org.apache.cassandra.service.StorageService.initServer(StorageService.java:529)
        at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:324)
        at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:443)
        at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:532)
Exception encountered during startup: Unable to gossip with any seeds

还值得注意的是，在node0上，端口7001是开放的，可由node1访问。

Answer 1

通常情况下，问题与环境配置有关，而与实际的cassandra设置无关。

我在coreos集群上的docker容器中运行隔离的cassandra实例。我忘记了默认的etcd ssl端口和cassandra的默认ssl节点间通信端口都是7001。

将其中一个系统更改为使用备用端口号时，问题已解决。我认为错误消息可以更清楚(并且不需要跟踪调试级别)。更清晰的错误消息可以节省我追踪网络数据包以获取答案的时间。