IoT rule fails with "KafkaAction failed to send a message to the specified bootstrap servers. Failed to process post-handshake messages."


Hi Team,

I am using an IoT rule to send messages to a topic on my self-deployed, SSL-enabled Kafka cluster, but the rule just fails with the error below:

{
    "ruleName": "devops_iot_redpanda_test_6",
    "topic": "NEL/telemetry",
    "cloudwatchTraceId": "dcd97aa2-b524-70be-130f-88c82ab0ba48",
    "clientId": "N/A",
    "base64OriginalPayload": "xxx",
    "failures": [
        {
            "failedAction": "KafkaAction",
            "failedResource": "iot.redpanda.topic",
            "errorMessage": "KafkaAction failed to send a message to the specified bootstrap servers. Failed to process post-handshake messages. Message arrived on: NEL/telemetry, Action: kafka, topic: iot.redpanda.topic, bootstrap.servers: backbone-0.redpanda.devops.h2.theagilehub.net:31169,backbone-1.redpanda.devops.h2.theagilehub.net:31169,backbone-2.redpanda.devops.h2.theagilehub.net:31169"
        }
    ]
}
asked a year ago
1 Answer
Accepted Answer

Hello,

I understand that you are attempting to use an IoT rule to send messages to a topic on a self-deployed Kafka cluster which is SSL-enabled. However, the IoT rule is failing and you are receiving the following error message:

"KafkaAction failed to send a message to the specified bootstrap servers. Failed to process post-handshake messages. Message arrived on: NEL/telemetry, Action: kafka, topic: iot.redpanda.topic, bootstrap.servers: backbone-0.redpanda.devops.h2.theagilehub.net:31169,backbone-1.redpanda.devops.h2.theagilehub.net:31169,backbone-2.redpanda.devops.h2.theagilehub.net:31169"

Making some changes to the VPC network configuration might help in this scenario. If you are using a self-signed CA for the Kafka cluster and providing it to the KafkaAction in the IoT Core rule via a PKCS12-formatted truststore stored in Secrets Manager as a binary secret, create an X.509 cert and private key from the self-signed CA, generate a keystore in PKCS12 format, and store it in Secrets Manager as a binary secret. To access the binaries from Secrets Manager, use the get_secret method in your rule's configuration. Your IAM role should have a policy allowing access to these secrets. Note that the truststore and keystore are both password protected. Also try switching from SASL_SSL to SSL, or vice versa, in a different region and test it.

Please refer to the link below for more information on this security mechanism and the supported regions.

https://docs.aws.amazon.com/iot/latest/developerguide/apache-kafka-rule-action.html#apache-kafka-rule-action-parameters

answered a year ago
  • Thanks for your response. I do understand and have used that mainly, but can you be more elaborate about the network setup which is required? Also, if it's a certificate issue, the error should be related to the SSL handshake, isn't that true?
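The procedure the accepted answer describes (client cert and key issued by the self-signed CA, a PKCS12 truststore and keystore, both stored in Secrets Manager as binary secrets and pulled into the rule with get_secret), worked through as an added shell example. This is not code from the original post or from AWS. It assumes openssl and the AWS CLI are installed; the secret names, passwords, region and the throwaway CA are placeholders constructed for the example, and the bootstrap servers are the ones from the error message above. The VPC destination (`destinationArn`) that the Kafka action needs to reach self-hosted brokers is not covered here.

```shell
#!/bin/sh
# Added example, not from the original post or from AWS. Builds the PKCS12
# truststore/keystore for an IoT Core Kafka rule action, checks them, and shows
# how the rule's clientProperties reference them via get_secret.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
AWS_REGION="${AWS_REGION:-us-east-1}"                  # assumed region
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-example-trust-pw}" # placeholder password
KEYSTORE_PASS="${KEYSTORE_PASS:-example-key-pw}"       # placeholder password
TRUSTSTORE_SECRET="kafka_client_truststore"            # assumed secret name
KEYSTORE_SECRET="kafka_client_keystore"                # assumed secret name

# Step 1: X.509 client cert + key signed by the self-signed CA, then the two
# PKCS12 stores. A throwaway CA is generated so this runs offline; in practice
# use the CA that actually signed the Redpanda/Kafka broker certificates.
build_stores() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-kafka-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=iot-core-kafka-client" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/client.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -out "$WORKDIR/client.crt" 2>/dev/null
  # Truststore: the CA certificate only, no private key inside
  openssl pkcs12 -export -nokeys -in "$WORKDIR/ca.crt" \
    -out "$WORKDIR/truststore.p12" -passout "pass:$TRUSTSTORE_PASS"
  # Keystore: client certificate, its private key, and the CA as chain
  openssl pkcs12 -export -in "$WORKDIR/client.crt" -inkey "$WORKDIR/client.key" \
    -certfile "$WORKDIR/ca.crt" -name iot-core-kafka-client \
    -out "$WORKDIR/keystore.p12" -passout "pass:$KEYSTORE_PASS"
}

# Step 2: verify each store opens with its password and count the certificates
# it holds (truststore: 1, keystore: 2). Prints "<truststore> <keystore>".
check_stores() {
  t=$(openssl pkcs12 -in "$WORKDIR/truststore.p12" -passin "pass:$TRUSTSTORE_PASS" \
        -nokeys | grep -c 'BEGIN CERTIFICATE')
  k=$(openssl pkcs12 -in "$WORKDIR/keystore.p12" -passin "pass:$KEYSTORE_PASS" \
        -nokeys | grep -c 'BEGIN CERTIFICATE')
  echo "$t $k"
}

# Step 3: the stores go in as *binary* secrets (SecretBinary, fileb://), the
# passwords as string secrets, so nothing sensitive sits in the rule itself.
# Needs AWS credentials, so it is not called by default.
upload_secrets() {
  aws secretsmanager create-secret --region "$AWS_REGION" \
    --name "$TRUSTSTORE_SECRET" --secret-binary "fileb://$WORKDIR/truststore.p12"
  aws secretsmanager create-secret --region "$AWS_REGION" \
    --name "$KEYSTORE_SECRET" --secret-binary "fileb://$WORKDIR/keystore.p12"
  aws secretsmanager create-secret --region "$AWS_REGION" \
    --name "${TRUSTSTORE_SECRET}_password" --secret-string "$TRUSTSTORE_PASS"
  aws secretsmanager create-secret --region "$AWS_REGION" \
    --name "${KEYSTORE_SECRET}_password" --secret-string "$KEYSTORE_PASS"
}

# Step 4: clientProperties for the Kafka rule action. security.protocol is SSL
# for certificate-only auth; SASL_SSL only if the brokers also expect SASL.
# The openssl -export above protects the key with the keystore password, so
# ssl.key.password is the same secret. The rule's role must be allowed
# secretsmanager:GetSecretValue (and DescribeSecret) on all four secrets.
render_client_properties() {
  cat <<EOF
{
  "bootstrap.servers": "backbone-0.redpanda.devops.h2.theagilehub.net:31169,backbone-1.redpanda.devops.h2.theagilehub.net:31169,backbone-2.redpanda.devops.h2.theagilehub.net:31169",
  "security.protocol": "SSL",
  "ssl.truststore": "\${get_secret('$TRUSTSTORE_SECRET', 'SecretBinary', '$AWS_REGION')}",
  "ssl.truststore.password": "\${get_secret('${TRUSTSTORE_SECRET}_password', 'SecretString', '$AWS_REGION')}",
  "ssl.keystore": "\${get_secret('$KEYSTORE_SECRET', 'SecretBinary', '$AWS_REGION')}",
  "ssl.keystore.password": "\${get_secret('${KEYSTORE_SECRET}_password', 'SecretString', '$AWS_REGION')}",
  "ssl.key.password": "\${get_secret('${KEYSTORE_SECRET}_password', 'SecretString', '$AWS_REGION')}"
}
EOF
}

# Usage: sh kafka_stores.sh build   (generate, check, and print the properties)
if [ "${1:-}" = "build" ]; then
  build_stores
  check_stores
  render_client_properties
fi
```

Two caveats when the Kafka client inside IoT Core is the consumer of these files: OpenSSL 3 encrypts PKCS12 with AES-256-CBC/PBKDF2 by default, which older Java releases cannot open (OpenSSL 3 has a `-legacy` switch for the older algorithms), and Java only treats a certificate-only PKCS12 entry as a trusted entry when it carries the Oracle trusted-key-usage attribute, which openssl does not set by default (OpenSSL 3.2 adds `-jdktrust anyExtendedKeyUsage` for this). If the keystore is accepted but the truststore is not, rebuild the truststore with `keytool -importcert -storetype PKCS12` instead.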
