Hi Rohan,
Thanks for the quick response. I do have some trouble providing the
certificate chain to the brokers... This is how I set up the keystore and
truststore and provide them in server.properties:
1. Generate a PKCS12 file for the broker key/cert and cert chain
kafka-key is the broker's private key
cert-signed is the broker's cert, signed by an intermediate CA which is signed by
a self-signed root CA
bundle-cert is the concatenation of the broker's cert (cert-signed), the intermediate
CA's cert (ca1-cert) and the root CA's cert (caroot-cert)
openssl pkcs12 -export -inkey kafka-key -in cert-signed -out bundle-cert.pkcs12 -password pass:123456 -chain -CAfile bundle-cert
2. Import the PKCS12 file into the broker's keystore
keytool -importkeystore -srckeystore bundle-cert.pkcs12 -srcstoretype PKCS12 -destkeystore kafka.server.keystore.jks -deststorepass 123456 -srcstorepass 123456 -noprompt
3. Import the root CA's certificate into the broker's truststore
keytool -keystore kafka.server.truststore.jks -alias caroot -import -file caroot-cert -storepass 123456 -noprompt
4. Provide them in server.properties
After the above 4 steps, the brokers (I have 4 brokers) do not communicate with
each other unless the intermediate CA's cert is added to the broker's truststore.
Then I use kafkacat to try to produce data through SSL, and it always errors out
no matter whether the root CA's cert or the intermediate CA's cert is provided; kafkacat's
cert is signed with the intermediate CA's cert in this case. It looks like
there is a problem with verifying the chain set in the brokers.
[12:47:33][***@ip-10-0-32-125:]$ kafkacat -P -X metadata.broker.list=hostname -X ssl.ca.location=ca1-cert -X security.protocol=ssl -X ssl.certificate.location=kafkacat.pem -X ssl.key.location=kafkacat.key -X ssl.key.password=123456 -b hostname:9093 -t topic_name -p 0 m-1.dat
%3|1541785738.749|FAIL|rdkafka#producer-1| [thrd:ssl://10.0.32.125:9093/bootstrap]: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: self signed certificate in certificate chain
% ERROR: Local: SSL error: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: self signed certificate in certificate chain
% ERROR: Local: All broker connections are down: 1/1 brokers are down: terminating
[12:48:58][***@ip-10-0-32-125:]$ kafkacat -P -X metadata.broker.list=hostname -X ssl.ca.location=caroot-cert -X security.protocol=ssl -X ssl.certificate.location=kafkacat.pem -X ssl.key.location=kafkacat.key -X ssl.key.password=123456 -b hostname:9093 -t topic_name -p 0 m-1.dat
%3|1541785747.751|FAIL|rdkafka#producer-1| [thrd:ssl://10.0.32.125:9093/bootstrap]: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: invalid CA certificate
% ERROR: Local: SSL error: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: invalid CA certificate
% ERROR: Local: All broker connections are down: 1/1 brokers are down: terminating
Any clue what is going wrong?
Thanks! Fang
Post by Rohan Rasane
Hi Fang,
You will need to create a CSR using the Private Key, then get that CSR
signed by your Certs team which should be able to add the root and
intermediate certs in the signed certs. Then you will have to add them to
your stores on the host.
Let me know if you have any specific questions.
-Rohan
Post by Fang Xing
Hello,
I'm looking for some instructions about setting up SSL in Kafka with
certificate chains. There are instructions about settings for a broker
certificate issued by a self-signed root CA, however I didn't find
information related to certificate chains.
If the chain is like this: root ca -> intermediate ca -> kafka broker
certificate/key, how do I set up the keystore and truststore to include the
intermediate ca's certificate? Should it be put into the keystore or the
truststore, and in what format?
Thanks! Fang
--
Regards, Fang
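The chain layout asked about in this thread (root CA -> intermediate CA -> broker), as an added example that is not from the thread or from Kafka: it builds a throwaway chain with openssl, verifies the broker certificate in the trust configurations tried above, and counts what a -chain PKCS12 carries. It assumes a POSIX shell with openssl 1.1.1 or newer on the path; all subjects, the DNS name and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> broker with
# openssl and verify as a TLS client would, to show that the intermediate belongs
# in the broker keystore (as part of the chain) and the root in the client's
# trust store. File names mirror the thread; subjects are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:broker.example.test\n' > leaf.ext

# Self-signed root CA; CA:TRUE is what lets a verifier accept it as a trust anchor.
openssl req -new -newkey rsa:2048 -nodes -keyout caroot.key -out caroot.csr -subj /CN=demo-root 2>/dev/null
openssl x509 -req -in caroot.csr -signkey caroot.key -out caroot-cert -days 2 -extfile ca.ext 2>/dev/null
# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout ca1.key -out ca1.csr -subj /CN=demo-intermediate 2>/dev/null
openssl x509 -req -in ca1.csr -CA caroot-cert -CAkey caroot.key -CAcreateserial -out ca1-cert -days 2 -extfile ca.ext 2>/dev/null
# Broker certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout kafka-key -out broker.csr -subj /CN=broker.example.test 2>/dev/null
openssl x509 -req -in broker.csr -CA ca1-cert -CAkey ca1.key -CAcreateserial -out cert-signed -days 2 -extfile leaf.ext 2>/dev/null
cat cert-signed ca1-cert caroot-cert > bundle-cert

# verify_chain TRUSTED PRESENTED: TRUSTED stands in for the client's ssl.ca.location,
# PRESENTED for the certificates the broker sends in the handshake.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" cert-signed >/dev/null 2>&1; }

# Number of certificates inside a PKCS12 built with -chain (step 1 of the thread),
# i.e. what the broker will present after keytool -importkeystore.
p12_cert_count() {
  openssl pkcs12 -export -inkey kafka-key -in cert-signed -out bundle-cert.pkcs12 \
    -passout pass:123456 -chain -CAfile bundle-cert 2>/dev/null
  openssl pkcs12 -in bundle-cert.pkcs12 -nokeys -passin pass:123456 2>/dev/null | grep -c 'BEGIN CERT'
}

# Root trusted and full chain presented verifies; trusting only the intermediate,
# or presenting a keystore without the chain, fails as kafkacat reported.
verify_chain caroot-cert bundle-cert && echo "root trusted + full chain: OK"
verify_chain ca1-cert bundle-cert || echo "intermediate trusted only: FAIL (expected)"
verify_chain caroot-cert cert-signed || echo "chain missing from keystore: FAIL (expected)"
echo "certificates in PKCS12: $(p12_cert_count)"
```

After importing the PKCS12 into a JKS, keytool -list -v on the keystore should report "Certificate chain length: 3" for the broker entry, while the truststore only needs the root.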