kafka-users mailing list archives

From Antony A <antonyaugus...@gmail.com>
Subject Re: kafka security using ssl
Date Thu, 22 Aug 2019 14:50:20 GMT
Is ExtendedKeyUsages an issue for Kafka?

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

The certificate itself has the CA in the chain.



On Thu, Aug 22, 2019 at 6:51 AM Pere Urbón Bayes <pere.urbon@gmail.com>
wrote:

> Can you share your certificate content somehow? I should ask, is it
> properly signed with the CA? Can you share the current error as well?
>
> -- Pere
>
> On Thu, 22 Aug 2019, 14:47 Antony A <antonyaugustus@gmail.com> wrote:
>
> > Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used
> > to create the CSR and the SERVER CERT.
> >
> > Sent from my iPhone
> >
> > > On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
> > >
> > > You should verify a proper chain of validation. Is your private CA cert in
> > > your trust store?
> > >
> > >> On Thu, 22 Aug 2019, 14:40 Antony A <antonyaugustus@gmail.com> wrote:
> > >>
> > >> Hi,
> > >>
> > >> I was able to get the broker running if I used a CA created as shown in
> > >> the example below.
> > >> https://kafka.apache.org/documentation/#security_ssl
> > >>
> > >> The issue I am facing is when I used my internal CA. Not sure what I am
> > >> missing when I am creating the certificate.
> > >>
> > >> Thanks.
> > >>
> > >> Sent from my iPhone
> > >>
> > >>> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
> > >>>
> > >>> Hi,
> > >>>  the error looks like a missing configuration value. A good source of
> > >>> examples of how to set up security can be found at
> > >>> https://github.com/purbon/kafka-security-playbook or
> > >>> https://docs.confluent.io/current/kafka/authentication_ssl.html.
> > >>>
> > >>> I would verify them and see if you're using the same configuration and
> > >>> properly set up certificate stores.
> > >>>
> > >>> I hope it helps,
> > >>>
> > >>> -- Pere
> > >>>
> > >>>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugustus@gmail.com> wrote:
> > >>>>
> > >>>> Hi,
> > >>>>
> > >>>> I have followed the steps to secure the brokers using SSL. I have signed
> > >>>> the server certificate using internal CA. I have the keystore with server
> > >>>> certificate, private key and the CA. Also the truststore has only the CA.
> > >>>>
> > >>>> Unfortunately I am unable to start the broker with the following server
> > >>>> properties
> > >>>>
> > >>>> listeners=SSL://:9092
> > >>>> security.inter.broker.protocol=SSL
> > >>>> ssl.client.auth=required
> > >>>>
> > >>>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
> > >>>> ssl.truststore.password=password
> > >>>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
> > >>>> ssl.keystore.password=password
> > >>>> ssl.key.password=password
> > >>>>
> > >>>> # ACLs
> > >>>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> > >>>> super.users=User:kafkabroker
> > >>>>
> > >>>>
> > >>>> Here is the error in the logs
> > >>>>
> > >>>> org.apache.kafka.common.KafkaException:
> > >>>> org.apache.kafka.common.config.ConfigException: Invalid value
> > >>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
> > >>>> configuration A client SSLEngine created with the provided settings can't
> > >>>> connect to a server SSLEngine created with those settings.
> > >>>>
> > >>>> Any pointers on what to do?
> > >>>>
> > >>>> Thanks,
> > >>>> Antony
> > >>>>
> > >>>> PS: Kafka Version 2.3
> > >>>>
> > >>
> >
>
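
Added example, not part of the original thread and not Kafka's own code: Java's default certificate validation rejects a client certificate whose ExtendedKeyUsage extension lists neither clientAuth nor anyExtendedKeyUsage, and with ssl.client.auth=required plus security.inter.broker.protocol=SSL a broker presents its keystore certificate in both roles. The sketch below parses the `keytool -list -v` excerpt and the broker settings quoted in this thread and reports which purposes are missing; the function names are hypothetical and the embedded inputs are constructed from the message text.

```python
import re

# Constructed sample input: the keytool excerpt and broker settings from the thread.
KEYTOOL_OUTPUT = """\
#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]
"""
SERVER_PROPERTIES = """\
listeners=SSL://:9092
security.inter.broker.protocol=SSL
ssl.client.auth=required
"""

def parse_eku(keytool_text):
    """Return the EKU purposes listed by keytool, or None if the extension is absent."""
    m = re.search(r"ExtendedKeyUsages \[\s*(.*?)\s*\]", keytool_text, re.S)
    if m is None:
        return None  # no EKU extension: the certificate is not restricted by purpose
    return set(m.group(1).split())

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def required_purposes(props):
    """EKU purposes the broker certificate needs under this configuration."""
    needed = {"serverAuth"}  # an SSL listener presents the certificate as a server
    inter_broker_ssl = props.get("security.inter.broker.protocol", "").upper() == "SSL"
    client_auth = props.get("ssl.client.auth", "none").lower()
    # Brokers connecting to each other over mutual TLS also act as TLS clients.
    if inter_broker_ssl and client_auth in ("required", "requested"):
        needed.add("clientAuth")
    return needed

def missing_purposes(keytool_text, properties_text):
    """Purposes required by the configuration but absent from the certificate."""
    eku = parse_eku(keytool_text)
    if eku is None or "anyExtendedKeyUsage" in eku:
        return set()
    return required_purposes(parse_properties(properties_text)) - eku
```

For the inputs quoted in this thread, `missing_purposes(KEYTOOL_OUTPUT, SERVER_PROPERTIES)` returns `{'clientAuth'}`.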
