kafka-users mailing list archives

From Fang Xing <fang.x...@gmail.com>
Subject Re: How to provide certificate chain/intermediate CA to kafka broker
Date Fri, 09 Nov 2018 19:15:13 GMT
Hi Rohan,

Thanks for the quick response. I do have some trouble providing the
certificate chain to brokers... This is how I set up the keystore and
truststore and provide them in server.properties:

1. Generate a PKCS12 file for the broker key/cert and the cert chain.
kafka-key is the broker's private key.
cert-signed is the broker's cert signed by the intermediate CA, which is signed by
a self-signed root CA.
bundle-cert is the concatenation of the broker's cert (cert-signed), the intermediate
CA's cert (ca1-cert) and the root CA's cert (caroot-cert).

openssl pkcs12 -export -inkey kafka-key -in cert-signed -out bundle-cert.pkcs12 -password pass:123456 -chain -CAfile bundle-cert

2. Import the PKCS12 file into the broker's keystore.

keytool -importkeystore -srckeystore bundle-cert.pkcs12 -srcstoretype PKCS12 -destkeystore kafka.server.keystore.jks -deststorepass 123456 -srcstorepass 123456 -noprompt

3. Import the root CA's certificate into the broker's truststore.

keytool -keystore kafka.server.truststore.jks -alias caroot -import -file caroot-cert -storepass 123456 -noprompt

4. Provide them in server.properties.

After the above 4 steps, the brokers (I have 4 brokers) do not communicate with
each other unless the intermediate CA's cert is added to the broker's truststore.

Then I use kafkacat to try to produce data through SSL, and it always errors out
no matter whether the root CA's cert or the intermediate CA's cert is provided;
kafkacat's cert is signed with the intermediate CA's cert in this case. It looks
like there is a problem with verifying the chain set in the brokers.

[12:47:33][release@ip-10-0-32-125:]$ kafkacat -P -X metadata.broker.list=hostname -X ssl.ca.location=ca1-cert -X security.protocol=ssl -X ssl.certificate.location=kafkacat.pem -X ssl.key.location=kafkacat.key -X ssl.key.password=123456 -b hostname:9093 -t topic_name -p 0 m-1.dat
%3|1541785738.749|FAIL|rdkafka#producer-1| [thrd:ssl://10.0.32.125:9093/bootstrap]: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: self signed certificate in certificate chain
% ERROR: Local: SSL error: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: self signed certificate in certificate chain
% ERROR: Local: All broker connections are down: 1/1 brokers are down: terminating
[12:48:58][release@ip-10-0-32-125:]$ kafkacat -P -X metadata.broker.list=hostname -X ssl.ca.location=caroot-cert -X security.protocol=ssl -X ssl.certificate.location=kafkacat.pem -X ssl.key.location=kafkacat.key -X ssl.key.password=123456 -b hostname:9093 -t topic_name -p 0 m-1.dat
%3|1541785747.751|FAIL|rdkafka#producer-1| [thrd:ssl://10.0.32.125:9093/bootstrap]: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: invalid CA certificate
% ERROR: Local: SSL error: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: invalid CA certificate
% ERROR: Local: All broker connections are down: 1/1 brokers are down: terminating

Any clue what is going wrong?

Thanks! Fang

On Fri, Nov 9, 2018 at 12:57 PM Rohan Rasane <rohan.rasane@gmail.com> wrote:

> Hi Fang,
> You will need to create a CSR using the Private Key, then get that CSR
> signed by your Certs team which should be able to add the root and
> intermediate certs in the signed certs. Then you will have to add them to
> your stores on the host.
>
> Let me know if you have any specific questions.
>
> -Rohan
>
> On Fri, Nov 9, 2018 at 6:18 AM Fang Xing <fang.xing@gmail.com> wrote:
>
> > Hello,
> >
> > I'm looking for some instructions about setting SSL in Kafka with
> > certificate chains. There is instruction about settings for broker
> > certificate issued by a self-signed root CA, however I didn't find
> > information related to certificate chain.
> >
> > If the chain is like this: root ca -> intermediate ca -> kafka broker
> > certificate/key, how to setup the keystore and truststore to include
> > intermediate ca's certificate? Should it be put into keystore or truststore,
> > in what format?
> >
> > Thanks! Fang
> >
>


-- 
Regards, Fang
