Hi community,
We have an issue with KafkaIO when using a secure SASL SSL connection
to Confluent Kafka 5.5.1. When we try to configure the Kafka consumer
using consumerFactoryFn, we have an irregular issue related to reading
certificates from the file system. Irregular means that different Dataflow jobs
with the same parameters and certs might fail or succeed. The store types
for the Keystore and Truststore are specified explicitly in the consumer config.
In our case, it's JKS for both certs.
Stack trace:
Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /tmp/kafka.truststore.jks of type JKS
    at org.apache.kafka.common.security.ssl.SslEngineBuilder$SecurityStore.load(SslEngineBuilder.java:289)
    at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSSLContext(SslEngineBuilder.java:153)
    ... 23 more
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=65, too big.
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:198)
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:755)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.kafka.common.security.ssl.SslEngineBuilder$SecurityStore.load(SslEngineBuilder.java:286)
    ... 24 more
/tmp/kafka.truststore.jks is a path that’s used in consumerFactoryFn to load
certs from GCP to the worker's local file system.
Does anyone have any ideas on how to fix this issue?
Thank you,
Ilya
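
One defensive way to stage the store before the consumer is built, as an added example that is not part of the original post and not Beam or Kafka code. It assumes, which the post does not establish, that the intermittent failure comes from a reader seeing a partially written or concurrently overwritten /tmp/kafka.truststore.jks; `StoreStager` and `stage` are hypothetical names.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

/** Hypothetical helper (not from the post, Beam or Kafka): stage a JKS store on a worker. */
public final class StoreStager {
  /**
   * Copies source (for example a stream opened on the downloaded object) to target.
   * The bytes go to a private temp file, are parsed as JKS, and only then renamed into
   * place, so a concurrent reader of target never sees a half-written file.
   */
  public static Path stage(InputStream source, Path target, char[] password)
      throws IOException, GeneralSecurityException {
    Path dir = target.toAbsolutePath().getParent();
    Path tmp = Files.createTempFile(dir, target.getFileName().toString(), ".part");
    try {
      Files.copy(source, tmp, StandardCopyOption.REPLACE_EXISTING);
      // With a non-null password the JKS loader also verifies the store's integrity digest,
      // so a truncated or corrupted download fails here, before Kafka ever opens the file.
      KeyStore ks = KeyStore.getInstance("JKS");
      try (InputStream in = Files.newInputStream(tmp)) {
        ks.load(in, password);
      }
      if (ks.size() == 0) {
        throw new IOException("Store for " + target + " contains no entries");
      }
      // Same-directory rename; on Linux workers this atomically replaces an existing target.
      Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
      return target;
    } finally {
      Files.deleteIfExists(tmp);
    }
  }

  /** Usage: java StoreStager.java <downloaded-store> <target-path> <store-password> */
  public static void main(String[] args) throws Exception {
    try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
      System.out.println("staged " + stage(in, Paths.get(args[1]), args[2].toCharArray()));
    }
  }
}
```

If `stage` throws on a given worker, the downloaded bytes themselves are bad (truncated or not a JKS store), which separates a download problem from a concurrent-write problem.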