[ https://issues.apache.org/jira/browse/KAFKA-20025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18049091#comment-18049091 ]

Matthieu Nantern commented on KAFKA-20025:
------------------------------------------

[~fujian1115] 

??Do you mean that your controller fails to reload the cert???

No, we don't have any errors when reloading the certs. The issue comes when we 
restart the controllers and the broker needs to open new connections. It tries 
but with an old certificate, the one present at the start of the process. And 
because it tries to connect with an expired certificate, controllers are 
rejecting the connection with a {{CertificateExpiredException}}.

??What's your controller's work mode? Dynamic quorum or static quorum???

My controller is configured as static quorum ({{controller.quorum.voters}}).

??What's your command for kafka-configs.sh???

We are using the following command to reload our broker certificates:
{code:bash}
kafka-configs.sh \
  --bootstrap-server "$BOOTSTRAP_SERVER" \
  --entity-type brokers \
  --entity-name "$BROKER_ID" \
  --command-config /etc/kafka/kafka-broker-acl-client.properties \
  --alter \
  --add-config "listener.name.${LISTENER_NAME_LOWER}.ssl.keystore.location=${KEYSTORE_PATH},listener.name.${LISTENER_NAME_LOWER}.ssl.truststore.location=/var/run/ca.crt"
{code}

> Missing dynamic SSL reconfiguration support for KafkaRaftClient
> ---------------------------------------------------------------
>
>                 Key: KAFKA-20025
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20025
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.9.1, 4.1.1
>            Reporter: Matthieu Nantern
>            Priority: Major
>
> Hi,
> I'd like to discuss a gap in the dynamic SSL reconfiguration support for 
> KRaft mode that affects brokers connecting to the controller quorum.
> In KRaft mode, when SSL certificates are renewed and dynamically reloaded via 
> {{{}kafka-configs.sh{}}}, the KafkaRaftClient (used by brokers to fetch 
> cluster metadata from controllers as "observers" per KIP-853) does not pick 
> up the new certificates.
> This causes SSL handshake failures with {{CertificateExpiredException}} 
> errors, even though the reload command reports success.
>
> Error observed on broker:
> {code}
> org.apache.kafka.common.errors.SslAuthenticationException: Failed to process post-handshake messages
>     Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
> {code}
> Error observed on controller:
> {code}
>     Caused by: java.security.cert.CertificateExpiredException: NotAfter: Wed Dec 17 08:28:22 UTC 2025
> {code}
> The SslChannelBuilder implements ListenerReconfigurable and supports
> dynamic SSL reconfiguration. However, in KafkaRaftManager, the channel 
> builder is never registered with config.addReconfigurable().
> In contrast, {{NodeToControllerChannelManager}} (and other components) 
> correctly registers the channel builder:
> NodeToControllerChannelManager.scala (trunk, lines 130-132):
> {code:scala}
> channelBuilder match {
>   case reconfigurable: Reconfigurable =>
>     config.addReconfigurable(reconfigurable)
>   case _ =>
> }
> {code}
> I checked that the issue exists in both Kafka 3.9.1 and current trunk (as
> of 2025-12-17).
> The only reliable workaround I found is to restart the Kafka broker when
> certificates are renewed. Has anyone else encountered this, or is there a 
> reason this was intentionally left out?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
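As an added example (not part of this Jira thread and not Kafka's own code): a small Python check that looks for the failure signature described in KAFKA-20025 in broker and controller logs, so an operator can tell "the keystore was reloaded, but the broker's raft client still presents the old, now-expired certificate" apart from an ordinary expired-certificate incident. The log lines below are constructed for the example, modelled on the error strings quoted in the issue; the `[yyyy-MM-dd HH:mm:ss,SSS]` timestamp prefix is the usual Kafka log4j layout and is an assumption about the deployment's logging configuration, as are the broker and controller ids.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (made up for this example, not taken from any real
# cluster), modelled on the broker and controller errors quoted in KAFKA-20025.
# Timestamps are UTC; the broker id, controller id and listener name are placeholders.
BROKER_LOG = """\
[2025-12-17 09:01:12,004] INFO [BrokerServer id=1] Reconfiguring listener.name.internal.ssl.keystore.location
[2025-12-17 09:15:40,118] ERROR [RaftManager id=1] org.apache.kafka.common.errors.SslAuthenticationException: Failed to process post-handshake messages
[2025-12-17 09:15:40,119] ERROR [RaftManager id=1] Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
"""

CONTROLLER_LOG = """\
[2025-12-17 09:15:40,120] WARN [Controller id=3000] Caused by: java.security.cert.CertificateExpiredException: NotAfter: Wed Dec 17 08:28:22 UTC 2025
"""

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\]")
RELOAD_RE = re.compile(r"\.ssl\.keystore\.location")
POST_HANDSHAKE_RE = re.compile(r"SslAuthenticationException: Failed to process post-handshake messages")
ALERT_RE = re.compile(r"Received fatal alert: certificate_unknown")
EXPIRED_RE = re.compile(r"CertificateExpiredException: NotAfter: (.+)$")


def parse_ts(line: str):
    """Return the Kafka log timestamp of a line as an aware UTC datetime, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_not_after(line: str):
    """Extract the NotAfter date from a CertificateExpiredException message."""
    m = EXPIRED_RE.search(line)
    if not m:
        return None
    # java.util.Date prints as e.g. "Wed Dec 17 08:28:22 UTC 2025"
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Z %Y").replace(tzinfo=timezone.utc)


def analyze(broker_log: str, controller_log: str) -> dict:
    """Correlate a keystore reload on the broker with later handshake failures
    and the controller's expired-certificate rejection."""
    reloads, failures, alerts = [], [], []
    for line in broker_log.splitlines():
        ts = parse_ts(line)
        if RELOAD_RE.search(line):
            reloads.append(ts)
        if POST_HANDSHAKE_RE.search(line):
            failures.append(ts)
        if ALERT_RE.search(line):
            alerts.append(ts)
    expired = [parse_not_after(l) for l in controller_log.splitlines() if EXPIRED_RE.search(l)]

    # The reload must precede the failures: a failure before any reload is just
    # an expired certificate, not a reload that did not take effect.
    reload_before_failure = bool(reloads and failures and max(reloads) < min(failures))
    finding = {
        "handshake_failures": len(failures),
        "certificate_unknown_alerts": len(alerts),
        "expired_not_after": expired[0] if expired else None,
        "reload_before_failure": reload_before_failure,
    }
    # Stale-client-certificate signature: the broker applied a keystore reload,
    # later failed the TLS handshake to the controller, and the controller says
    # the presented certificate is expired, i.e. the reload never reached the
    # raft client's channel builder.
    finding["stale_raft_client_cert"] = (
        finding["handshake_failures"] > 0
        and finding["expired_not_after"] is not None
        and reload_before_failure
    )
    finding["action"] = (
        "restart broker (dynamic SSL reload not applied to KafkaRaftClient)"
        if finding["stale_raft_client_cert"]
        else "no stale-certificate signature found"
    )
    return finding


if __name__ == "__main__":
    for key, value in analyze(BROKER_LOG, CONTROLLER_LOG).items():
        print(f"{key}: {value}")
```

Run it against the broker's and the controllers' server logs for the window around a controller restart; a positive finding is exactly the situation the issue describes, and the only remedy it offers is the broker restart that the finding's `action` field names.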