Hi, I am using this command to test my zookeeper SSL connection:

    openssl s_client -showcerts -connect 55.55.55.55:2280 -cert /root/ca-old3/intermediate/certs/intermediate.cert.pem -key /root/ca-old3/intermediate/private/intermediate.key.pem

That works great and I have this message "Authenticated" in the log:

    [2021-08-22 20:19:36,173] INFO Authenticated Id '1.2.44222.1.9.1=#16137365637572697479406b696e7374612e636f6d,OU=Engineering,O=Ltd,ST=CA,C=US' for Scheme 'x509' (org.apache.zookeeper.server.auth.X509AuthenticationProvider)

So I assume that one is working properly. What if I don't want to use the -cert and -key options of the openssl command? I tried these steps:

1. I chained kac-zookeeper_cluster.cert.pem and intermediate.cert.pem using this command:

    cat /root/myca/intermediate/certs/kac-zookeeper_cluster.cert.pem /root/ca-old3/intermediate/certs/intermediate.cert.pem > /root/ca-old3/intermediate/certs/bundle.cert.pem

2. So above we got bundle.cert.pem generated. Now I generated the PKCS12 file using this command:

    openssl pkcs12 -export -in /root/ca-old3/intermediate/certs/bundle.cert.pem -inkey /root/ca-old3/intermediate/private/kac-zookeeper_cluster.key.pem -out /root/ca-old3/intermediate/private/kac-zookeeper_cluster.p12 -name kac-zookeeper_cluster

3. Generated the jks file using this:

    keytool -importkeystore -srckeystore /root/ca-old3/intermediate/private/kac-zookeeper_cluster.p12 -srcstoretype PKCS12 -alias kac-zookeeper_cluster -destkeystore /root/ca-old3/intermediate/private/kac-zookeeper_cluster.jks

4. I copied kac-zookeeper_cluster.jks to /certs.

5. Ran the zookeeper server.

Got the same error (this time I ran the openssl command to test it without the -cert and -key options; it works with no error if I use those options).

Output from the openssl command:

    verify return:1
    139869852853568:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42

Output from the zookeeper log:

    Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain

I thought combining/chaining the intermediate cert would fix it but nothing.

Best regards,
John Mark Causing
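Before the PKCS12 export in step 2, it is worth checking that the bundle is actually a usable chain. The function below is an added example (not part of the original post, and not ZooKeeper's own tooling) that confirms the private key matches the first certificate in the bundle and that the chain verifies up to the root CA, so a mismatched key, a reversed bundle or a missing intermediate is caught before the keystore is built. It assumes only the openssl CLI; make_toy_pki builds a constructed, throwaway root/intermediate/leaf hierarchy so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post. Requires only the openssl CLI.
set -eu

# check_bundle KEY BUNDLE ROOT_CA
# Succeeds only when the first certificate in BUNDLE (the leaf) matches KEY and
# the leaf plus the intermediates in BUNDLE verify up to ROOT_CA. A bundle in
# the wrong order, a mismatched key, or a missing intermediate all fail.
check_bundle() {
  key="$1"; bundle="$2"; root="$3"
  # openssl x509 reads only the first PEM block, so this is the leaf's public key
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the first certificate in $bundle" >&2
    return 1
  fi
  # verify the leaf, using the rest of the bundle as untrusted intermediates
  if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle" >/dev/null 2>&1; then
    echo "FAIL: chain in $bundle does not verify against $root" >&2
    return 1
  fi
  echo "OK: $bundle"
}

# make_toy_pki DIR: constructed root -> intermediate -> leaf hierarchy for testing
make_toy_pki() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=toy-root \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj /CN=toy-intermediate \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=toy-leaf \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" > "$d/bundle.pem"    # correct order: leaf first
  cat "$d/int.pem" "$d/leaf.pem" > "$d/reversed.pem"  # wrong order
}
```

Run check_bundle against your real key, bundle and root CA file; only the "OK" case is worth feeding to openssl pkcs12 and keytool.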
