Hi everyone,

I'm new to ... pretty much everything in the ZooKeeper world. I'm an experienced DevOps engineer, but I never had to administer Java-based services without either Tomcat or nginx as an SSL proxy involved. What I am currently trying to do is to set up a ZooKeeper cluster of 3 nodes to be utilised by a Kafka cluster, as soon as everything is in place.

Following some guides (like [1] and [2]), I'm still confused by the whole way Java (or at least ZooKeeper) deals with setting up SSL/TLS. I have already understood that it's not designed to point to some certificate and key/chain files directly, but to have them added to some Java keystore/truststore in a specific format instead, because of ... reasons. But I do not find really specific instructions about how to do that in particular, which leaves me with the following questions:

1. acme.sh

I am using acme.sh [3] to receive Let's Encrypt certificates to be used with ZooKeeper. This generates several files (certificate, private key, CA certificate, ...) in PEM format. From what I understood so far (mostly from [4]), these individual files must be added to a PKCS12 archive first, before importing that archive into the application's keystore. This seems to work with the commands shown in [4], but I am not sure this is the correct way, since I have never seen it working yet.

2. What's in the keystore, what's in the truststore?

From what I understood, the keystore is where applications keep their secrets (like certificate, key and so on), and in the truststore they need to have the root and intermediate certificate chains to validate certificates presented to them, i.e. to be able to validate the signature of the signer. In the non-Java world, this means that the keystore is similar to the certificate and key files you feed to applications like Apache httpd and nginx, and the truststore is similar to the loose files in `/etc/ssl/certs` or `/etc/pki/tls/certs`, correct?

3. How does ZooKeeper know which certs to pick?

From what I found in the configuration examples in all tutorials and docs on TLS encryption for ZooKeeper/Kafka, the only parameters to define the certificates to use are:

* which keystore file to use
* which truststore file to use
* which passwords to use to access those JKS files

Since a keystore can hold an arbitrary number of certificates, it is a complete riddle to me how the application decides which of the certificates to use. I can't find any configuration parameter which points to a specific alias in the keystore or similar; even if that exists, most examples seem to be happy without defining it. How does this work? And what must be done or paid attention to to ensure the application picks the appropriate certificate? Especially when the service is reachable by different names (IP of the server, external DNS name, internal DNS name such as the hostname, ...)?

Sorry for so many partially Java-based questions. But I have no clue where better to ask these than in the project I'm currently struggling with.

Best regards,
Marc

[1]: https://docs.confluent.io/platform/current/security/zk-security.html#encrypting-communication-to-zk-with-tls
[2]: https://zookeeper.apache.org/doc/r3.5.5/zookeeperAdmin.html#Quorum+TLS
[3]: https://github.com/acmesh-official/acme.sh
[4]: https://ordina-jworks.github.io/security/2019/08/14/Using-Lets-Encrypt-Certificates-In-Java.html#using-the-certificates-in-a-java-application
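Added example (not part of Marc's post, and not acme.sh's or ZooKeeper's own code): the PEM-to-keystore conversion asked about in question 1, done with openssl alone, plus a check that answers question 2 by listing what actually ends up in each store. It assumes acme.sh's file layout (cert.pem, key.pem, ca.pem, fullchain.pem); the store passwords, the alias "zk1" and the host names are made up for illustration, and the CA and certificate it generates are a constructed stand-in for real Let's Encrypt output so that it runs offline.

```sh
#!/bin/sh
# Added example; not code from the original post, acme.sh or ZooKeeper.
# Builds a ZooKeeper keystore and truststore from acme.sh-style PEM files
# with openssl only, then checks what landed in each store. File names follow
# acme.sh's layout (cert.pem, key.pem, ca.pem, fullchain.pem); the passwords,
# the alias "zk1" and the host names are assumptions made up for illustration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

KS_PASS="change-me-keystore"
TS_PASS="change-me-truststore"

# Constructed stand-in for acme.sh output so the example runs offline: a
# throwaway CA and one server certificate it signs. Never use this in production.
make_fake_acme_output() {
  dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Fake Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Every name the node is reached by goes into the SAN of ONE certificate;
  # quorum TLS is mutual, so the leaf must be good for clientAuth as well.
  cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:zk1.example.internal,DNS:zk1.example.com,IP:10.0.0.11
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=zk1.example.internal" -keyout "$dir/key.pem" -out "$dir/csr.pem" 2>/dev/null
  openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3 -sha256 -extfile "$dir/leaf.ext" -out "$dir/cert.pem" 2>/dev/null
  cat "$dir/cert.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
}

# Keystore: the node's private key, its certificate and the issuing chain as
# one PKCS12 entry under an explicit alias. This is the "secret" side.
build_keystore() {
  dir="$1"; out="$2"; alias="$3"
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -certfile "$dir/ca.pem" -name "$alias" -out "$out" -passout "pass:$KS_PASS"
}

# Truststore: only the CA certificate(s) whose signatures we accept, no keys.
build_truststore() {
  ca="$1"; out="$2"
  openssl pkcs12 -export -nokeys -in "$ca" -caname "issuing-ca" \
    -out "$out" -passout "pass:$TS_PASS"
}

# Number of private keys in a store: a keystore should report 1, a truststore 0.
count_private_keys() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# Aliases (PKCS12 friendlyName attributes) in a store, one per line.
list_aliases() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | sort -u
}

# End-to-end run in a scratch directory.
demo() {
  work="${1:-$(mktemp -d)}"
  make_fake_acme_output "$work"
  build_keystore "$work" "$work/keystore.p12" zk1
  build_truststore "$work/ca.pem" "$work/truststore.p12"
  echo "keystore:   keys=$(count_private_keys "$work/keystore.p12" "$KS_PASS") aliases=$(list_aliases "$work/keystore.p12" "$KS_PASS" | tr '\n' ' ')"
  echo "truststore: keys=$(count_private_keys "$work/truststore.p12" "$TS_PASS") aliases=$(list_aliases "$work/truststore.p12" "$TS_PASS" | tr '\n' ' ')"
  # What the truststore is for: does the presented chain validate against it?
  openssl verify -CAfile "$work/ca.pem" "$work/cert.pem"
  openssl x509 -in "$work/cert.pem" -noout -ext subjectAltName
}

demo "${1:-}"
```

On the ZooKeeper side ([2] is the relevant section), the two files map onto ssl.quorum.keyStore.location / ssl.quorum.keyStore.password and ssl.quorum.trustStore.location / ssl.quorum.trustStore.password in zoo.cfg (the same names without ".quorum" for the client-facing secureClientPort). Since 3.5.5, ssl.quorum.keyStore.type=PKCS12 lets ZooKeeper read the .p12 directly, so the keytool round-trip into a JKS file (keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS) is only needed for older versions. Because the store passwords sit in zoo.cfg, restrict that file to the ZooKeeper user. On question 3: there is indeed no alias parameter. None of the standard JSSE key managers expose one, and the JDK's default SunX509 key manager simply returns the first key entry whose key type fits the negotiated cipher suite without looking at the requested host name, so the robust answer is to keep exactly one private-key entry per store, as above, and to put every name the node is reached by into that one certificate's subjectAltName rather than juggling several certificates. Let's Encrypt certificates are short-lived, so run this conversion from acme.sh's --reloadcmd hook on every renewal.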
