Hello,
I have been trying for days to get Zookeeper 3.5.9 running with PEM as
key/truststore.
the config:
.....
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.protocol=TLSv1.2
ssl.hostnameVerification=true
ssl.keyStore.location=/etc/ssl/private/example_local_chain.crt
ssl.keyStore.type=PEM
ssl.trustStore.location=/etc/ssl/certs/ca-certificates.crt
ssl.trustStore.type=PEM
sslQuorum=true
ssl.quorum.protocol=TLSv1.2
ssl.quorum.hostnameVerification=false
ssl.quorum.keyStore.location=/etc/ssl/private/example_local_chain.crt
ssl.quorum.keyStore.type=PEM
ssl.quorum.trustStore.type=PEM
ssl.quorum.trustStore.location=/etc/ssl/certs/ca-certificates.crt
....
When trying openssl s_client:
# root@fra-test-zoo-01:[~]: openssl s_client -connect fra-test-zoo-01.example.local:2281 -showcerts | grep -i bad
depth=1 C = DE, ST = Germany, L = Frankfurt am Main, O = example, OU = IT, CN = example.com
verify return:1
depth=0 C = DE, ST = Germany, L = Frankfurt am Main, O = example, OU = IT, CN = *.example.local
verify return:1
140431804573504:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42
Zookeeper says:
2021-11-17 11:42:49,433 [myid:1] - ERROR [nioEventLoopGroup-7-4:NettyServerCnxnFactory$CertificateVerifier@363] - Unsuccessful handshake with session 0x0
2021-11-17 11:42:49,438 [myid:1] - WARN [nioEventLoopGroup-7-4:NettyServerCnxnFactory$CnxnChannelHandler@220] - Exception caught
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:283)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
... 17 more
If I try:
openssl s_client -connect fra-test-zoo-01.example.local:2281 -showcerts -cert /etc/ssl/private/example_chain.crt
it just works, as zookeeper says:
2021-11-17 11:47:42,325 [myid:1] - INFO [nioEventLoopGroup-7-4:X509AuthenticationProvider@172] - Authenticated Id 'CN=*.example.local,OU=IT,O=example solutions GmbH,L=Frankfurt am Main,ST=Germany,C=DE' for Scheme 'x509'
My cert file contains:
*.example.local
*.example.com (CA which signed *.example.local)
private key in PKCS#8
I have no idea how to get it running, as Kafka is also not happy about this "Empty server certificate chain".
Any suggestions?
cu denny
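An added diagnostic for the two things a reader would want to check in the post above; this is not code from the post or from the ZooKeeper project. The JDK's TLS server code throws "Empty server certificate chain" from the frame visible in the trace (T12CertificateConsumer.onCertificate) when the client's Certificate message is empty and client authentication is mandatory rather than merely requested; the word "server" is the JDK's wording, the missing chain is the client's. Read together with the server answering openssl with alert 42 (bad_certificate) and the handshake succeeding once -cert is supplied, that pattern means the server is enforcing mutual TLS, so clients such as Kafka need their own certificate and key issued by a CA in the server's trust store. ZooKeeper exposes the server-side setting as ssl.clientAuth (values none/want/need, with need the default); that property name is from memory rather than from the post, so verify it against the 3.5.9 admin guide, and note that none switches client-certificate authentication off entirely. The script parses the openssl error line and the ZooKeeper log for the mutual-TLS pattern, and separately inspects a combined PEM bundle for what I understand the PEM key-store type to read from one file: the certificate chain plus a PKCS#8 private key. The openssl, log and PEM inputs are constructed samples shaped like the post's output, with base64 bodies replaced by placeholders.

```python
import re

# TLS AlertDescription codes (RFC 5246 section 7.2.2) that commonly show up in
# certificate-related handshake failures; openssl prints them as
# "SSL alert number N".
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
}

ALERT_RE = re.compile(r"SSL alert number (\d+)")
JSSE_RE = re.compile(r"SSLHandshakeException: ([^\n]+)")
# One PEM block: the END label must repeat the BEGIN label (backreference \1).
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def parse_openssl_alert(stderr):
    """Name the fatal alert the peer sent, from openssl s_client's error line."""
    m = ALERT_RE.search(stderr)
    if not m:
        return None
    code = int(m.group(1))
    return code, TLS_ALERTS.get(code, "unknown")


def parse_jsse_reason(log):
    """Pull the innermost SSLHandshakeException reason out of a Java stack trace."""
    reasons = JSSE_RE.findall(log)
    return reasons[-1].strip() if reasons else None


def classify_handshake(openssl_stderr, zk_log, works_with_client_cert):
    """Decide whether the failure is the server insisting on a client certificate.

    The JDK raises "Empty server certificate chain" on the *server* side when the
    client's Certificate message is empty and client auth is mandatory; the server
    then sends alert 42 (bad_certificate) to the client, which is what openssl shows.
    """
    alert = parse_openssl_alert(openssl_stderr)
    reason = parse_jsse_reason(zk_log)
    if (alert and alert[1] == "bad_certificate"
            and reason == "Empty server certificate chain"
            and works_with_client_cert):
        return "server requires a client certificate (mutual TLS)"
    if alert and alert[1] in ("unknown_ca", "certificate_unknown"):
        return "peer does not trust the presented chain (check trust store)"
    return "undetermined: alert=%s reason=%s" % (alert, reason)


def inspect_pem_bundle(text):
    """Summarise a combined PEM file: certificate count and private-key encoding."""
    labels = [m.group(1) for m in PEM_RE.finditer(text)]
    key_kinds = {
        "PRIVATE KEY": "PKCS#8 (unencrypted)",
        "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
        "RSA PRIVATE KEY": "PKCS#1 (legacy OpenSSL RSA format)",
        "EC PRIVATE KEY": "SEC1 (legacy OpenSSL EC format)",
    }
    return {
        "certificates": labels.count("CERTIFICATE"),
        "keys": [key_kinds[label] for label in labels if label in key_kinds],
        "first_block": labels[0] if labels else None,
    }


# --- Constructed sample inputs (shaped like the post's output, values made up) ---
SAMPLE_OPENSSL_STDERR = (
    "verify return:1\n"
    "140431804573504:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert "
    "bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42\n"
)
SAMPLE_ZK_LOG = (
    "ERROR [nioEventLoopGroup-7-4:NettyServerCnxnFactory$CertificateVerifier@363] - "
    "Unsuccessful handshake with session 0x0\n"
    "io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: "
    "Empty server certificate chain\n"
    "Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain\n"
)
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...leaf-placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...issuer-placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIE...pkcs8-placeholder...\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(classify_handshake(SAMPLE_OPENSSL_STDERR, SAMPLE_ZK_LOG, works_with_client_cert=True))
    print(inspect_pem_bundle(SAMPLE_BUNDLE))
```

To use it on a real host, capture the stderr of the openssl s_client run without -cert, paste the matching ZooKeeper log excerpt, and pass works_with_client_cert=True if the same command succeeds with -cert and -key; the PEM check only looks at block labels, so it tells you the file's shape (leaf first, chain, one PKCS#8 key) but not whether the chain actually validates.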