Hi,

Can Kafka support multiple CA certs on a broker?
If yes, can you please point me to an example.

Producer signed with second CA (CA2) is failing. Client signed with CA1 is 
working fine.

kafka-console-producer --broker-list kafka.example.com:9093 --topic oem2-kafka 
--producer.config /etc/kafka/oem_producer_ssl.properties
hello oem2
are you there
[2016-07-15 23:01:04,643] ERROR Error when sending message to topic oem2-kafka 
with key: null, value: 15 bytes with error: Failed to update metadata after 
60000 ms. (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
[2016-07-15 23:02:04,646] ERROR Error when sending message to topic oem2-kafka 
with key: null, value: 17 bytes with error: Failed to update metadata after 
60000 ms. (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)

Any suggestions?


----------

Server shows two CA names, but only one subject/issuer name.

openssl s_client -debug -connect localhost:9093 -tls1
subject=/C=GB/ST=London/L=London/O=Confluent/OU=Broker/CN=kafka.example.com
issuer=/CN=ca.example.com/L=London/ST=London/C=GB
---
Acceptable client certificate CA names
/CN=ca.example.com/L=London/ST=London/C=GB
/CN=ca2.example.com/L=London/ST=London/C=GB



Here is my configuration:

kafka.server.truststore.jks:
2 entries
CA1: C=GB, ST=London, L=London, CN=ca.example.com
CA2: C=GB, ST=London, L=London, CN=ca2.example.com

kafka.server.keystore.jks:
4 entries
Alias name: ca2root
Owner: C=GB, ST=London, L=London, CN=ca2.example.com
Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
Alias name: caroot
Owner: C=GB, ST=London, L=London, CN=ca.example.com
Issuer: C=GB, ST=London, L=London, CN=ca.example.com
Alias name: kafka.example.com
Certificate chain length: 2
Certificate[1]:
Owner: CN=kafka.example.com, OU=Broker, O=Confluent, L=London, ST=London, C=GB
Issuer: C=GB, ST=London, L=London, CN=ca.example.com
Alias name: oemkafka.example.com
Certificate chain length: 2
Certificate[1]:
Owner: CN=kafka.example.com, OU=oemBroker, O=Confluent, L=London, ST=London, 
C=GB
Issuer: C=GB, ST=London, L=London, CN=ca2.example.com


Client Side
kafka.oem.truststore.jks
1 entry
Alias name: ca2root
Owner: C=GB, ST=London, L=London, CN=ca2.example.com
Issuer: C=GB, ST=London, L=London, CN=ca2.example.com

kafka.oem.keystore.jks
Alias name: oemkafka.example.com
Certificate chain length: 2
Certificate[1]:
Owner: CN=kafka.example.com, OU=OEM, O=Client2, L=Boston, ST=Boston, C=US
Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
Alias name: ca2root
Owner: C=GB, ST=London, L=London, CN=ca2.example.com
Issuer: C=GB, ST=London, L=London, CN=ca2.example.com


Thanks,
--
Gopal
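As an added check, not part of Gopal's post: the openssl output above already shows the broker presenting the chain issued by ca.example.com (the CA1 entry in the server keystore), while kafka.oem.truststore.jks on the client holds only ca2root. A single TLS listener presents one certificate chain, whichever key entry the JVM key manager picks from a keystore with several, so the OEM producer cannot verify the broker certificate and never completes the handshake it needs to fetch metadata. The script below parses the s_client output and the client's trust anchors, normalising the openssl slash form and the keytool comma form of a DN so they compare equal, and reports trust in both directions. The sample text is copied from the post; the function and variable names are my own.

```python
"""Check both directions of TLS trust between a Kafka broker and a client
from 'openssl s_client' output and keytool-style truststore listings.
Added example; not code from the original post or from Kafka."""

# Sample data copied from the post (the s_client output and the client
# truststore/keystore listings). The names below are assumptions.
S_CLIENT_OUTPUT = """\
subject=/C=GB/ST=London/L=London/O=Confluent/OU=Broker/CN=kafka.example.com
issuer=/CN=ca.example.com/L=London/ST=London/C=GB
---
Acceptable client certificate CA names
/CN=ca.example.com/L=London/ST=London/C=GB
/CN=ca2.example.com/L=London/ST=London/C=GB
---
"""

# Only CA2 is in kafka.oem.truststore.jks on the client side.
CLIENT_TRUST_ANCHORS = ["C=GB, ST=London, L=London, CN=ca2.example.com"]

# Issuer of the client certificate in kafka.oem.keystore.jks.
CLIENT_CERT_ISSUER = "C=GB, ST=London, L=London, CN=ca2.example.com"


def parse_dn(dn):
    """Parse a DN written either in openssl slash form ('/C=GB/ST=London/...')
    or in keytool comma form ('C=GB, ST=London, ...') into a frozenset of
    (attribute, value) pairs, so the two notations compare equal regardless
    of the order in which the tools print the RDNs. Assumption: no escaped
    separators and no multi-valued RDNs, which holds for the DNs on the page."""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    pairs = set()
    for part in parts:
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        pairs.add((attr.strip().upper(), value.strip()))
    return frozenset(pairs)


def parse_s_client(output):
    """Return (issuer DN of the certificate the server presented,
    list of DNs the server announced as acceptable client-certificate CAs)."""
    presented_issuer = None
    acceptable = []
    in_ca_list = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("issuer="):
            presented_issuer = line[len("issuer="):]
        elif line.startswith("Acceptable client certificate CA names"):
            in_ca_list = True
        elif in_ca_list:
            # The CA list is a run of slash-form DNs; anything else ends it.
            if line.startswith("/"):
                acceptable.append(line)
            else:
                in_ca_list = False
    return presented_issuer, acceptable


def diagnose(s_client_output, client_trust_anchors, client_cert_issuer):
    """Report whether the client can verify the broker's certificate and
    whether the broker will accept a client certificate from the given CA."""
    presented_issuer, acceptable = parse_s_client(s_client_output)
    trusted = {parse_dn(d) for d in client_trust_anchors}
    accepted_by_broker = {parse_dn(d) for d in acceptable}
    return {
        "broker_cert_issuer": presented_issuer,
        "client_trusts_broker_issuer": parse_dn(presented_issuer) in trusted,
        "broker_accepts_client_issuer": parse_dn(client_cert_issuer)
        in accepted_by_broker,
    }


if __name__ == "__main__":
    for key, value in diagnose(S_CLIENT_OUTPUT, CLIENT_TRUST_ANCHORS,
                               CLIENT_CERT_ISSUER).items():
        print(f"{key}: {value}")
```

With the post's data the broker does accept CA2-issued client certificates, but the client does not trust the CA1 issuer of the certificate the broker presents, which is the failing direction. The usual remedies are to add ca.example.com to the OEM truststore as well, or to serve the CA2-issued chain from its own listener and keystore where the Kafka version in use supports per-listener SSL settings; rerun the check afterwards and both flags should be True.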
