Thanks, M. Manna.

I followed the steps to recreate the keystore and truststore for SSL setup on
both the client and server machines, and it is working fine if I run the client and
broker on the same Linux host.

The problem starts when I publish the messages from a Kafka client deployed on a
different Linux machine.

I enabled SSL logging in kafka-run-class.sh to see the handshake traces.

I am getting the following error in the producer log for the Kafka broker
certificates. Does the client application need to have access to the server
certificates as well?
Exception traces:

kafka-producer-network-thread | console-producer, fatal error: 46: General
SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target

kafka-producer-network-thread | console-producer, SEND TLSv1.2, Alert:
fatal, description= certificate_unknown

I want to understand whether we need to consider any specific configuration for
the publisher if it is sending messages to a Kafka broker deployed on another
host. Please note that I had already created the client certificate with the steps
mentioned on the Confluent 101 page:
<https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/>

I have also imported the signed client certificates into the JDK-provided certificate
file ($JAVA_HOME/jre/lib/security/cacerts), but no luck.

Thanks
Awadhesh

On Thu, Sep 28, 2017 at 2:02 PM, M. Manna <manme...@gmail.com> wrote:

> Hi Awadhesh,
>
> It seems like your certificate import order (intermediate - root) is
> jumbled up. Could you kindly follow the instructions on confluent.io, where
> Ismael Juma has provided a nice set of steps to follow for SSL setup?
>
> https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
>
> Kindest Regards,
>
> On 28 September 2017 at 09:10, Awadhesh Gupta <awadhesh.in...@gmail.com>
> wrote:
>
> > Hello,
> >
> > I am trying to set up Kafka SSL using certificates on my Windows machine,
> > using the security_overview section of the Kafka documentation as a reference. I have
> > created server.keystore.jks, client.keystore.jks and the respective truststore
> > files and signed them using the keytool command. I followed the complete steps as
> > mentioned in the "Encryption and Authentication using SSL" section.
> >
> > I also configured these files in the server.properties file and started both
> > ZooKeeper and the broker.
> >
> > Here I configured the broker listeners as
> >
> > listeners=SSL://0.0.0.0:9093
> >
> >
> > When I test the setup of the truststore and keystore using the below command
> >
> > openssl s_client -debug -connect localhost:9093 -tls1
> >
> >
> > I am getting the correct subject and issuer in the response, but at the same time I
> > am getting the below exception in the kafka-broker console
> >
> > javax.net.ssl.SSLHandshakeException: null cert chain
> >        at sun.security.ssl.Handshaker.checkthrown(Handshaker.java:1478)
> >
> > Further, all the messages posted using the Kafka publisher with the client
> > certificate (created with the above steps) on port 9093 are rejected by the
> > broker.
> >
> > I want to understand if some steps are missing to create the certificate chain.
> >
> >
> > Thanks in advance
> > Awadhesh
> >
>

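Added example, not part of the thread above and not Confluent's or Kafka's own scripts: the openssl commands that build a private CA, sign a broker certificate (with the broker hostname in its SAN) and a client certificate, bundle each key with its chain into a PKCS12 key store, put only the CA certificate into the trust stores, and then run the two checks a Java client performs in the handshake, chain validation (the "PKIX path building failed" check) and hostname matching. The hostname kafka-broker.example.com, the password, the file names and the client-ssl.properties paths are assumptions; "other-ca" is a stand-in for a client trust store that does not contain the broker's CA, and the keytool steps run only when keytool is on the PATH.

```shell
#!/bin/sh
# Constructed example: private CA, broker and client certs, PKCS12 key stores,
# CA-only trust stores, and the checks a Java client runs in the handshake.
# Hostname, password and paths are made up; "other-ca" stands in for a trust
# store that does not contain the broker's CA.
set -eu

BROKER_HOST="kafka-broker.example.com"   # assumed; must match the broker SAN
PASS="changeit"                          # demo password only

# Create CA, broker and client material inside directory $1.
build_pki() {
    d="$1"
    mkdir -p "$d"

    # 1. The private CA. Its certificate, not the broker's, goes in trust stores.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Kafka CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # An unrelated CA, to reproduce "unable to find valid certification path".
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Some Other CA" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.crt" 2>/dev/null

    # 2. Broker key + CSR, signed by the CA. The SAN is the name clients dial;
    #    a cert issued for "localhost" fails as soon as a remote client connects.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$BROKER_HOST" \
        -keyout "$d/broker.key" -out "$d/broker.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$BROKER_HOST" > "$d/broker.ext"
    openssl x509 -req -in "$d/broker.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 365 -extfile "$d/broker.ext" -out "$d/broker.crt" 2>/dev/null

    # 3. Client key + CSR, signed by the same CA. Needed with ssl.client.auth=required;
    #    a client that presents no certificate shows up as "null cert chain" on the broker.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=console-producer" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$d/client.ext"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 365 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null

    # 4. Key stores: own key + own cert + CA chain in one PKCS12 (ssl.keystore.type=PKCS12).
    #    For JKS: keytool -importkeystore -srckeystore broker.keystore.p12 \
    #             -srcstoretype PKCS12 -destkeystore broker.keystore.jks -deststoretype JKS
    openssl pkcs12 -export -name broker -inkey "$d/broker.key" -in "$d/broker.crt" \
        -certfile "$d/ca.crt" -passout "pass:$PASS" -out "$d/broker.keystore.p12"
    openssl pkcs12 -export -name client -inkey "$d/client.key" -in "$d/client.crt" \
        -certfile "$d/ca.crt" -passout "pass:$PASS" -out "$d/client.keystore.p12"

    # 5. Trust stores: only the CA certificate. Importing the peer's leaf cert, or the
    #    client cert into $JAVA_HOME cacerts, gives the validator no path to a trusted CA.
    #    Java may not treat cert-only PKCS12 files from openssl as trusted entries, so
    #    keytool builds these (skipped here when keytool is not installed).
    if command -v keytool >/dev/null 2>&1; then
        for side in client broker; do
            keytool -importcert -noprompt -alias CARoot -file "$d/ca.crt" \
                -keystore "$d/$side.truststore.jks" -storepass "$PASS" >/dev/null 2>&1
        done
    fi
}

# Does leaf cert $2 chain to trust anchor $1 and nothing else? Prints ok/fail.
# "PKIX path building failed" on the producer is this check failing in Java.
verify_chain() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Does cert $2, chained to $1, cover the hostname $3 the client connects to?
verify_hostname() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Producer/consumer settings matching the files above (paths are assumed).
write_client_config() {
    cat > "$1/client-ssl.properties" <<EOF
security.protocol=SSL
ssl.truststore.location=$1/client.truststore.jks
ssl.truststore.password=$PASS
ssl.keystore.type=PKCS12
ssl.keystore.location=$1/client.keystore.p12
ssl.keystore.password=$PASS
ssl.key.password=$PASS
EOF
}

demo() {
    d="$(mktemp -d)"
    build_pki "$d"
    write_client_config "$d"
    echo "broker cert vs its own CA:  $(verify_chain "$d/ca.crt" "$d/broker.crt")"
    echo "broker cert vs another CA:  $(verify_chain "$d/other-ca.crt" "$d/broker.crt")"
    echo "SAN covers $BROKER_HOST:    $(verify_hostname "$d/ca.crt" "$d/broker.crt" "$BROKER_HOST")"
    echo "SAN covers localhost:       $(verify_hostname "$d/ca.crt" "$d/broker.crt" localhost)"
    # Against a running broker: openssl s_client -connect $BROKER_HOST:9093 -CAfile $d/ca.crt
    # should end with "Verify return code: 0 (ok)" before a Java client is expected to trust it.
}
demo
```

The second verify_chain call is the remote-client situation from the thread: the broker's certificate is fine, but a trust store built without the issuing CA cannot build a path to it, and Java reports exactly that as "unable to find valid certification path to requested target". The hostname check matters once the client is on another host, because a certificate cut for localhost no longer names the address being dialed.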