________________________________
From: Awadhesh Gupta <awadhesh.in...@gmail.com>
Sent: Tuesday, October 3, 2017 1:44 PM
To: users@kafka.apache.org; ja...@scholz.cz
Subject: Re: SSL setup in Kafka 2.10.0.10.2.1 for keystore and truststore files

Hi,

I validated the client chain in the server log after enabling the SSL log, and
it showed entries for both certificates in the chain.

I imported the server CSR (the ca-cert file generated by the command openssl req
-new -x509 -keyout ca-key -out ca-cert -days $VALIDITY) into the client
truststore and the client CSR into the server truststore, and then found no
error in server/client SSL communication. I could see that the publisher can
produce messages and the consumer can consume them without any error.

I am not sure whether self-signed certificates generated with the keytool
command need to be imported into both the client and server applications every
time. Is this also valid for Verisign or other standard CA-generated
certificates?

Regarding hostname validation, must the FQDN of the host always be present in
the CN (common name) of the certificate? What if I want to use some free-form
text in the CSR's CN field so that it works for multiple hosts?

MG> DigiCert certificates support multiple subdomains with a wildcard in the CN
MG> https://www.digicert.com/faq-general.htm#wildcard
MG> remember it's your CA provider that ultimately determines whether a
MG> certificate passes validation or not

Thanks
Awadhesh

On Fri, Sep 29, 2017 at 5:59 PM, Jakub Scholz <ja...@scholz.cz> wrote:

> This normally means that the truststore in your producer doesn't contain a)
> the public key of your broker or b) the public keys of the CA which signed
> the broker key. With this error it didn't even get to the verification of
> the client certificate yet. Looking at the blog post, it looks like there is
> something wrong with your kafka.client.truststore.jks. What you can try is
> to run these two commands and compare the output - whether they talk about
> the same certificates. On the host where you run the client:
>   keytool -list -v -keystore kafka.client.truststore.jks
> And this one on the broker:
>   keytool -list -v -keystore kafka.server.keystore.jks
>
> You can also compare the certificates in the SSL debug log. The section
> starting with "adding as trusted cert:" lists what is in your client
> truststore. The section called "*** Certificate chain" shows the certificates
> which are used by the broker.
>
> When using SSL between different hosts you normally should not need
> anything special, since hostname validation
> (ssl.endpoint.identification.algorithm) is AFAIK disabled by default. If
> you enable hostname verification, the hostname (CN or alternative DNS
> names from the broker key) needs to match the hostname which you use to
> connect. But this is not your case - the error would be different.
>
> Jakub
>
> On Fri, Sep 29, 2017 at 1:05 PM, Awadhesh Gupta <awadhesh.in...@gmail.com>
> wrote:
>
> > Thanks M Manna.
> >
> > I followed the steps to recreate the keystore & truststore for the SSL setup
> > on both the client and server machines, and it is working fine if I run the
> > client and broker on the same Linux host.
> >
> > The problem starts when I publish messages from a Kafka client deployed on a
> > different Linux machine.
> >
> > I enabled the SSL log in kafka-run-class.sh to see the handshake traces.
> >
> > I am getting the following error in the producer log for the Kafka broker
> > certificates - should the client application have access to the server
> > certificates as well?
> > Exception traces:
> >
> > kafka-producer-network-thread | console-producer, fatal error: 46: General
> > SSLEngine problem
> > Caused by: sun.security.validator.ValidatorException: PKIX path building
> > failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> > to find valid certification path to requested target
> >
> > kafka-producer-network-thread | console-producer, SEND TLSv1.2, Alert:
> > fatal, description = certificate_unknown
> >
> > Want to understand whether we need to consider any specific configuration
> > for the publisher if it is sending messages to a Kafka broker deployed on
> > another host. Please note that I had already created the client certificate
> > with the steps mentioned on the Confluent 101
> > <https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/>
> > page.
> >
> > I have also imported the signed client certificates into the JDK-provided
> > certificate file ($JAVA_HOME/jre/lib/security/cacerts) but no luck.
> >
> > Thanks
> > Awadhesh
> >
> > On Thu, Sep 28, 2017 at 2:02 PM, M. Manna <manme...@gmail.com> wrote:
> >
> > > Hi Awadhesh,
> > >
> > > This seems like your certificate import order (intermediate - root) is
> > > jumbled up. Could you kindly follow the instructions on confluent.io where
> > > Ismael Juma has provided a nice set of steps to follow for SSL setup?
> > >
> > > https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
> > >
> > > Kindest Regards,
> > >
> > > On 28 September 2017 at 09:10, Awadhesh Gupta <awadhesh.in...@gmail.com>
> > > wrote:
> > >
> > > > Hello,
> > > >
> > > > I am trying to set up Kafka SSL using certificates on my Windows machine
> > > > using the security_overview section of the Kafka documentation as a
> > > > reference. I have created server.keystore.jks, client.keystore.jks and
> > > > the respective truststore files and signed them using the keytool
> > > > command. I followed the complete steps as mentioned in the "Encryption
> > > > and Authentication using SSL" section.
> > > >
> > > > I also configured these files in the server.properties file and started
> > > > both ZooKeeper and the broker.
> > > >
> > > > Here I configured the broker listeners as
> > > >
> > > > listeners=SSL://0.0.0.0:9093
> > > >
> > > >
> > > > When I test the setup of the truststore and keystore using the command
> > > > below
> > > >
> > > > openssl s_client -debug -connect localhost:9093 -tls1
> > > >
> > > >
> > > > I am getting the correct subject and issuer in the response, but at the
> > > > same time I am getting the exception below in the kafka-broker console
> > > >
> > > > javax.net.ssl.SSLHandshakeException: null cert chain
> > > >        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
> > > >
> > > > Further, all the messages posted using the Kafka publisher with the
> > > > client certificate (created with the above steps) on port 9093 are
> > > > rejected by the broker.
> > > >
> > > > Want to understand if some steps are missing to create the certificate
> > > > chain.
> > > >
> > > >
> > > > Thanks in advance
> > > > Awadhesh
> > > >
> > >
> >
>
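The two things Jakub tells Awadhesh to check, whether the client truststore holds the issuer of the broker certificate and whether the name the client dials matches the broker certificate, can be exercised without a running broker. The script below is an added example, written for this page; it is not code from the thread, from Kafka or from Confluent. It builds a throwaway PKI with openssl only (the CA name, broker1.kafka.example.com, the wildcard SAN and the client name are made up), then runs the chain check that fails with "PKIX path building failed" on the JVM side and the hostname check that ssl.endpoint.identification.algorithm=HTTPS performs. It needs OpenSSL 1.1.0 or later for -verify_hostname.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway Kafka-style PKI built with
# openssl only, used to reproduce the two checks discussed in the thread:
#   1. is the issuer of the broker cert present in the client truststore?
#      (missing -> "PKIX path building failed" on the JVM side)
#   2. does the name the client dials match the broker cert's SAN/CN?
#      (what ssl.endpoint.identification.algorithm=HTTPS checks)
# Assumptions: the CA name, broker1.kafka.example.com, the wildcard SAN and
# the client CN are made up; everything is written under $PKI (a temp dir).
set -e

PKI="${PKI:-$(mktemp -d)}"
BROKER_HOST="broker1.kafka.example.com"
CLIENT_NAME="console-producer"

# sign_csr CSR EXTFILE OUT: issue a certificate from the CA for a CSR.
sign_csr() {
    if [ -n "$2" ]; then ext="-extfile $2"; else ext=""; fi
    # $ext is intentionally unquoted: it is either empty or two words.
    openssl x509 -req -sha256 -days 365 -in "$1" \
        -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
        $ext -out "$3" 2>/dev/null
}

make_pki() {
    # Self-signed CA, the counterpart of the thread's
    # "openssl req -new -x509 -keyout ca-key -out ca-cert -days $VALIDITY".
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test Kafka CA" -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null

    # Broker: the CSR carries only the CN; the SAN (the FQDN plus a wildcard
    # for the other brokers) is added at signing time. When a SAN is present,
    # hostname verification uses it and ignores the CN.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$BROKER_HOST" \
        -keyout "$PKI/broker.key" -out "$PKI/broker.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,DNS:*.kafka.example.com\n' "$BROKER_HOST" \
        > "$PKI/broker.ext"
    sign_csr "$PKI/broker.csr" "$PKI/broker.ext" "$PKI/broker.crt"

    # Client certificate (for ssl.client.auth=required), signed by the same CA.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CLIENT_NAME" \
        -keyout "$PKI/client.key" -out "$PKI/client.csr" 2>/dev/null
    sign_csr "$PKI/client.csr" "" "$PKI/client.crt"

    # A truststore needs only the CA certificate, not every peer's leaf cert;
    # this one file serves both the broker and the client side.
    cp "$PKI/ca.crt" "$PKI/truststore.pem"
}

# chain_ok TRUSTSTORE CERT: 0 if CERT chains to something in TRUSTSTORE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# host_ok TRUSTSTORE CERT HOSTNAME: chain_ok plus a check that HOSTNAME matches
# the cert's SAN (or the CN when there is no SAN), as the JVM does with HTTPS.
host_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# report LABEL CMD...: run one check and print pass/FAIL without aborting.
report() {
    label="$1"; shift
    if "$@"; then echo "pass: $label"; else echo "FAIL: $label"; fi
}

make_pki
TS="$PKI/truststore.pem"
report "broker cert chains to the CA in the truststore" chain_ok "$TS" "$PKI/broker.crt"
# The situation in the thread: the truststore holds a leaf cert, not the CA.
report "broker cert against client.crt as truststore (expected FAIL)" chain_ok "$PKI/client.crt" "$PKI/broker.crt"
report "dialing $BROKER_HOST" host_ok "$TS" "$PKI/broker.crt" "$BROKER_HOST"
report "dialing broker2.kafka.example.com via the wildcard SAN" host_ok "$TS" "$PKI/broker.crt" "broker2.kafka.example.com"
report "dialing by IP 10.0.0.5 (expected FAIL: no iPAddress SAN)" host_ok "$TS" "$PKI/broker.crt" "10.0.0.5"

# Package for Kafka. PKCS12 is read by the JVM directly (ssl.keystore.type=PKCS12);
# keytool -importkeystore converts to JKS if needed. Old JDK 8 builds may not
# read PKCS12 files written by OpenSSL 3 with its default algorithms (-legacy).
openssl pkcs12 -export -name broker -inkey "$PKI/broker.key" -in "$PKI/broker.crt" \
    -certfile "$PKI/ca.crt" -passout pass:changeit -out "$PKI/kafka.server.keystore.p12"
openssl pkcs12 -export -name client -inkey "$PKI/client.key" -in "$PKI/client.crt" \
    -certfile "$PKI/ca.crt" -passout pass:changeit -out "$PKI/kafka.client.keystore.p12"
```

The same rule answers the question about Verisign and other public CAs: the truststore holds the certificate of the issuer (root or intermediate), never a copy of each peer's self-signed leaf, so a CA-signed broker or client certificate is trusted by any side that has that CA. With a self-signed certificate the leaf is its own issuer, which is why it has to be imported wherever it must be trusted. Importing a leaf certificate into the JDK's cacerts does not help for the same reason.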

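The broker in the thread listens on SSL://0.0.0.0:9093, and Jakub notes that ssl.endpoint.identification.algorithm is disabled by default in that Kafka version (it is empty in 0.10.x; Kafka 2.0 changed the default to HTTPS). The script below is an added example, not configuration from the thread or from the Kafka documentation: it writes a broker server.properties and two client.properties files, one with the 0.10.x default (no hostname verification) and one with HTTPS, so the two can be diffed. The store paths, password, and broker1.kafka.example.com are placeholders. It also defines an openssl s_client probe that presents a client certificate; s_client sends no client certificate unless -cert and -key are given, which a broker configured with ssl.client.auth=required rejects.

```shell
#!/bin/sh
# Added example, not from the thread: broker and client configs for the setup
# under discussion, with the weak (0.10.x default) and hardened endpoint
# identification settings side by side. All paths, passwords and hostnames
# are placeholders; files are written under $CONF (a temp dir by default).
set -e

CONF="${CONF:-$(mktemp -d)}"
SSL_DIR="/var/private/ssl"                 # assumed location of the stores
BROKER_HOST="broker1.kafka.example.com"    # must appear in the broker cert's SAN

# Broker side: bind to all interfaces, but advertise the DNS name the
# certificate was issued for. That advertised name is what clients dial
# and, with HTTPS verification on, what they compare against the SAN.
write_broker_config() {
    cat > "$CONF/server.properties" <<EOF
listeners=SSL://0.0.0.0:9093
advertised.listeners=SSL://$BROKER_HOST:9093
security.inter.broker.protocol=SSL
ssl.keystore.location=$SSL_DIR/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=$SSL_DIR/kafka.server.truststore.jks
ssl.truststore.password=changeit
ssl.client.auth=required
EOF
}

# Client side. write_client_config weak reproduces the 0.10.x default (empty
# algorithm, no hostname check); any other name enables HTTPS-style
# verification, after which the dialed name must match the broker cert.
write_client_config() {
    if [ "$1" = "weak" ]; then algo=""; else algo="HTTPS"; fi
    cat > "$CONF/client-$1.properties" <<EOF
bootstrap.servers=$BROKER_HOST:9093
security.protocol=SSL
ssl.truststore.location=$SSL_DIR/kafka.client.truststore.jks
ssl.truststore.password=changeit
ssl.keystore.location=$SSL_DIR/kafka.client.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.endpoint.identification.algorithm=$algo
EOF
}

# hostname_check_enabled NAME: 0 if client-NAME.properties verifies the broker hostname.
hostname_check_enabled() {
    grep -q '^ssl.endpoint.identification.algorithm=HTTPS$' "$CONF/client-$1.properties"
}

# probe_broker HOST PORT CA_PEM CLIENT_CRT CLIENT_KEY: manual handshake check.
# Unlike the bare s_client call in the thread this presents a client cert, so
# a broker with ssl.client.auth=required completes the handshake; -CAfile makes
# s_client validate the broker chain the way the Kafka client does. Not run
# here because it needs a live broker.
probe_broker() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -cert "$4" -key "$5" -verify_return_error </dev/null
}

write_broker_config
write_client_config weak
write_client_config strict
echo "configs written to $CONF"
```

Use the strict file with the console tools, e.g. kafka-console-producer.sh --broker-list broker1.kafka.example.com:9093 --topic test --producer.config client-strict.properties; the only difference from the weak file is the ssl.endpoint.identification.algorithm line, and the only broker-side prerequisite for it is that advertised.listeners carries a name covered by the certificate's SAN.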