Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used to create the CSR and the SERVER CERT.

Sent from my iPhone

> On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>
> You should verify a proper chain of validation. Is your private CA cert in
> your trust store?
>
>> On Thu, 22 Aug 2019, 14:40 Antony A <antonyaugus...@gmail.com> wrote:
>>
>> Hi,
>>
>> I was able to get the broker running if I used a CA created as shown in
>> the example below. https://kafka.apache.org/documentation/#security_ssl
>>
>> The issue I am facing is when I used my internal CA. Not sure what I am
>> missing when I am creating the certificate.
>>
>> Thanks.
>>
>> Sent from my iPhone
>>
>>> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>>>
>>> Hi,
>>> the error looks like a missing configuration value. A good source of
>>> examples of how to set up security can be found at
>>> https://github.com/purbon/kafka-security-playbook or
>>> https://docs.confluent.io/current/kafka/authentication_ssl.html.
>>>
>>> I would verify them and see if you're using the same configuration and
>>> properly set up certificate stores.
>>>
>>> I hope it helps,
>>>
>>> -- Pere
>>>
>>>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugus...@gmail.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have followed the steps to secure the brokers using SSL. I have signed
>>>> the server certificate using internal CA. I have the keystore with server
>>>> certificate, private key and the CA. Also the truststore has only the CA.
>>>>
>>>> Unfortunately I am unable to start the broker with the following server
>>>> properties
>>>>
>>>> isteners=SSL://:9092
>>>> security.inter.broker.protocol=SSL
>>>> ssl.client.auth=required
>>>>
>>>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
>>>> ssl.truststore.password=password
>>>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
>>>> ssl.keystore.password=password
>>>> ssl.key.password=password
>>>>
>>>> # ACLs
>>>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>>>> super.users=User:kafkabroker
>>>>
>>>>
>>>> Here is the error in the logs
>>>>
>>>> org.apache.kafka.common.KafkaException:
>>>> org.apache.kafka.common.config.ConfigException: Invalid value
>>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
>>>> configuration A client SSLEngine created with the provided settings can't
>>>> connect to a server SSLEngine created with those settings.
>>>>
>>>> Any pointers on what to do?
>>>>
>>>> Thanks,
>>>> Antony
>>>>
>>>> PS: Kafka Version 2.3