Thank you. Using a cert with both server and client auth extensions worked.

Sent from my iPhone

> On Aug 22, 2019, at 8:59 AM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>
> Hi,
> I would add both; at the end of the day they do the two jobs. See for more details
> https://github.com/purbon/kafka-security-playbook/blob/master/tls/server.cnf#L25
>
> Message from Antony A <antonyaugus...@gmail.com> on Thu., 22 Aug 2019 at 16:50:
>
>> Is ExtendedKeyUsages an issue for Kafka?
>>
>> #7: ObjectId: 2.5.29.37 Criticality=false
>> ExtendedKeyUsages [
>>   serverAuth
>> ]
>>
>> The certificate itself has the CA in the chain.
>>
>>> On Thu, Aug 22, 2019 at 6:51 AM Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>>>
>>> Can you share your certificate content somehow? I should ask, is it
>>> properly signed with the CA? Can you share as well the current error.
>>>
>>> -- Pere
>>>
>>>> On Thu, 22 Aug 2019, 14:47 Antony A <antonyaugus...@gmail.com> wrote:
>>>>
>>>> Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used
>>>> to create the CSR and the SERVER CERT.
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>>>>>
>>>>> You should verify a proper chain of validation. Is your private CA cert
>>>>> in your trust store?
>>>>>
>>>>>> On Thu, 22 Aug 2019, 14:40 Antony A <antonyaugus...@gmail.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I was able to get the broker running if I used a CA created as shown in
>>>>>> the example below. https://kafka.apache.org/documentation/#security_ssl
>>>>>>
>>>>>> The issue I am facing is when I used my internal CA. Not sure what I am
>>>>>> missing when I am creating the certificate.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>> the error looks like a missing configuration value. A good source of
>>>>>>> examples of how to set up security can be found at
>>>>>>> https://github.com/purbon/kafka-security-playbook or
>>>>>>> https://docs.confluent.io/current/kafka/authentication_ssl.html.
>>>>>>>
>>>>>>> I would verify them and see if you're using the same configuration and
>>>>>>> properly set up certificate stores.
>>>>>>>
>>>>>>> I hope it helps,
>>>>>>>
>>>>>>> -- Pere
>>>>>>>
>>>>>>>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugus...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have followed the steps to secure the brokers using SSL. I have
>>>>>>>> signed the server certificate using an internal CA. I have the keystore
>>>>>>>> with the server certificate, private key and the CA. Also the truststore
>>>>>>>> has only the CA.
>>>>>>>>
>>>>>>>> Unfortunately I am unable to start the broker with the following server
>>>>>>>> properties:
>>>>>>>>
>>>>>>>> listeners=SSL://:9092
>>>>>>>> security.inter.broker.protocol=SSL
>>>>>>>> ssl.client.auth=required
>>>>>>>>
>>>>>>>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
>>>>>>>> ssl.truststore.password=password
>>>>>>>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
>>>>>>>> ssl.keystore.password=password
>>>>>>>> ssl.key.password=password
>>>>>>>>
>>>>>>>> # ACLs
>>>>>>>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>>>>>>>> super.users=User:kafkabroker
>>>>>>>>
>>>>>>>> Here is the error in the logs:
>>>>>>>>
>>>>>>>> org.apache.kafka.common.KafkaException:
>>>>>>>> org.apache.kafka.common.config.ConfigException: Invalid value
>>>>>>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
>>>>>>>> configuration A client SSLEngine created with the provided settings can't
>>>>>>>> connect to a server SSLEngine created with those settings.
>>>>>>>>
>>>>>>>> Any pointers on what to do?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Antony
>>>>>>>>
>>>>>>>> PS: Kafka Version 2.3
>
> --
> Pere Urbon-Bayes
> Software Architect
> http://www.purbon.com
> https://twitter.com/purbon
> https://www.linkedin.com/in/purbon/
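The root cause in this thread is that a broker with `security.inter.broker.protocol=SSL` and `ssl.client.auth=required` uses its own keystore certificate on both sides of the inter-broker connection, so the certificate must be valid as a client certificate too. Kafka checks this at startup by handshaking a client SSLEngine against a server SSLEngine built from the same settings, which is the "client SSLEngine ... can't connect to a server SSLEngine" error above. The script below is an added example, not code from the thread or from the kafka-security-playbook: it issues a broker certificate from a throwaway private CA with `extendedKeyUsage = serverAuth, clientAuth`, issues a second one with `serverAuth` only for comparison, and checks each with `openssl verify` for both purposes. It assumes the `openssl` CLI is installed; the CA name, host names and the `$WORK` scratch directory are constructed values.

```shell
#!/bin/sh
# Added example: issue a Kafka broker certificate from a private CA with both
# TLS EKUs, then verify it for the two roles a broker plays (server + client).
set -e

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch dir, not a real PKI layout

# Create the private CA (basicConstraints/keyUsage set via a config section,
# which works on both OpenSSL 1.x and 3.x).
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Internal CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <name> <eku-list>, e.g. issue_cert broker "serverAuth, clientAuth"
# X509v3 extensions are decided by the signer (the -extfile), not by the CSR,
# so an internal CA that signs with a serverAuth-only profile produces exactly
# the certificate that failed in the thread.
issue_cert() {
  name="$1"; eku="$2"
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s.example.internal\n' \
    "$name" > "$WORK/$name.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\nsubjectAltName = DNS:%s.example.internal\n' \
    "$eku" "$name" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# eku_ok <cert>: print the EKU line and succeed only if both EKUs are present.
eku_ok() {
  ekus=$(openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}')
  echo "EKU: $ekus"
  echo "$ekus" | grep -q 'TLS Web Server Authentication' &&
  echo "$ekus" | grep -q 'TLS Web Client Authentication'
}

# chain_ok <cert>: verify the chain against the CA once per role. A
# serverAuth-only cert passes -purpose sslserver but fails -purpose sslclient,
# mirroring the broker's failed client-side handshake.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1 &&
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

make_ca
issue_cert broker "serverAuth, clientAuth"   # what the thread ended up using
issue_cert serveronly "serverAuth"          # what the internal CA issued first
for c in broker serveronly; do
  if eku_ok "$WORK/$c.crt" && chain_ok "$WORK/$c.crt"; then
    echo "$c.crt: usable on both sides of an inter-broker SSL connection"
  else
    echo "$c.crt: not valid as a client cert; Kafka's startup SSLEngine check would reject it"
  fi
done
```

Run it once to see the contrast; then point `eku_ok` and `chain_ok` at the PEM exported from the real keystore (`keytool -exportcert -rfc`) before importing a certificate from an internal CA. If the CA's signing profile cannot be changed, the alternative is to disable client authentication (`ssl.client.auth=none` or `requested`), which removes the client-side requirement but also the mutual-TLS guarantee.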