On 11/11/23 2:30, Jesus Cea wrote:
I am trying to use "ssl.keystore.certificate.chain" and "ssl.keystore.key" in my brokers' configuration in order to be able to use dynamic recompilation for short TLS certificates expiration. No luck so far.

I have found my mistake. I was providing the private key as PKCS#1 and it must be PKCS#8. The smoking gun is this:

ssl.keystore.key=-----BEGIN RSA PRIVATE KEY----- \
***** \
-----END RSA PRIVATE KEY-----

Instead of "BEGIN RSA PRIVATE KEY", it should be "BEGIN PRIVATE KEY" (no "RSA" there). There are resources online explaining how to convert private keys from PKCS#1 to PKCS#8.

Good so far.

Then I tried to update the broker certificate using "kafka-configs". It worked fine. Cool.

Checking the content of the "__cluster_metadata-0" topic and describing the quorum state (this is a KRaft cluster), I see the new certificate in plaintext on it. So it is available unprotected to all controllers and brokers in the cluster. That is not nice.

I have set "password.encoder.secret=[LONG_AND_RANDOM]" in the broker, but it seems not to be used at all. What am I missing?

An obvious possibility is to encrypt the private key with a long random key only known by the appropriate broker, but I am using OpenJDK and the implemented algorithms are old and insecure, like DES and SHA1.

Some details about this:

https://stackoverflow.com/a/65887228/322220
https://bugs.openjdk.org/browse/JDK-8231581

What am I missing about the usage of "password.encoder.secret" to encrypt the dynamic configuration of a broker in the quorum metadata?

Thanks.

--
Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
j...@jcea.es - https://www.jcea.es/    _/_/    _/_/  _/_/    _/_/  _/_/
Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
jabber / xmpp:j...@jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
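The PKCS#1 versus PKCS#8 point above ("BEGIN RSA PRIVATE KEY" versus "BEGIN PRIVATE KEY") comes down to a DER wrapper: PKCS#8 `PrivateKeyInfo` is a SEQUENCE of a version, an `AlgorithmIdentifier` (here `rsaEncryption`) and an OCTET STRING that carries the unchanged PKCS#1 `RSAPrivateKey`. The usual tool for the conversion is `openssl pkcs8 -topk8 -nocrypt -in key.pem -out key8.pem`. The script below is an added example, not code from the post or from Kafka: it detects the key format from the PEM label, performs the same wrapping with only the Python standard library, and renders the result in the backslash-continued `ssl.keystore.key=` layout the post shows. Function names (`pem_kind`, `pkcs1_to_pkcs8`, `to_properties_value`) are my own, and the sample key is a constructed, structurally valid `RSAPrivateKey` built from the textbook n=3233 parameters; it is not a usable key.

```python
# Added example (not from the original post or Kafka): detect PKCS#1 vs PKCS#8
# PEM private keys and wrap a PKCS#1 RSA key into unencrypted PKCS#8 using only
# the standard library (equivalent to `openssl pkcs8 -topk8 -nocrypt`).
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# PEM label -> key encoding it signals.
LABEL_KINDS = {
    "RSA PRIVATE KEY": "pkcs1",
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "EC PRIVATE KEY": "sec1",
}

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")


def pem_kind(pem: str) -> str:
    """Return 'pkcs1', 'pkcs8', 'pkcs8-encrypted', 'sec1' or 'unknown' from the PEM label."""
    m = PEM_RE.search(pem)
    return LABEL_KINDS.get(m.group(1), "unknown") if m else "unknown"


def pem_to_der(pem: str) -> bytes:
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def der_to_pem(label: str, der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(body, 64)) + f"\n-----END {label}-----\n"


def der_len(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """DER INTEGER for a non-negative value; pads with 0x00 when the top bit is set."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_outer_len(der: bytes) -> int:
    """Total size of the first TLV in `der`, used to check the input is one complete SEQUENCE."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    first = der[1]
    if first < 0x80:
        return 2 + first
    nbytes = first & 0x7F
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def pkcs1_to_pkcs8(pem: str) -> str:
    """Wrap a PKCS#1 'RSA PRIVATE KEY' PEM into an unencrypted PKCS#8 'PRIVATE KEY' PEM."""
    kind = pem_kind(pem)
    if kind != "pkcs1":
        raise ValueError(f"expected a PKCS#1 'RSA PRIVATE KEY' block, got {kind}")
    rsa_key = pem_to_der(pem)
    if rsa_key[0] != 0x30 or der_outer_len(rsa_key) != len(rsa_key):
        raise ValueError("RSAPrivateKey is not a single well-formed DER SEQUENCE")
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER(0), AlgorithmIdentifier, privateKey OCTET STRING }
    info = der_tlv(0x30, der_int(0) + RSA_ALGID + der_tlv(0x04, rsa_key))
    return der_to_pem("PRIVATE KEY", info)


def to_properties_value(pem: str) -> str:
    """Render a PEM block as a multi-line Java properties value with '\\' continuations,
    the layout used for ssl.keystore.key in the post."""
    return " \\\n".join(pem.strip().splitlines())


def toy_pkcs1_pem() -> str:
    """CONSTRUCTED sample: a structurally valid RSAPrivateKey holding the textbook
    n=3233 parameters. Not a usable key; it only exercises the wrapping."""
    n, e, d, p, q = 3233, 17, 2753, 61, 53
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_to_pem("RSA PRIVATE KEY", der_tlv(0x30, b"".join(der_int(v) for v in fields)))


if __name__ == "__main__":
    src = toy_pkcs1_pem()
    print(pem_kind(src))  # pkcs1
    out = pkcs1_to_pkcs8(src)
    print("ssl.keystore.key=" + to_properties_value(out))
```

`pem_kind` is the quick pre-flight check worth running on any key you are about to paste into a broker configuration: a `pkcs1` or `sec1` result means the conversion is still needed, and `pkcs8-encrypted` means the key carries its own passphrase and would need `ssl.key.password` as well.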
