[ 
https://issues.apache.org/jira/browse/KAFKA-14237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17843869#comment-17843869
 ] 

Gaurav Narula commented on KAFKA-14237:
---------------------------------------

Hi [~soxcks] 

I'm unable to reproduce this issue on 3.7. Here's the self-signed cert chain I 
used for checking locally:
{code:java}
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 {code}
The private key:
{code:java}
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
{code}
The Root CA:
{code:java}
-----BEGIN CERTIFICATE-----
MIIDvTCCAqWgAwIBAgIUAzMUkUfTFIln8o4Qi1wHNcixmEcwDQYJKoZIhvcNAQEL
BQAwZTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMREwDwYDVQQHDAhMb2Nh
dGlvbjEPMA0GA1UECgwGQXBhY2hlMQ4wDAYDVQQLDAVLYWZrYTESMBAGA1UEAwwJ
VGVzdCBSb290MB4XDTI0MDUwNjIwMjEyM1oXDTM0MDUwNDIwMjEyM1owZTELMAkG
A1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMREwDwYDVQQHDAhMb2NhdGlvbjEPMA0G
A1UECgwGQXBhY2hlMQ4wDAYDVQQLDAVLYWZrYTESMBAGA1UEAwwJVGVzdCBSb290
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzuz4dYs7/CqkhHVXO8Zz
+1/avBmgXVHgrVMV0njqqtGXH5fHaKQgrmO+dKHjy/brcQbZ+vbctq3F37OdpYwk
pIepKYqEdT9yaR8Eb1m3iWnk3cwwz+QvVwYMHMncOfoMooDvb5jwb1bpsMovsdwe
NvvY3LtoUF4POIGCH79KmwOSJDDpnixVeZHIYHAyhxAE0LM4xEAinmuvp6t1pgtZ
1urid/uZvk/JbWnp+WB1dr7jVGih6dqbjDBfyoI+3APgxiVMySZYTL3kPbE8aJYD
tOXDOO8+0+g+7sGSOPrTF5LsGyE/CDd4lbx4T5mQpavm2iRmuGckXLtBRGJ3xODN
fwIDAQABo2UwYzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB9jAnBgNVHSUEIDAe
BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMIMB0GA1UdDgQWBBTrXaBrjpP8
LHcbfhOcrWvo4+otxjANBgkqhkiG9w0BAQsFAAOCAQEATDJ9+6qQat6V3Bbm0kWk
L+xy2ETefq9ctT4smXLatkUmtiMs/+ZM762iT3QRGC2kKgK2GITucwiemsUR3NkY
V+Y9iqFIkZkdhCfBQB6SAcXhYV5ucBTga0jGE0awEedLEQ6ow/9iUKCfXvH82dWK
t38GFHjrqv6gXrGoJKNYUDYVukZnyLWkwd2LD92AXNJPadaWswVJhve/aWkPVSXo
f2E/wMG/euP3ulDyzLBE4jrx01rn+nxVVN2zm61mcrTovSu+mft2EB9E9Qs4BVDk
vas7tbpsS1mijEoCaArtI8M/IPHRLPE2puM89/fn/jnopUNMZyB6MnaeXsTR/vlm
6w==
-----END CERTIFICATE-----
{code}
I can observe both the leaf and intermediate certificates being presented:
{code:java}
openssl s_client -connect 127.0.0.1:62565
Connecting to 127.0.0.1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
verify return:1
depth=0 CN=Test Broker 1, ST=State, C=US, O=Apache, OU=Kafka
verify return:1
---
Certificate chain
 0 s:CN=Test Broker 1, ST=State, C=US, O=Apache, OU=Kafka
   i:C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  6 20:21:23 2024 GMT; NotAfter: May  4 20:21:23 2034 GMT
 1 s:C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
   i:C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  6 20:21:23 2024 GMT; NotAfter: May  4 20:21:23 2034 GMT
---
{code}

Can you confirm if you're still able to reproduce this on your end?
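The `openssl s_client` transcript is the evidence both sides of this thread rely on, so here is an added example (not code from Kafka, the Bitnami chart or anyone in this thread) that reads such a transcript mechanically: it extracts the "Certificate chain" entries and the final "Verify return code" and reports whether the broker presented a leaf-first chain. The three transcripts inside it are constructed to mirror the cases on this page (a healthy chain ending in a private test root, a lone intermediate, a lone leaf); "myhost.mydomain.com" is the reporter's placeholder, not a real host.

```python
"""Read an `openssl s_client` transcript the way the comment above reads it.

Added illustration, not code from Kafka or anyone in this thread: it extracts
the "Certificate chain" entries and the final "Verify return code" from
s_client output and reports whether the server presented a leaf-first chain.
The transcripts below are constructed to mirror the cases on this page
(healthy chain with a private test root, lone intermediate, lone leaf);
"myhost.mydomain.com" is the reporter's placeholder, not a real host.
"""
import re

ENTRY_RE = re.compile(r"^\s*\d+ s:(.*)$")            # " 0 s:CN=..." subject of entry N
ISSUER_RE = re.compile(r"^\s*i:(.*)$")               # "   i:C=US, ..." issuer of that entry
VERIFY_RE = re.compile(r"^Verify return code: (\d+) \(")

# X509 verify results that mean an issuer is missing from what the server sent.
MISSING_ISSUER = {20: "unable to get local issuer certificate",
                  21: "unable to verify the first certificate"}


def _norm(dn):
    """'CN = x' (OpenSSL 1.1) and 'CN=x' (OpenSSL 3) compare equal after this."""
    return re.sub(r"\s*=\s*", "=", dn.strip())


def parse_s_client(output):
    """Return ([(subject, issuer), ...] in presented order, verify_code or None)."""
    chain, verify = [], None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            chain.append([_norm(m.group(1)), None])
            continue
        m = ISSUER_RE.match(line)
        if m and chain and chain[-1][1] is None:
            chain[-1][1] = _norm(m.group(1))
            continue
        m = VERIFY_RE.match(line.strip())
        if m:
            verify = int(m.group(1))
    return [tuple(c) for c in chain], verify


def diagnose(chain, verify, expected_leaf_cn):
    """Findings an operator would act on; an empty list means the chain looks right."""
    if not chain:
        return ["no 'Certificate chain' section found in the transcript"]
    findings = []
    if "CN=" + expected_leaf_cn not in chain[0][0]:
        findings.append(f"first presented certificate is {chain[0][0]!r}, not the leaf for {expected_leaf_cn}")
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            findings.append(f"certificate {i} issuer does not match certificate {i + 1} subject")
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        findings.append("only one certificate presented; clients must already trust its issuer")
    if verify in MISSING_ISSUER:
        findings.append(f"verify return code {verify} ({MISSING_ISSUER[verify]})")
    return findings


# Constructed transcripts modelled on the outputs quoted in this thread.
HEALTHY = """\
CONNECTED(00000003)
depth=1 C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
verify error:num=19:self-signed certificate in certificate chain
verify return:1
---
Certificate chain
 0 s:CN=Test Broker 1, ST=State, C=US, O=Apache, OU=Kafka
   i:C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
 1 s:C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
   i:C=US, ST=State, L=Location, O=Apache, OU=Kafka, CN=Test Root
---
Verify return code: 19 (self-signed certificate in certificate chain)
"""

INTERMEDIATE_ONLY = """\
Certificate chain
 0 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Verify return code: 0 (ok)
"""

LEAF_ONLY = """\
Certificate chain
 0 s:CN = myhost.mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3
---
Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    for label, text, cn in (("healthy", HEALTHY, "Test Broker 1"),
                            ("intermediate only", INTERMEDIATE_ONLY, "myhost.mydomain.com"),
                            ("leaf only", LEAF_ONLY, "myhost.mydomain.com")):
        print(label, diagnose(*parse_s_client(text), cn) or "OK")
```

Verify code 19 is deliberately not treated as a chain defect: it only says the self-signed root the server sent is not in the local trust store, which is exactly what happens with a private test root and no `-CAfile`. Codes 20 and 21 are the ones that point at a missing intermediate.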

> Kafka TLS Doesn't Present Intermediary Certificates when using PEM
> ------------------------------------------------------------------
>
>                 Key: KAFKA-14237
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14237
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.2.1
>         Environment: Deployed using the Bitnami Helm 
> Chart(https://github.com/bitnami/charts/tree/master/bitnami/kafka)
> The Bitnami Helm Chart uses Docker Image: 
> https://github.com/bitnami/containers/tree/main/bitnami/kafka
> An issue was already opened with Bitnami and they told us to send this 
> upstream: https://github.com/bitnami/containers/issues/6654
>            Reporter: Ryan R
>            Priority: Blocker
>
> When using PEM TLS certificates, Kafka does not present the entire 
> certificate chain.
>  
> Our {{/opt/bitnami/kafka/config/server.properties}} file looks like this:
> {code:java}
> ssl.keystore.type=PEM
> ssl.truststore.type=PEM
> ssl.keystore.key=-----BEGIN PRIVATE KEY----- \
> <redacted>
> -----END PRIVATE KEY-----
> ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- \
> <redacted>
> -----END CERTIFICATE----- \
> -----BEGIN CERTIFICATE----- \
> MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw \
> TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh \
> cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw \
> WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg \
> RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK \
> AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP \
> R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx \
> sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm \
> NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg \
> Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG \
> /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC \
> AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB \
> Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA \
> FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw \
> AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw \
> Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB \
> gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W \
> PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl \
> ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz \
> CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm \
> lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 \
> avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 \
> yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O \
> yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids \
> hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ \
> HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv \
> MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX \
> nLRbwHOoq7hHwg== \
> -----END CERTIFICATE----- \
> ssl.truststore.certificates=-----BEGIN CERTIFICATE----- \
> MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw \
> TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh \
> cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 \
> WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu \
> ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY \
> MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc \
> h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ \
> 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U \
> A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW \
> T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH \
> B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC \
> B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv \
> KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn \
> OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn \
> jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw \
> qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI \
> rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV \
> HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq \
> hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL \
> ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ \
> 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK \
> NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 \
> ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur \
> TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC \
> jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc \
> oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq \
> 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA \
> mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d \
> emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= \
> -----END CERTIFICATE-----{code}
> The {{ssl.keystore.certificate.chain}} has (in order) our endpoint 
> certificate followed by the Let's Encrypt R3 Intermediate certificate 
> underneath it. The {{ssl.truststore.certificates}} entry is the Let's Encrypt 
> ISRG Root X1 CA certificate.
> We can test the configuration with:
> {code:java}
> openssl s_client -connect myhost.mydomain.com -port 9094{code}
> Which returns the below output. The output says that only one certificate is 
> being presented, and it is the Intermediate certificate and not the 
> endpoint/leaf certificate, which is why the signature is failing.
> {code:java}
> CONNECTED(00000003)
> depth=1 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=0 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> 140176629757248:error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last 
> octet invalid:../crypto/rsa/rsa_pss.c:88:
> 140176629757248:error:1417B07B:SSL routines:tls_process_cert_verify:bad 
> signature:../ssl/statem/statem_lib.c:504:
> ---
> Certificate chain
>  0 s:C = US, O = Let's Encrypt, CN = R3
>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
> TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
> cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
> WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
> RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
> AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
> R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
> sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
> NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
> Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
> /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
> AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
> Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
> FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
> AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
> Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
> gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
> PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
> ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
> CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
> lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
> avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
> yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
> yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
> hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
> HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
> MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
> nLRbwHOoq7hHwg==
> -----END CERTIFICATE-----
> subject=C = US, O = Let's Encrypt, CN = R3
> issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 1838 bytes and written 329 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---{code}
> If I remove the Intermediary certificate from the 
> {{ssl.keystore.certificate.chain}} entry, Kafka now sends me the endpoint 
> certificate but without the Intermediary certificate. This means the 
> certificate will not be trusted unless the intermediary certificate is 
> manually trusted. The output of {{openssl s_client -connect 
> myhost.mydomain.com -port 9094}} is now:
> {code:java}
> CONNECTED(00000003)
> depth=0 CN = myhost.mydomain.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = myhost.mydomain.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:CN = myhost.mydomain.com
>    i:C = US, O = Let's Encrypt, CN = R3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> <redacted>
> -----END CERTIFICATE-----
> subject=CN = myhost.mydomain.com
> issuer=C = US, O = Let's Encrypt, CN = R3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2011 bytes and written 402 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 21 (unable to verify the first certificate)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
>     Session-ID: <redacted>
>     Session-ID-ctx:
>     Resumption PSK: <redacted>
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 86400 (seconds)
>     TLS session ticket:
>     <redacted>
>     Start Time: 1663274615
>     Timeout   : 7200 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
>     Extended master secret: no
>     Max Early Data: 0 {code}
> The current workaround is to install the Intermediary certificate in the root 
> of trust.
> I have tried reversing the order of the certificates in the 
> {{ssl.keystore.certificate.chain}} entry, which makes Kafka throw errors (as 
> expected).
> I have also tried adding the Root certificate to the 
> {{ssl.keystore.certificate.chain}} (a total of 3 certificates), and this 
> results in the Root CA certificate alone being sent in the TLS handshake. It 
> seems that Kafka always sends a single certificate, and it is always the last 
> one in the {{ssl.keystore.certificate.chain}} chain.
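The reporter's config folds the PEM blocks into a single Java properties value with trailing backslashes, a layout that is easy to get subtly wrong. The following is an added example, not Kafka's code and not the reporter's: it reads `ssl.keystore.certificate.chain` from such text using java.util.Properties continuation rules (only the `=` separator is handled), splits the PEM blocks and checks that each certificate's issuer Name is byte-for-byte the next certificate's subject Name, the leaf-first order the thread describes. The `fake_cert()` fixture builds certificate-shaped DER for the demonstration; it is constructed data, not a real or signed certificate. The property names are Kafka's own.

```python
"""Check the certificate order of a Kafka PEM keystore chain before deploying it.

Added illustration, not Kafka's code: reads ssl.keystore.certificate.chain from
server.properties-style text (backslash continuations joined the way
java.util.Properties does; only the "=" separator is handled), splits the PEM
blocks and verifies a leaf-first chain: each certificate's issuer Name must be
byte-for-byte the next certificate's subject Name. The DER walker reads only
those two fields. fake_cert() builds certificate-shaped DER for the demo; it is
constructed data, not a real or signed certificate.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def properties_value(text, key):
    """Value of `key`; a line ending in a backslash continues onto the next one."""
    logical, buf, continued = [], [], False
    for raw in text.splitlines():
        line = raw.lstrip() if continued else raw    # Properties drops leading blanks of a continuation
        continued = line.endswith("\\")
        buf.append(line[:-1] if continued else line)
        if not continued:
            logical.append("".join(buf))
            buf = []
    for entry in logical + ["".join(buf)]:
        k, sep, v = entry.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None

def der_tlv(buf, pos):
    """Decode tag and length at `pos`; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """(tag, tlv_start, tlv_end) for each element of a constructed value; whole TLV kept."""
    out, pos = [], start
    while pos < end:
        tag, _, vend = der_tlv(buf, pos)
        out.append((tag, pos, vend))
        pos = vend
    return out

def cert_names(der):
    """(issuer, subject) as raw DER Name bytes of an X.509 Certificate."""
    _, cs, _ = der_tlv(der, 0)                         # Certificate SEQUENCE
    _, ts, te = der_tlv(der, cs)                       # tbsCertificate SEQUENCE
    fields = der_children(der, ts, te)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return der[fields[2][1]:fields[2][2]], der[fields[4][1]:fields[4][2]]

def check_chain(chain_value):
    """Count, leaf-first ordering, self-signed tail and fingerprints of a PEM chain value."""
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(chain_value or "")]
    names = [cert_names(d) for d in ders]
    return {
        "count": len(ders),
        "leaf_first": bool(ders) and all(names[i][0] == names[i + 1][1] for i in range(len(ders) - 1)),
        "ends_with_root": bool(ders) and names[-1][0] == names[-1][1],
        "sha256": [hashlib.sha256(d).hexdigest() for d in ders],  # compare with s_client -showcerts
    }

# ---- constructed fixture: certificate-shaped DER, NOT real certificates ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(subject_cn, issuer_cn):
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))   # sha256WithRSAEncryption
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, b"240506202123Z") * 2) + name(subject_cn) + _tlv(0x30, bytes(300)))
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(17)))          # placeholder signature

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

def build_properties(chain, trust, stray_backslash=False):
    """server.properties text in the reporter's layout: every PEM line ends in ' \\'."""
    fold = lambda certs: " \\\n".join("\n".join(to_pem(c) for c in certs).splitlines())
    tail = " \\" if stray_backslash else ""             # backslash left on the chain's last END line
    return ("ssl.keystore.type=PEM\nssl.keystore.certificate.chain=" + fold(chain) + tail
            + "\nssl.truststore.certificates=" + fold(trust) + "\n")
```

One thing the example makes visible: a backslash left on the last `-----END CERTIFICATE-----` line of the chain value folds the following `ssl.truststore.certificates` line into the chain (that is simply how java.util.Properties continuation works), so the chain silently gains a third certificate and the truststore property disappears. Comparing the reported SHA-256 fingerprints against `openssl s_client -showcerts` output tells you which of the configured certificates actually reach the wire.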



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
