Did you make sure both those CAs are imported into Broker's truststore? -Harsha
On Fri, Jul 15, 2016 at 5:12 PM Raghavan, Gopal <gopal.ragha...@here.com> wrote:
> Hi,
>
> Can Kafka support multiple CA certs on broker.
> If yes, can you please point me to an example.
>
> Producer signed with second CA (CA2) is failing. Client signed with CA1 is working fine.
>
> kafka-console-producer --broker-list kafka.example.com:9093 --topic oem2-kafka --producer.config /etc/kafka/oem_producer_ssl.properties
> hello oem2
> are you there
> [2016-07-15 23:01:04,643] ERROR Error when sending message to topic oem2-kafka with key: null, value: 15 bytes with error: Failed to update metadata after 60000 ms. (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
> [2016-07-15 23:02:04,646] ERROR Error when sending message to topic oem2-kafka with key: null, value: 17 bytes with error: Failed to update metadata after 60000 ms. (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
>
> Any suggestions?
>
> ----------
>
> Server shows two CA names, but only one subject/issuer name.
>
> openssl s_client -debug -connect localhost:9093 -tls1
> subject=/C=GB/ST=London/L=London/O=Confluent/OU=Broker/CN=kafka.example.com
> issuer=/CN=ca.example.com/L=London/ST=London/C=GB
> ---
> Acceptable client certificate CA names
> /CN=ca.example.com/L=London/ST=London/C=GB
> /CN=ca2.example.com/L=London/ST=London/C=GB
>
> Here is my configuration:
>
> kafka.server.truststore.jks:
> 2 entries
> CA1: C=GB, ST=London, L=London, CN=ca.example.com
> CA2: C=GB, ST=London, L=London, CN=ca2.example.com
>
> kafka.server.keystore.jks:
> 4 entries
> Alias name: ca2root
> Owner: C=GB, ST=London, L=London, CN=ca2.example.com
> Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
> Alias name: caroot
> Owner: C=GB, ST=London, L=London, CN=ca.example.com
> Issuer: C=GB, ST=London, L=London, CN=ca.example.com
> Alias name: kafka.example.com
> Certificate chain length: 2
> Certificate[1]:
> Owner: CN=kafka.example.com, OU=Broker, O=Confluent, L=London, ST=London, C=GB
> Issuer: C=GB, ST=London, L=London, CN=ca.example.com
> Alias name: oemkafka.example.com
> Certificate chain length: 2
> Certificate[1]:
> Owner: CN=kafka.example.com, OU=oemBroker, O=Confluent, L=London, ST=London, C=GB
> Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
>
> Client Side
> kafka.oem.truststore.jks
> 1 entry
> Alias name: ca2root
> Owner: C=GB, ST=London, L=London, CN=ca2.example.com
> Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
>
> kafka.oem.keystore.jks
> Alias name: oemkafka.example.com
> Certificate chain length: 2
> Certificate[1]:
> Owner: CN=kafka.example.com, OU=OEM, O=Client2, L=Boston, ST=Boston, C=US
> Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
> Alias name: ca2root
> Owner: C=GB, ST=London, L=London, CN=ca2.example.com
> Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
>
> Thanks,
> --
> Gopal