Hi Kafka users, Recently I've been following https://kafka.apache.org/documentation/#security_ssl to configure SSL connections between Kafka and Filebeat (using Sarama library).
Basically the doc works perfectly for what it is tested against - SSL between Kafka and Kafka-console-producer/consumer. However, due to implementation differences, it doesn't work with the golang library. There are two points in the document that should be fixed to generate usable certificates:

1. As reported in KAFKA-3647 <https://issues.apache.org/jira/browse/KAFKA-3647>, keytool by default generates a DSA keypair, and go tls doesn't support the cipher suite. There was a PR <https://github.com/apache/kafka/pull/1416> to update the document to generate an RSA key. However, the genkey command appears twice in the document, and the first one is still without the RSA flag.

2. In the document, the SAN is set when generating the csr. However, when it uses openssl to sign the csr, the SAN field is discarded (a discussion here explains why <http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html>). So actually, if you follow the document, the SAN is not set in the keystore! This is fine because kafka-console-producer/consumer doesn't do the strict check. But when the client is verifying the CA/SAN, the SSL connection will fail. The correct place for adding the SAN is when the cert is signed.

I wish the document could be updated so that users won't have this pain in the future.

Best Regards,
Liu
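The following is an added example, not part of Liu's message or of the Kafka documentation, that reproduces the failure a Go client (such as Sarama) sees when the SAN was lost at signing time. It does not run keytool or openssl; instead it builds, in memory, a CA and two RSA broker certificates with the same CN, one with a subjectAltName and one without, and runs the same chain-plus-hostname verification that Go's crypto/tls performs. The hostname broker.example.com and all certificate names are constructed for the example. CheckBrokerCert flags the two pitfalls from the mail (DSA key, missing SAN) on any parsed certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template; names and lifetimes are constructed for this example.
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return tmpl
}

// issue generates an RSA key (never DSA, which Go TLS cannot use) and signs tmpl with the
// parent, or self-signs it when parent is nil. Returns the parsed certificate and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildCerts returns a CA and two broker certs sharing the CN host: brokerNoSAN mirrors the
// documented openssl flow where the CSR's SAN is dropped, brokerSAN has the SAN added at signing.
func BuildCerts(host string) (ca, brokerNoSAN, brokerSAN *x509.Certificate, err error) {
	ca, caKey, err := issue(newTemplate(1, "example-ca", true), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	brokerNoSAN, _, err = issue(newTemplate(2, host, false), ca, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := newTemplate(3, host, false)
	tmpl.DNSNames = []string{host} // the SAN that must be present at signing time
	brokerSAN, _, err = issue(tmpl, ca, caKey)
	return ca, brokerNoSAN, brokerSAN, err
}

// VerifyAsGoClient performs the chain and hostname verification crypto/tls applies to a server cert.
func VerifyAsGoClient(broker, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := broker.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IsHostnameError reports whether err is the SAN/hostname mismatch rather than a chain problem.
func IsHostnameError(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// CheckBrokerCert flags the two pitfalls from the mail on any parsed certificate.
func CheckBrokerCert(c *x509.Certificate) []string {
	var problems []string
	if c.PublicKeyAlgorithm == x509.DSA {
		problems = append(problems, "DSA key (keytool default): no Go TLS cipher suite supports it, regenerate with -keyalg RSA")
	}
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		problems = append(problems, "no subjectAltName: Go ignores the CN, so hostname verification fails")
	}
	return problems
}

func main() {
	const host = "broker.example.com" // constructed hostname
	ca, noSAN, withSAN, err := BuildCerts(host)
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"without SAN": noSAN, "with SAN": withSAN} {
		fmt.Printf("%-12s problems=%v verify=%v\n", name, CheckBrokerCert(c), VerifyAsGoClient(c, ca, host))
	}
}
```

To inspect a real broker certificate, PEM-decode it and pass the result of x509.ParseCertificate to CheckBrokerCert; an empty slice means neither pitfall applies. On the openssl side the SAN survives if it is supplied at signing time, for example through an extension file containing a subjectAltName line passed with -extfile to openssl x509 -req, rather than only on the CSR; and both keytool genkey commands need -keyalg RSA.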