This normally means that the truststore in your producer doesn't contain a) the public key of your broker or b) the public keys of the CA which signed the broker key. With this error it didn't even get to the verification of the client certificate yet. Looking at the blog post it looks like there is something wrong with your kafka.client.truststore.jks. What you can try is to run these two commands and compare the output - whether they talk about the same certificates.

On the host where you run the client:

    keytool -list -v -keystore kafka.client.truststore.jks

And this one on the broker:

    keytool -list -v -keystore kafka.server.keystore.jks
You can also compare the certificates in the SSL debug log. The section starting with "adding as trusted cert:" lists what is in your client truststore. The section called "*** Certificate chain" shows the certificates which are used by the broker. When using SSL between different hosts you normally should not need anything special, since the hostname validation (ssl.endpoint.identification.algorithm) is AFAIK disabled by default. If you enable the hostname verification, the hostname (CN or alternative DNS names from the broker key) needs to match the hostname which you use to connect to. But this is not your case - the error would be different.

Jakub

On Fri, Sep 29, 2017 at 1:05 PM, Awadhesh Gupta <awadhesh.in...@gmail.com> wrote:
> Thanks M Manna.
>
> I followed the steps to recreate the keystore & truststore for SSL setup on
> both Client&Server machine and it is working fine if I run the client and
> broker on same Linux host.
>
> Problem starts when I publish the messages from Kafka Client deployed on
> different Linux machine.
>
> I enabled SSL log in kafka-run-class.sh to see the handshake traces.
>
> I am getting following error in Producer log for Kafka broker
> certificates - Should the client application have access to the server
> certificates as well?
> Exception traces:
>
> kafka-producer-network-thread | console-producer, fatal error: 46: General SSLEngine problem
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> kafka-producer-network-thread | console-producer, SEND TLSv1.2, Alert: fatal, description= certificate_unknown
>
> Want to understand if we need to consider any specific configuration for
> Publisher if it is sending messages to Kafka broker deployed on another
> host.
> Please note that I had already created client certificate with steps
> as mentioned in Confluent 101
> <https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/>
> page.
>
> I have also imported signed client certificates to JDK provided certificate
> file ($JAVA_HOME/jre\lib/security/cacerts) but no luck.
>
> Thanks
> Awadhesh
>
> On Thu, Sep 28, 2017 at 2:02 PM, M. Manna <manme...@gmail.com> wrote:
>
> > Hi Awadhesh,
> >
> > This seems like your certificate import order (intermediate - root) is
> > jumbled up. Could you kindly follow the instructions on confluent.io
> > where Ismael Juma has provided a nice set of steps to follow for SSL setup.
> >
> > https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
> >
> > Kindest Regards,
> >
> > On 28 September 2017 at 09:10, Awadhesh Gupta <awadhesh.in...@gmail.com>
> > wrote:
> >
> > > Hello,
> > >
> > > I am trying to setup Kafka SSL using certificates on my windows machine
> > > using reference of security_overview section of Kafka documents. I have
> > > created server.keystore.jks, client.keystore.jks and respective trust store
> > > file and signed it using keytool command. I followed complete steps as
> > > mentioned in "Encryption and Authentication using SSL" section.
> > >
> > > I also configured these files in server.properties file and started both
> > > zookeeper and broker.
> > >
> > > Here I configured broker listeners as
> > >
> > > listeners=SSL://0.0.0.0:9093
> > >
> > > When I test the setup of truststore and keystore using below command
> > >
> > > openssl s_client -debug -connect localhost:9093 -tls1
> > >
> > > I am getting correct subject and issuer in response but at the same time I
> > > am getting below exception in kafka-broker console
> > >
> > > javax.net.ssl.SSLHandshakeException: null cert chain
> > > at sun.security.ssl.Handshaker.checkthrown(Handshaker.java:1478)
> > >
> > > Further, all the messages posted using Kafka publisher with client
> > > certificate (created with above steps) on port 9093 are rejected by
> > > broker.
> > >
> > > Want to understand if some steps are missing to create certificate chain.
> > >
> > > Thanks in advance
> > > Awadhesh
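The keytool comparison suggested at the top of this reply, as an added example that is not part of the thread: a small Python script that parses two `keytool -list -v` listings (the embedded listings are constructed, abbreviated samples, not the thread's stores) and reports whether the broker's certificate chain is anchored in the client truststore by fingerprint, only by name (a regenerated CA with the same DN, which still fails PKIX path building), or not at all.

```python
import re
# Constructed, abbreviated `keytool -list -v` output; not real stores from the thread.
CLIENT_TRUSTSTORE = """\
Entry type: trustedCertEntry
Owner: CN=TestCA, O=Example
Issuer: CN=TestCA, O=Example
Certificate fingerprints:
\t SHA256: AA:AA:AA
"""

BROKER_KEYSTORE = """\
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=broker1.example.com, O=Example
Issuer: CN=TestCA, O=Example
Certificate fingerprints:
\t SHA256: BB:BB:BB
Certificate[2]:
Owner: CN=TestCA, O=Example
Issuer: CN=TestCA, O=Example
Certificate fingerprints:
\t SHA256: AA:AA:AA
"""

# One certificate block: its subject (Owner), its issuer and its SHA256 fingerprint.
CERT_RE = re.compile(r"Owner: (?P<owner>.+?)\nIssuer: (?P<issuer>.+?)\n.*?SHA256: (?P<fp>\S+)", re.S)

def parse_certs(listing):
    """Return (owner, issuer, sha256) for every certificate in a keytool -v listing."""
    return [(m["owner"].strip(), m["issuer"].strip(), m["fp"]) for m in CERT_RE.finditer(listing)]

def diagnose(truststore_listing, keystore_listing):
    """Can the client truststore anchor the broker's chain?
    ("ok", subject): a chain cert is in the truststore with the same fingerprint.
    ("stale", subject): only the DN matches (e.g. a recreated CA with the same name).
    ("missing", None): nothing in the truststore relates to the broker chain."""
    trusted = parse_certs(truststore_listing)
    chain = parse_certs(keystore_listing)
    trusted_fps = {fp for _, _, fp in trusted}
    trusted_subjects = {owner for owner, _, _ in trusted}
    for owner, _, fp in chain:
        if fp in trusted_fps:
            return "ok", owner
    for owner, issuer, _ in chain:
        for name in (issuer, owner):
            if name in trusted_subjects:
                return "stale", name
    return "missing", None
```

Run it on the real output of the two keytool commands above (client truststore first, broker keystore second); a "stale" result means the CA name is present but the truststore still holds an older CA certificate.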