Is ExtendedKeyUsages an issue for Kafka?

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

The certificate itself has the CA in the chain.

On Thu, Aug 22, 2019 at 6:51 AM Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
> can you share your certificate content somehow? i should ask, is it
> properly signed with the ca? can you share as well the current error.
>
> -- Pere
>
> On Thu, 22 Aug 2019, 14:47 Antony A <antonyaugus...@gmail.com> wrote:
>
> > Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used
> > to create the CSR and the SERVER CERT.
> >
> > Sent from my iPhone
> >
> > > On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
> > >
> > > you should verify a proper chain of validation. is your private ca cert in
> > > your trust store?
> > >
> > >> On Thu, 22 Aug 2019, 14:40 Antony A <antonyaugus...@gmail.com> wrote:
> > >>
> > >> Hi,
> > >>
> > >> I was able to get the broker running if I used a CA created as shown in
> > >> the example below. https://kafka.apache.org/documentation/#security_ssl
> > >>
> > >> The issue I am facing is when I used my internal CA. Not sure what I am
> > >> missing when I am creating the certificate.
> > >>
> > >> Thanks.
> > >>
> > >> Sent from my iPhone
> > >>
> > >>> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
> > >>>
> > >>> Hi,
> > >>> the error looks like a missing configuration value. A good source of
> > >>> examples of how to set up security can be found at
> > >>> https://github.com/purbon/kafka-security-playbook or
> > >>> https://docs.confluent.io/current/kafka/authentication_ssl.html.
> > >>>
> > >>> i would verify them and see if you're using the same configuration and
> > >>> properly set up certificate stores.
> > >>>
> > >>> I hope it helps,
> > >>>
> > >>> -- Pere
> > >>>
> > >>>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugus...@gmail.com> wrote:
> > >>>>
> > >>>> Hi,
> > >>>>
> > >>>> I have followed the steps to secure the brokers using SSL. I have signed
> > >>>> the server certificate using an internal CA. I have the keystore with the
> > >>>> server certificate, private key and the CA. Also the truststore has only the
> > >>>> CA.
> > >>>>
> > >>>> Unfortunately I am unable to start the broker with the following server
> > >>>> properties
> > >>>>
> > >>>> listeners=SSL://:9092
> > >>>> security.inter.broker.protocol=SSL
> > >>>> ssl.client.auth=required
> > >>>>
> > >>>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
> > >>>> ssl.truststore.password=password
> > >>>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
> > >>>> ssl.keystore.password=password
> > >>>> ssl.key.password=password
> > >>>>
> > >>>> # ACLs
> > >>>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> > >>>> super.users=User:kafkabroker
> > >>>>
> > >>>>
> > >>>> Here is the error in the logs
> > >>>>
> > >>>> org.apache.kafka.common.KafkaException:
> > >>>> org.apache.kafka.common.config.ConfigException: Invalid value
> > >>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
> > >>>> configuration A client SSLEngine created with the provided settings can't
> > >>>> connect to a server SSLEngine created with those settings.
> > >>>>
> > >>>> Any pointers on what to do?
> > >>>>
> > >>>> Thanks,
> > >>>> Antony
> > >>>>
> > >>>> PS: Kafka Version 2.3
> > >>>>
> > >>
> > >
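The check a practitioner would want to run on the certificate from this thread, as an added example that is not part of the mailing-list discussion or of Kafka's own code: with security.inter.broker.protocol=SSL and ssl.client.auth=required, the broker presents the same keystore certificate as a TLS client toward other brokers (and the "client SSLEngine ... can't connect to a server SSLEngine" message comes from Kafka validating exactly that pairing at startup), and the JDK trust manager rejects a client certificate whose ExtendedKeyUsage extension is present but omits clientAuth (1.3.6.1.5.5.7.3.2). The script below decodes the DER value of the EKU extension (OID 2.5.29.37) with the standard library only and reports which of serverAuth/clientAuth a broker certificate is missing; the sample extension bytes are constructed inline to mirror the serverAuth-only extension shown in the mail, and the function names are this example's own.

```python
"""Decode an X.509 ExtendedKeyUsage extension value (DER, stdlib only) and
check whether a certificate is usable by a Kafka broker that acts as both
TLS server (listeners=SSL://) and TLS client (inter-broker SSL)."""

# Well-known EKU purpose OIDs (RFC 5280, section 4.2.1.12).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
PURPOSE_NAMES = {SERVER_AUTH: "serverAuth", CLIENT_AUTH: "clientAuth"}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    first = value[0]
    parts = [str(first // 40), str(first % 40)]
    acc = 0
    for b in value[1:]:  # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def decode_eku(ext_value):
    """Parse an EKU extnValue: SEQUENCE OF OBJECT IDENTIFIER -> list of OIDs."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(val))
    return oids


def missing_broker_purposes(eku_oids):
    """Purposes a broker certificate still needs. eku_oids=None means the
    extension is absent, in which case any purpose is permitted."""
    if eku_oids is None:
        return []
    return [PURPOSE_NAMES[o] for o in (SERVER_AUTH, CLIENT_AUTH) if o not in eku_oids]


# --- helpers to construct sample extension bytes for this example ----------
def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        body += bytes(chunk)
    return b"\x06" + bytes([len(body)]) + body


def encode_eku(oids):
    """DER-encode SEQUENCE OF OID (short-form lengths suffice here)."""
    body = b"".join(_encode_oid(o) for o in oids)
    return b"\x30" + bytes([len(body)]) + body


# Constructed sample: serverAuth only, as in the keytool output in the mail.
SERVER_ONLY_EKU = encode_eku([SERVER_AUTH])
# Constructed sample: what an inter-broker certificate should carry.
BOTH_EKU = encode_eku([SERVER_AUTH, CLIENT_AUTH])

if __name__ == "__main__":
    for label, raw in (("server-only", SERVER_ONLY_EKU), ("server+client", BOTH_EKU)):
        oids = decode_eku(raw)
        names = [PURPOSE_NAMES.get(o, o) for o in oids]
        print(f"{label}: EKU={names} missing={missing_broker_purposes(oids)}")
```

On a real keystore, `keytool -list -v -keystore kafka.server.keystore.jks` prints the extension in the same "ObjectId: 2.5.29.37" form quoted in the mail, and `openssl x509 -in cert.pem -noout -text` shows it as "X509v3 Extended Key Usage"; an internal CA that stamps serverAuth alone on server certificates should issue the broker certificate with both purposes (or without the extension) when that certificate also has to satisfy ssl.client.auth=required on the peer broker.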