Hi, I would add both; at the end of the day they do the two jobs. See for more details: https://github.com/purbon/kafka-security-playbook/blob/master/tls/server.cnf#L25
Message from Antony A <antonyaugus...@gmail.com> on Thu, 22 Aug 2019 at 16:50:

> Is ExtendedKeyUsages an issue for Kafka?
>
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
> ]
>
> The certificate itself has the CA in the chain.
>
> On Thu, Aug 22, 2019 at 6:51 AM Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>
>> Can you share your certificate content somehow? I should ask, is it
>> properly signed with the CA? Can you share as well the current error?
>>
>> -- Pere
>>
>> On Thu, 22 Aug 2019, 14:47 Antony A <antonyaugus...@gmail.com> wrote:
>>
>>> Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY
>>> used to create the CSR and the SERVER CERT.
>>>
>>> Sent from my iPhone
>>>
>>>> On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>>>>
>>>> You should verify a proper chain of validation. Is your private CA cert
>>>> in your trust store?
>>>>
>>>>> On Thu, 22 Aug 2019, 14:40 Antony A <antonyaugus...@gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I was able to get the broker running if I used a CA created as shown
>>>>> in the example below. https://kafka.apache.org/documentation/#security_ssl
>>>>>
>>>>> The issue I am facing is when I used my internal CA. Not sure what I am
>>>>> missing when I am creating the certificate.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.ur...@gmail.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>> the error looks like a missing configuration value. A good source of
>>>>>> examples of how to set up security can be found at
>>>>>> https://github.com/purbon/kafka-security-playbook or
>>>>>> https://docs.confluent.io/current/kafka/authentication_ssl.html.
>>>>>>
>>>>>> I would verify them and see if you're using the same configuration and
>>>>>> properly set up certificate stores.
>>>>>>
>>>>>> I hope it helps,
>>>>>>
>>>>>> -- Pere
>>>>>>
>>>>>>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugus...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have followed the steps to secure the brokers using SSL. I have
>>>>>>> signed the server certificate using internal CA. I have the keystore
>>>>>>> with server certificate, private key and the CA. Also the truststore
>>>>>>> has only the CA.
>>>>>>>
>>>>>>> Unfortunately I am unable to start the broker with the following
>>>>>>> server properties
>>>>>>>
>>>>>>> isteners=SSL://:9092
>>>>>>> security.inter.broker.protocol=SSL
>>>>>>> ssl.client.auth=required
>>>>>>>
>>>>>>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
>>>>>>> ssl.truststore.password=password
>>>>>>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
>>>>>>> ssl.keystore.password=password
>>>>>>> ssl.key.password=password
>>>>>>>
>>>>>>> # ACLs
>>>>>>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>>>>>>> super.users=User:kafkabroker
>>>>>>>
>>>>>>> Here is the error in the logs
>>>>>>>
>>>>>>> org.apache.kafka.common.KafkaException:
>>>>>>> org.apache.kafka.common.config.ConfigException: Invalid value
>>>>>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
>>>>>>> configuration A client SSLEngine created with the provided settings
>>>>>>> can't connect to a server SSLEngine created with those settings.
>>>>>>>
>>>>>>> Any pointers on what to do?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Antony
>>>>>>>
>>>>>>> PS: Kafka Version 2.3

-- 
Pere Urbon-Bayes
Software Architect
http://www.purbon.com
https://twitter.com/purbon
https://www.linkedin.com/in/purbon/
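Added example, not part of the thread and not code from the kafka-security-playbook: a small Python check over the text that `keytool -list -v` prints for the broker keystore and truststore, testing the two things the replies ask about. It checks that each Issuer in the keystore chain is the Owner of the next element, that whatever issued the last element is present in the truststore, and that the leaf's ExtendedKeyUsage carries both serverAuth and clientAuth when the EKU extension is present (the reading of "add both" assumed here, since a broker with `security.inter.broker.protocol=SSL` and `ssl.client.auth=required` acts as TLS server and TLS client). The listings, DNs and alias names are constructed, and the parser assumes real keytool output uses the same `Certificate[N]:` / `Owner:` / `Issuer:` / `ExtendedKeyUsages [` lines the thread quotes.

```python
"""Added check, not from the thread: sanity-test a Kafka broker keystore listing
(`keytool -list -v` text) for chain linkage, trust anchor and leaf EKU values."""
import re
from typing import Any, Dict, List, Set

# Constructed sample modelled on `keytool -list -v -keystore kafka.server.keystore.jks`
# (assumption: real output uses the same Certificate[N]/Owner/Issuer/ExtendedKeyUsages
# lines the thread quotes). All names are made up.
BROKER_KEYSTORE_LISTING = """\
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=kafka-broker-1.example.test, O=Example
Issuer: CN=Example Internal CA, O=Example

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

Certificate[2]:
Owner: CN=Example Internal CA, O=Example
Issuer: CN=Example Internal CA, O=Example

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
]
"""
# The same leaf re-issued with both EKUs, i.e. the "add both" fix from the reply.
FIXED_KEYSTORE_LISTING = BROKER_KEYSTORE_LISTING.replace(
    "  serverAuth\n]", "  serverAuth\n  clientAuth\n]")
# Constructed truststore listing holding only the internal CA.
TRUSTSTORE_LISTING = """\
Entry type: trustedCertEntry

Owner: CN=Example Internal CA, O=Example
Issuer: CN=Example Internal CA, O=Example
"""


def parse_chain(listing: str) -> List[Dict[str, Any]]:
    """One dict per chain element, leaf first. eku is None when the extension
    is absent (no restriction), else the set of names keytool printed."""
    parts = re.split(r"^Certificate\[\d+\]:[ \t]*$", listing, flags=re.M)
    blocks = parts[1:] if len(parts) > 1 else parts  # no markers: single cert
    chain = []
    for block in blocks:
        owner = re.search(r"^Owner: (.+)$", block, re.M)
        issuer = re.search(r"^Issuer: (.+)$", block, re.M)
        eku = re.search(r"ExtendedKeyUsages \[\s*(.*?)\s*\]", block, re.S)
        chain.append({
            "owner": owner.group(1).strip() if owner else "",
            "issuer": issuer.group(1).strip() if issuer else "",
            "eku": None if eku is None else
                   {u.strip() for u in eku.group(1).splitlines() if u.strip()},
        })
    return chain


def trusted_owners(listing: str) -> Set[str]:
    """Subject DNs of every entry in a truststore listing."""
    return {m.strip() for m in re.findall(r"^Owner: (.+)$", listing, re.M)}


def check_broker_keystore(keystore_listing: str, truststore_listing: str,
                          client_auth_required: bool = True) -> List[str]:
    """Return findings (empty list = looks sane). DNs are compared as the strings
    keytool printed, not by signature; `openssl verify` stays the authority."""
    findings: List[str] = []
    chain = parse_chain(keystore_listing)
    if not chain or not chain[0]["owner"]:
        return ["no certificate found in keystore listing"]
    # 1. Each Issuer must be the Owner of the next element in the chain.
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["owner"]:
            findings.append(f"chain broken after element {i + 1}: issuer "
                            f"{chain[i]['issuer']!r} != owner {chain[i + 1]['owner']!r}")
    # 2. Whatever issued the last element (itself, for a self-signed CA) must sit
    #    in the truststore; brokers share one, so this covers inter-broker TLS too.
    anchor = chain[-1]["issuer"]
    if anchor not in trusted_owners(truststore_listing):
        findings.append(f"CA {anchor!r} not in truststore")
    # 3. With security.inter.broker.protocol=SSL and ssl.client.auth=required the
    #    broker is TLS server and TLS client, so a leaf that carries the EKU
    #    extension needs both serverAuth and clientAuth.
    required = {"serverAuth"} | ({"clientAuth"} if client_auth_required else set())
    eku = chain[0]["eku"]
    if eku is not None and required - eku:
        findings.append("leaf ExtendedKeyUsage lacks " + ", ".join(sorted(required - eku)))
    return findings


if __name__ == "__main__":  # real use: feed the saved output of keytool -list -v
    for label, ks in (("as posted", BROKER_KEYSTORE_LISTING), ("fixed", FIXED_KEYSTORE_LISTING)):
        print(label, "->", check_broker_keystore(ks, TRUSTSTORE_LISTING) or "OK")
```

Run against the posted-style listing it reports only the missing clientAuth; against the re-issued leaf it reports nothing. The string comparison of DNs is deliberately a cheap first pass for spotting a wrong CA or a chain element that was never added to the keystore; it does not replace verifying the signature with `openssl verify -CAfile` before blaming the broker configuration.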