Hi, I'd like to enable SSL for a broker. I'd like to get the cert using LetsEncrypt, which generates a private key and certificate chain in PEM format.
KIP-651, which was implemented and released in Kafka 2.7.0, added support for PEM files for TLS configuration, which is great. But I can't seem to figure out how to actually use it. I have this in my server.properties:

    ssl.keystore.type=PEM
    ssl.keystore.key=/etc/letsencrypt/live/domain.redacted/privkey.pem
    ssl.keystore.certificate.chain=/etc/letsencrypt/live/domain.redacted/fullchain.pem

But my server fails to launch with this error:

    ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
    org.apache.kafka.common.errors.InvalidConfigurationException: Invalid PEM keystore configs
    Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: No matching PRIVATE KEY entries in PEM file

I believe this is because it's trying to parse my 'ssl.keystore.key' value as a literal PEM, rather than taking it as a file path which *holds* a PEM.

I have tried specifying the private key file's location with ssl.keystore.location - but then Kafka appears to be expecting a keystore, and complains that I haven't provided a password for the key:

    ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
    org.apache.kafka.common.errors.InvalidConfigurationException: SSL PEM key store is specified, but key password is not specified.

But the LetsEncrypt private key doesn't *have* a password. What's going on here? How can I specify PEM files for SSL?

Here's the KIP which kind of sketches the design: https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key
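The following is an added example, not code from the original post or from the Kafka project. It takes the two constraints the post runs into at face value: ssl.keystore.key / ssl.keystore.certificate.chain hold PEM *contents* rather than paths (which is why the literal path fails with "No matching PRIVATE KEY entries"), and a file-based PEM store given via ssl.keystore.location must come with an ssl.key.password (the second error). So it builds the one file that path-based option wants: the LetsEncrypt privkey.pem re-wrapped as a password-protected PKCS#8 key, followed by fullchain.pem, and then checks that the key in that file matches the leaf certificate. The function names are hypothetical, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the post or from Kafka): assemble a single PEM file usable as
# ssl.keystore.location with ssl.keystore.type=PEM, from LetsEncrypt-style inputs.
set -eu

# make_pem_keystore PRIVKEY FULLCHAIN OUTFILE PASSWORD
#   PRIVKEY   unencrypted PKCS#8 key (LetsEncrypt's privkey.pem)
#   FULLCHAIN leaf certificate first, then intermediates (LetsEncrypt's fullchain.pem)
#   OUTFILE   resulting PEM "keystore"; PASSWORD becomes the value of ssl.key.password
make_pem_keystore() {
    privkey=$1; fullchain=$2; out=$3; pass=$4
    # Re-wrap the key as password-protected PKCS#8 (PBES2/AES-256-CBC) so that a key
    # password exists; the plaintext key never gets copied into the output.
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$privkey" \
        -passout "pass:$pass" -out "$out.key.tmp"
    # Encrypted key block first, then the chain, in one file.
    cat "$out.key.tmp" "$fullchain" > "$out"
    rm -f "$out.key.tmp"
    # The file still carries the (encrypted) private key: keep it private to the broker user.
    chmod 600 "$out"
}

# verify_pem_keystore STOREFILE PASSWORD
#   Returns 0 when the key decrypts with PASSWORD and its public key equals the
#   public key in the first certificate of the file (the leaf), 1 otherwise.
verify_pem_keystore() {
    store=$1; pass=$2
    key_pub=$(openssl pkey -in "$store" -passin "pass:$pass" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$store" -noout -pubkey 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Example run against real LetsEncrypt paths (domain.redacted as in the post):
#   make_pem_keystore /etc/letsencrypt/live/domain.redacted/privkey.pem \
#                     /etc/letsencrypt/live/domain.redacted/fullchain.pem \
#                     /etc/kafka/ssl/broker-keystore.pem 'choose-a-real-password'
#   verify_pem_keystore /etc/kafka/ssl/broker-keystore.pem 'choose-a-real-password'
# and then, in server.properties (assumed mapping to KIP-651's path-based option):
#   ssl.keystore.type=PEM
#   ssl.keystore.location=/etc/kafka/ssl/broker-keystore.pem
#   ssl.key.password=choose-a-real-password
```

Two practical notes: the files under /etc/letsencrypt/live are root-owned symlinks, so the script should run as root (or via a certbot deploy hook) and the output should be owned by the account the broker runs as; and because the chain is rebuilt on every renewal, rerun it from the hook and restart or reconfigure the broker afterwards, otherwise the running broker keeps serving the old chain.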