This is the error we are getting
[2021-06-22 10:59:45,049] ERROR [Consumer clientId=consumer-1, groupId=test-consumer-group] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient) [2021-06-22 10:59:45,051] ERROR Authentication failed: terminating consumer process (kafka.tools.ConsoleConsumer$) org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed Caused by: javax.net.ssl.SSLException: Unsupported record version Unknown-211.79 On Thu, Jun 24, 2021, 17:59 Shilin Wu <s...@confluent.io.invalid> wrote: > You need to make sure the following one by one... Or you can post the > message of error here so we can see exact error. > > > > > > > > 1. Client trust store need to trust the server cert's issuer cert > > > (AKA > > > > > the > > > > > > CA cert) > > > > > > 2. The client must have a keystore that can be trusted by > server's > > > > trust > > > > > > store. > > > > > > 3. The server needs to be accessed either via FQDN, or one of the > > SAN > > > > > > address. If you are doing self sign, you can add many DNS alias > and > > > > even > > > > > ip > > > > > > addresses to the server's cert. > > > > > > 4. Make sure the server cert has extended key usage of > serverAuth, > > > > client > > > > > > cert has extended key usage of clientAuth. Actually you can have > > > both - > > > > > if > > > > > > you are generating yourself. > > [image: Confluent] <https://www.confluent.io> > Wu Shilin > Solution Architect > +6581007012 > Follow us: [image: Blog] > < > https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog > >[image: > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn] > <https://www.linkedin.com/company/confluent/>[image: Slack] > <https://slackpass.io/confluentcommunity>[image: YouTube] > <https://youtube.com/confluent> > [image: Kafka Summit] <https://www.kafka-summit.org/> > > > On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma < > sharma.anjali.2...@gmail.com> > wrote: > > > Thanks for this but we are trying to do this on command line but getting > > this bad certificate error > > > > On Thu, Jun 24, 2021, 17:52 Shilin Wu <s...@confluent.io.invalid> wrote: > > > > > you may do openssl s_client -connect kafkahost:port to dump the cert. > > > > > > See if the cert makes sense. > > > > > > To test if your SSL works, you may try use this java program to test if > > you > > > have SSL trust issue - if it connects ok, the cert trust is mostly to > be > > > okay. (remember to change your host name in code, and jks path in > command > > > line options. > > > > > > > > > java -Djavax.net.ssl.trustStore=truststore.jks > > > -Djavax.net.ssl.trustStorePassword=changeme Test > > > > > > import java.net.*; > > > > > > import java.io.*; > > > > > > import javax.net.ssl.*; > > > > > > > > > /* > > > > > > * This example demostrates how to use a SSLSocket as client to > > > > > > * send a HTTP request and get response from an HTTPS server. > > > > > > * It assumes that the client is not behind a firewall > > > > > > */ > > > > > > > > > public class Test { > > > > > > > > > public static void main(String[] args) throws Exception { > > > > > > try { > > > > > > SSLSocketFactory factory = > > > > > > (SSLSocketFactory)SSLSocketFactory.getDefault(); > > > > > > SSLSocket socket = > > > > > > (SSLSocket)factory.createSocket("cp-kafka1", 9093); > > > > > > > > > /* > > > > > > * send http request > > > > > > * > > > > > > * Before any application data is sent or received, the > > > > > > * SSL socket will do SSL handshaking first to set up > > > > > > * the security attributes. > > > > > > * > > > > > > * SSL handshaking can be initiated by either flushing data > > > > > > * down the pipe, or by starting the handshaking by hand. > > > > > > * > > > > > > * Handshaking is started manually in this example because > > > > > > * PrintWriter catches all IOExceptions (including > > > > > > * SSLExceptions), sets an internal error flag, and then > > > > > > * returns without rethrowing the exception. > > > > > > * > > > > > > * Unfortunately, this means any error messages are lost, > > > > > > * which caused lots of confusion for others using this > > > > > > * code. The only way to tell there was an error is to > call > > > > > > * PrintWriter.checkError(). > > > > > > */ > > > > > > socket.startHandshake(); > > > > > > > > > socket.close(); > > > > > > > > > } catch (Exception e) { > > > > > > e.printStackTrace(); > > > > > > } > > > > > > } > > > > > > } > > > > > > [image: Confluent] <https://www.confluent.io> > > > Wu Shilin > > > Solution Architect > > > +6581007012 > > > Follow us: [image: Blog] > > > < > > > > > > https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog > > > >[image: > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn] > > > <https://www.linkedin.com/company/confluent/>[image: Slack] > > > <https://slackpass.io/confluentcommunity>[image: YouTube] > > > <https://youtube.com/confluent> > > > [image: Kafka Summit] <https://www.kafka-summit.org/> > > > > > > > > > On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma < > > > sharma.anjali.2...@gmail.com> > > > wrote: > > > > > > > Had added those configuration but still seeing only junk certificates > > > from > > > > client side ? Any idea how to solve? > > > > > > > > > > > > Thanks > > > > Anjali > > > > > > > > On Thu, Jun 24, 2021, 17:44 Shilin Wu <s...@confluent.io.invalid> > > wrote: > > > > > > > > > ssl.truststore.location=/root/truststore.jks > > > > > > > > > > ssl.truststore.type=JKS > > > > > > > > > > ssl.truststore.password=changeme > > > > > > > > > > ssl.keystore.location=/root/alice.jks > > > > > > > > > > ssl.keystore.type=JKS > > > > > > > > > > ssl.keystore.password=changeme > > > > > > > > > > security.protocol=SSL > > > > > > > > > > bootstrap.server=cp-kafka1:9093 > > > > > > > > > > ssl.endpoint.identification.algorithm=https > > > > > > > > > > This worked for me pretty well. > > > > > > > > > > Of course you need to generate those certs from open ssl. > > > > > > > > > > The trust store only contains the CA cert, the key store contains > the > > > > > keypair for alice (the user here). > > > > > > > > > > > > > > > [image: Confluent] <https://www.confluent.io> > > > > > Wu Shilin > > > > > Solution Architect > > > > > +6581007012 > > > > > Follow us: [image: Blog] > > > > > < > > > > > > > > > > > > > > > https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog > > > > > >[image: > > > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn] > > > > > <https://www.linkedin.com/company/confluent/>[image: Slack] > > > > > <https://slackpass.io/confluentcommunity>[image: YouTube] > > > > > <https://youtube.com/confluent> > > > > > [image: Kafka Summit] <https://www.kafka-summit.org/> > > > > > > > > > > > > > > > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma < > > > > > sharma.anjali.2...@gmail.com> > > > > > wrote: > > > > > > > > > > > Thanks for this info can you please share what all needs to be > > > present > > > > on > > > > > > the client side for mtls as in what all configuration are needed > > that > > > > > side? > > > > > > > > > > > > Thanks > > > > > > > > > > > > On Thu, Jun 24, 2021, 07:51 Shilin Wu <s...@confluent.io.invalid > > > > > > wrote: > > > > > > > > > > > > > A few things to check: > > > > > > > > > > > > > > 1. Client trust store need to trust the server cert's issuer > cert > > > > (AKA > > > > > > the > > > > > > > CA cert) > > > > > > > 2. The client must have a keystore that can be trusted by > > server's > > > > > trust > > > > > > > store. > > > > > > > 3. The server needs to be accessed either via FQDN, or one of > the > > > SAN > > > > > > > address. If you are doing self sign, you can add many DNS alias > > and > > > > > even > > > > > > ip > > > > > > > addresses to the server's cert. > > > > > > > 4. Make sure the server cert has extended key usage of > > serverAuth, > > > > > client > > > > > > > cert has extended key usage of clientAuth. Actually you can > have > > > > both - > > > > > > if > > > > > > > you are generating yourself. > > > > > > > > > > > > > > > > > > > > > > > > > > > > [image: Confluent] <https://www.confluent.io> > > > > > > > Wu Shilin > > > > > > > Solution Architect > > > > > > > +6581007012 > > > > > > > Follow us: [image: Blog] > > > > > > > < > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog > > > > > > > >[image: > > > > > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn] > > > > > > > <https://www.linkedin.com/company/confluent/>[image: Slack] > > > > > > > <https://slackpass.io/confluentcommunity>[image: YouTube] > > > > > > > <https://youtube.com/confluent> > > > > > > > [image: Kafka Summit] <https://www.kafka-summit.org/> > > > > > > > > > > > > > > > > > > > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma < > > > > > > > sharma.anjali.2...@gmail.com> > > > > > > > wrote: > > > > > > > > > > > > > > > Hi All, > > > > > > > > > > > > > > > > While trying for mtls ssl.client.aut=required, From Client > side > > > we > > > > > are > > > > > > > > seeing some junk certificates which we have not imported on > the > > > > > client > > > > > > > > side? > > > > > > > > > > > > > > > > Please help with this? > > > > > > > > > > > > > > > > Thanks & Regards > > > > > > > > > > > > > > > > Anjali > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
