Hello,

Can anyone help me with the information below?

Which SSL certificate does Kafka SSL check the validity of, the keystore or the truststore, when checking the expiry condition?

Thanks in advance!

Best regards,
Deepak

From: Deepak Jain
Sent: 12 August 2021 15:01
To: users@kafka.apache.org
Cc: Alap Patwardhan <a...@cumulus-systems.com>; Prashant Ahire <prashant.ah...@cumulus-systems.com>
Subject: Kafka checks the validity of SSL certificates keystore or trust store?

Hello,

We are using Kafka for data uploading via SSL. While doing the SSL certificate expiry test, we found that Kafka checks the expiry of the keystore and does not start when the current date exceeds the validity end date of the keystore, dumping the following exception in server.log:

--------START-OF-EXCEPTION--------
[2021-10-08 20:01:39,731] ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:184)
	at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
	at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:107)
	at kafka.network.Processor.<init>(SocketServer.scala:853)
	at kafka.network.SocketServer.newProcessor(SocketServer.scala:442)
	at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors$1(SocketServer.scala:299)
	at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
	at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:297)
	at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:262)
	at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:259)
	at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:563)
	at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:561)
	at scala.collection.AbstractIterable.foreach(Iterable.scala:919)
	at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:259)
	at kafka.network.SocketServer.startup(SocketServer.scala:131)
	at kafka.server.KafkaServer.startup(KafkaServer.scala:285)
	at kafka.Kafka$.main(Kafka.scala:109)
	at kafka.Kafka.main(Kafka.scala)
Caused by: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
	at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:100)
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:180)
	... 17 more
--------END-OF-EXCEPTION--------

Please verify whether our assumption is correct or not. If yes, let us know whether the truststore expiry is taken into account or not. If no, then let us know the correct behavior of Kafka SSL certificate expiry checks.

Also, let us know whether the exclusion of the host (server) certificate received from the CA from the certificate chain while generating the truststore has any impact on the expiry date of the resultant truststore.

Regards,
Deepak
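Added example, not from this thread or from Kafka itself: a small Java program that loads a broker keystore and truststore through the standard KeyStore API and runs X509Certificate.checkValidity() on every certificate in each store. That is the same per-certificate check that PKIX path validation performs during the startup handshake quoted above, so running it from monitoring reports an expired entry in either store, with days remaining, before the broker refuses to start. The file paths, store type and passwords are assumed placeholders; set them to the broker's ssl.keystore.location / ssl.truststore.location values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

/** Reports the validity window of every X.509 certificate in a keystore or truststore. */
public class StoreExpiryCheck {

    /** Returns how many certificates in the store are expired or not yet valid. */
    static int checkStore(String path, String type, char[] password, String label) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int failures = 0;
        Instant now = Instant.now();
        for (String alias : Collections.list(ks.aliases())) {
            // Key entries (keystore) carry a chain, leaf first; trusted entries (truststore) carry one cert.
            Certificate[] chain = ks.isKeyEntry(alias)
                    ? ks.getCertificateChain(alias)
                    : new Certificate[] { ks.getCertificate(alias) };
            if (chain == null) continue;
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                long daysLeft = Duration.between(now, x.getNotAfter().toInstant()).toDays();
                String status = "ok";
                try {
                    x.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
                } catch (CertificateException e) {
                    status = e.getClass().getSimpleName();
                    failures++;
                }
                System.out.printf("%s alias=%s subject=%s notAfter=%s daysLeft=%d status=%s%n",
                        label, alias, x.getSubjectX500Principal().getName(), x.getNotAfter(), daysLeft, status);
            }
        }
        return failures;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder paths, store type and password; take them from the broker's ssl.* settings.
        char[] pw = "changeit".toCharArray();
        int bad = checkStore("/etc/kafka/ssl/kafka.server.keystore.jks", "JKS", pw, "keystore");
        bad += checkStore("/etc/kafka/ssl/kafka.server.truststore.jks", "JKS", pw, "truststore");
        System.exit(bad == 0 ? 0 : 1); // non-zero exit lets a cron job or monitoring check alert on it
    }
}
```

For PKCS12 stores pass "PKCS12" as the type; the rest is unchanged.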