Hello everyone, I am trying to set up a Kafka cluster with mTLS authentication using certificates signed by GCP's CAS (Certificate Authority Service). I have three Kafka nodes: a master and two workers. Each node has a PEM truststore containing the CA Root certificate from the authority on CAS and a PEM keystore containing a signed certificate from CAS and the private key. I followed this webpage <https://codingharbour.com/apache-kafka/using-pem-certificates-with-apache-kafka> for the setup.
This is the server.properties file for the master node. Other nodes have a similar config except for the ssl.keystore.location property.

listeners=INTERNAL://:port,EXTERNAL://:port
advertised.listeners=INTERNAL://:port,EXTERNAL://:port
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.enabled.protocols=TLSv1.2
ssl.endpoint.identification.algorithm=
producer.ssl.endpoint.identification.algorithm=
consumer.ssl.endpoint.identification.algorithm=
ssl.client.auth=required
ssl.truststore.type=PEM
ssl.truststore.location=/path/ca.crt
ssl.keystore.type=PEM
ssl.key.password=<password>
ssl.keystore.location=/path/master.pem

The truststore is the ca.crt (Root CA certificate) file and the keystore has the private key and the signed certificate. There are no intermediate certificates; the certificates in the keystore are directly signed by the root certificate.

When I try to start the server on any node I am getting the following error. I am not sure why.

ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.

P.S. I have already tried using the truststore and keystore in JKS and PKCS12 format. I keep getting the same error.

Thanks,
Dip
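The startup failure above is Kafka validating its own keystore against its own truststore before opening any listener, so the same check can be reproduced offline with openssl. The script below is an added example, not code from the post or from Kafka; it builds throwaway CAs and leaf certificates with constructed names (ca, other-ca, master, rogue) and shows that a PEM keystore whose certificate chains to the truststore's CA passes, while one signed by a different root fails with the path-validation error Kafka reports.

```shell
#!/bin/sh
# Added example, not from the original post. Kafka's "Trust anchor for certification
# path not found" means the certificate in ssl.keystore.location does not chain to
# any CA in ssl.truststore.location; `openssl verify` runs the same path validation.
set -eu

# write_cnf DIR: minimal openssl config so the run does not depend on the system one.
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[ca_ext]' \
    'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
    > "$1/openssl.cnf"
}

# make_ca DIR NAME: constructed throwaway root CA (stand-in for the CAS root in ca.crt).
make_ca() {
  openssl req -x509 -config "$1/openssl.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA LEAF: leaf signed directly by CA (no intermediates), stored as a
# PEM keystore holding private key + certificate, as Kafka's PEM keystore expects.
make_leaf() {
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
  cat "$1/$3.key" "$1/$3.crt" > "$1/$3.pem"
}

# check_chain TRUSTSTORE KEYSTORE: exit 0 if the keystore's certificate validates
# against the truststore only (Kafka would start), non-zero otherwise (Kafka's error).
check_chain() {
  leaf="$2.leaf.crt"
  openssl x509 -in "$2" -out "$leaf" 2>/dev/null || return 1   # extract the cert block
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$leaf" >/dev/null 2>&1
}

# demo: same CA -> chain found; certificate signed by another CA -> trust anchor missing.
demo() {
  dir=$(mktemp -d); write_cnf "$dir"
  make_ca "$dir" ca; make_ca "$dir" other-ca
  make_leaf "$dir" ca master; make_leaf "$dir" other-ca rogue
  check_chain "$dir/ca.crt" "$dir/master.pem" && echo "master.pem: chains to ca.crt"
  check_chain "$dir/ca.crt" "$dir/rogue.pem" || echo "rogue.pem: trust anchor not found"
  rm -rf "$dir"
}
```

Run `check_chain /path/ca.crt /path/master.pem` against the real files from server.properties; a non-zero exit means the keystore certificate was not issued under the root in the truststore.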