Hi Team,

We are facing an issue with kafka topic manager when an intermediate CA is present. Please let us know how to resolve this issue. Kafka 3.8.0 is being used.
When we are trying to communicate between kafka and kafka-topic-manager we are using internal and third-party CA certificates. When we are trying to connect using a certificate path with multiple CAs, communication is breaking between kafka and applications.

Example 1: certificate is signed with CA - we didn't find any issue (no intermediate CA)
certificate chain: certificate -> internal CA

---- SSL handshake completed successfully with peerHost ----
Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,380] DEBUG Accepted connection from /172.17.0.1:37520 on /172.17.0.18:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.DataPlaneAcceptor)
Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,380] DEBUG Processor 1 listening to new connection from /172.17.0.1:37520 (kafka.network.Processor)
Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,401] DEBUG [SslTransportLayer channelId=172.17.0.18:9092-172.17.0.1:37520-15 key=channel=java.nio.channels.SocketChannel[connected local=/172.17.0.18:9092 remote=/172.17.0.1:37520], selector=sun.nio.ch.EPollSelectorImpl@12a58e5e, interestOps=1, readyOps=0] SSL handshake completed successfully with peerHost '172.17.0.1' peerPort 37520 peerPrincipal 'CN=kafka-topic-manager-localhost' protocol 'TLSv1.3' cipherSuite 'TLS_AES_128_GCM_SHA256' (org.apache.kafka.common.network.SslTransportLayer)

Example 2: certificate is signed with internal CA signed by third-party CA - handshake is failing (with intermediate CA)
certificate chain: certificate -> internal CA -> third-party CA

---- SSLHandshake NEED_UNWRAP channelId ----
Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] DEBUG Processor 1 listening to new connection from /172.17.0.1:45242 (kafka.network.Processor)
Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] DEBUG Accepted connection from /172.17.0.1:45242 on /172.17.0.141:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.DataPlaneAcceptor)
Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] TRACE [SslTransportLayer channelId=172.17.0.141:9092-172.17.0.1:45242-825 key=channel=java.nio.channels.SocketChannel[connected local=/172.17.0.141:9092 remote=/172.17.0.1:45242], selector=sun.nio.ch.EPollSelectorImpl@39027b65, interestOps=1, readyOps=0] SSLHandshake NEED_UNWRAP channelId 172.17.0.141:9092-172.17.0.1:45242-825, appReadBuffer pos 0, netReadBuffer pos 0, netWriteBuffer pos 0 (org.apache.kafka.common.network.SslTransportLayer)

Thanks & Regards,
Sravani
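Editor's note on the two examples above, followed by an added reproduction script that is not part of the original thread. The TRACE line "SSLHandshake NEED_UNWRAP" is a normal intermediate state of the Java handshake state machine (the broker is waiting for the next record from the peer), not the failure itself; the actual reason is in the SSLHandshakeException logged when the handshake is aborted, on whichever side rejects the chain. The most common reason a chain that worked as leaf -> internal CA stops working once the internal CA is itself signed by a third-party root is that the side presenting the certificate still ships only the leaf in its keystore. In Example 1 that was enough, because the internal CA sat in the truststore and Java's PKIX validator accepts any truststore entry as an anchor. In Example 2, if the truststore now holds the third-party root, the verifier must be handed the internal CA certificate as well, and the TLS peer is the one that has to send it. The script below builds a throwaway root -> intermediate -> leaf PKI with openssl, checks the three trust layouts, and packs the leaf with and without the intermediate into PKCS12 keystores so the difference is visible. The CA and leaf names follow the post; the subjectAltName, the keystore alias and the password "changeit" are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not from the original thread: reproduce Example 1 / Example 2
# chain layouts with throwaway keys and show what each trust anchor can validate.
# Assumed values: the SAN, the keystore alias and the password "changeit".
set -eu

PKI_DIR="$(mktemp -d)"

# Minimal req config so the script does not depend on the system openssl.cnf;
# every subject is supplied with -subj, the [dn] entry is never used.
cat > "$PKI_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

cat > "$PKI_DIR/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

cat > "$PKI_DIR/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:kafka-topic-manager-localhost
EOF

# gen_key <file>: P-256 key (fast; RSA behaves identically for the chain logic)
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# csr <key> <subject> <out>
csr() { openssl req -new -config "$PKI_DIR/req.cnf" -key "$1" -subj "$2" -out "$3"; }

# setup_pki: third-party root -> internal CA (intermediate) -> leaf, as in Example 2
setup_pki() {
  d="$PKI_DIR"
  gen_key "$d/root.key"; gen_key "$d/int.key"; gen_key "$d/leaf.key"
  csr "$d/root.key" "/CN=Third Party Root CA"            "$d/root.csr"
  csr "$d/int.key"  "/CN=Internal CA"                    "$d/int.csr"
  csr "$d/leaf.key" "/CN=kafka-topic-manager-localhost"  "$d/leaf.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem"
}

# verify_leaf <anchor.pem> <leaf.pem> [untrusted.pem]
# Returns 0 when a path from the leaf to the anchor can be built from the
# anchor plus whatever the peer presented (the untrusted file plays the role
# of the extra certificates a TLS peer sends). -partial_chain makes OpenSSL
# accept a non-self-signed anchor, which is what Java's PKIX validator does.
verify_leaf() {
  if [ $# -ge 3 ]; then
    openssl verify -partial_chain -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# build_keystore <out.p12> <password> <leaf.pem> <leaf.key> [intermediate.pem]
# Without the optional intermediate the keystore carries the leaf only, which
# is the layout that breaks once the truststore anchor is the root.
build_keystore() {
  if [ $# -ge 5 ]; then
    openssl pkcs12 -export -in "$3" -inkey "$4" -certfile "$5" \
      -name kafka-topic-manager -passout "pass:$2" -out "$1"
  else
    openssl pkcs12 -export -in "$3" -inkey "$4" \
      -name kafka-topic-manager -passout "pass:$2" -out "$1"
  fi
}

# chain_len <p12> <password>: number of certificates stored with the key
chain_len() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

setup_pki
D="$PKI_DIR"
echo "anchor=Internal CA,        peer sends leaf only   : $(verify_leaf "$D/int.pem"  "$D/leaf.pem" && echo OK || echo FAIL)"
echo "anchor=Third Party Root,   peer sends leaf only   : $(verify_leaf "$D/root.pem" "$D/leaf.pem" && echo OK || echo FAIL)"
echo "anchor=Third Party Root,   peer sends leaf + int  : $(verify_leaf "$D/root.pem" "$D/leaf.pem" "$D/int.pem" && echo OK || echo FAIL)"

build_keystore "$D/leaf-only.p12" changeit "$D/leaf.pem" "$D/leaf.key"
build_keystore "$D/chain.p12"     changeit "$D/leaf.pem" "$D/leaf.key" "$D/int.pem"
echo "certificates in leaf-only.p12: $(chain_len "$D/leaf-only.p12" changeit)"
echo "certificates in chain.p12    : $(chain_len "$D/chain.p12" changeit)"

# PEM form of the same chain for ssl.keystore.type=PEM: leaf first, then the intermediate
cat "$D/leaf.pem" "$D/int.pem" > "$D/keystore-chain.pem"
echo "PEM chain written to $D/keystore-chain.pem"
```

The first line reproduces Example 1 (OK), the second reproduces the Example 2 symptom (FAIL) and the third is the fix: the presenting side must send leaf plus internal CA, which means the intermediate has to live in that side's keystore next to the key, not only in somebody's truststore. On a JKS or PKCS12 keystore, `keytool -list -v -keystore chain.p12 -storetype PKCS12` should report "Certificate chain length: 2" for the key entry; a length of 1 means the intermediate is missing. For Kafka, point `ssl.keystore.location`/`ssl.keystore.password` (with `ssl.keystore.type=PKCS12`) at the chain keystore, or with `ssl.keystore.type=PEM` put the leaf-first chain into `ssl.keystore.certificate.chain`, and keep the third-party root in the truststore on the other side. To test a live broker the same way, `openssl s_client -connect <broker>:9092 -CAfile root.pem -cert leaf.pem -key leaf.key -cert_chain int.pem` shows the verify result and, with `-showcerts`, exactly which certificates the broker itself is presenting.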