*Hi Team,*

We are facing an issue with the Kafka topic manager when an intermediate CA is
present. Please let us know how to resolve this issue.
Kafka:3.8.0 is being used.

*When we are trying to communicate between Kafka and kafka-topic-manager, we
are using internal and third-party CA certificates. When we are trying to
connect using a certificate path with multiple CAs, communication is
breaking between Kafka and applications.*

*Example 1: certificate is signed with CA - we didn't find any issue (No
intermediate CA)*
certificate chain: certificate -> internal CA

------------------------------------------------------SSL handshake completed successfully with peerHost---------------------------------

Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,380] DEBUG Accepted connection from /172.17.0.1:37520 on /172.17.0.18:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.DataPlaneAcceptor)
Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,380] DEBUG Processor 1 listening to new connection from /172.17.0.1:37520 (kafka.network.Processor)
Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,401] DEBUG [SslTransportLayer channelId=172.17.0.18:9092-172.17.0.1:37520-15 key=channel=java.nio.channels.SocketChannel[connected local=/172.17.0.18:9092 remote=/172.17.0.1:37520], selector=sun.nio.ch.EPollSelectorImpl@12a58e5e, interestOps=1, readyOps=0] _SSL handshake completed successfully with peerHost_ '172.17.0.1' peerPort 37520 peerPrincipal 'CN=kafka-topic-manager-localhost' protocol 'TLSv1.3' cipherSuite 'TLS_AES_128_GCM_SHA256' (org.apache.kafka.common.network.SslTransportLayer)

*Example 2: certificate is signed with internal CA signed by third-party CA -
handshake is failing (With intermediate CA)*
certificate chain: certificate -> internal CA -> third-party CA

---------------------------------------------------------SSLHandshake NEED_UNWRAP channelId-----------------------------------------

Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] DEBUG Processor 1 listening to new connection from /172.17.0.1:45242 (kafka.network.Processor)
Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] DEBUG Accepted connection from /172.17.0.1:45242 on /172.17.0.141:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.DataPlaneAcceptor)
Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] TRACE [SslTransportLayer channelId=172.17.0.141:9092-172.17.0.1:45242-825 key=channel=java.nio.channels.SocketChannel[connected local=/172.17.0.141:9092 remote=/172.17.0.1:45242], selector=sun.nio.ch.EPollSelectorImpl@39027b65, interestOps=1, readyOps=0] SSLHandshake NEED_UNWRAP channelId 172.17.0.141:9092-172.17.0.1:45242-825, appReadBuffer pos 0, netReadBuffer pos 0, netWriteBuffer pos 0 (org.apache.kafka.common.network.SslTransportLayer)





*Thanks & Regards,*
*Sravani*
