Posted to user@zookeeper.apache.org by john mark <jo...@gmail.com> on 2021/08/14 21:19:35 UTC

zookeeper ssl alert “alert bad certificate”

Hi there!

<https://serverfault.com/posts/1074579/timeline>

I am using Kafka (version 2.3.0) and Zookeeper (version 3.5.5-3) - the
stable version is 3.6.3.

When I test the SSL of my Zookeeper using this command:

openssl s_client -showcerts -connect 127.0.0.1:2280 -CAfile /certs/ca-chain.cert.pem

and I am getting this error:

140371409225024:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42

But if I install Zookeeper version 3.5.7 and up, I can add this in
my zoo.cnf or zookeeper.properties:

ssl.clientAuth=want

and I no longer see any SSL errors.

Any tips/suggestions on how to fix this SSL error without upgrading (I
don't want to update at the moment to avoid other conflicts like Kafka
Cruise Control and others).

Thanks in advance!

Best regards,

John Mark Causing

Re: zookeeper ssl alert “alert bad certificate”

Posted by Enrico Olivelli <eo...@gmail.com>.
John,

On Sat, 14 Aug 2021 at 23:19, john mark <johnmarkcausing@gmail.com> wrote:

> Hi there!
>
> <https://serverfault.com/posts/1074579/timeline>
>
> I am using Kafka (version 2.3.0) and Zookeeper (version 3.5.5-3) - the
> stable version is 3.6.3.
>
> When I test the SSL of my Zookeeper using this command:
>
> openssl s_client -showcerts -connect 127.0.0.1:2280 -CAfile /certs/ca-chain.cert.pem
>
> and I am getting this error:
>
> 140371409225024:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42
>


Is the ZooKeeper Java client able to connect?

>
> But if I install Zookeeper version 3.5.7 and up, I can add this in
> my zoo.cnf or zookeeper.properties:
>
> ssl.clientAuth=want
>
> and I no longer see any SSL errors.
>

So you are saying that with 3.5.7 we are able to see it working by enabling
TLS client auth?
Do you have errors in the logs of the server?

>
> Any tips/suggestions on how to fix this SSL error without upgrading (I
> don't want to update at the moment to avoid other conflicts like Kafka
> Cruise Control and others).
>


3.5.7 should be 100% compatible with 3.5.5 so upgrading the ZooKeeper
servers should not be an issue for the clients.

Enrico


>
> Thanks in advance!
>
> Best regards,
>
> John Mark Causing
>
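
Added example (not part of the original thread): decoding the OpenSSL error line quoted in the first message shows that alert 42 (bad_certificate) was received from the peer on port 2280, so it reflects the server's view of the client certificate rather than s_client rejecting the server's chain. It assumes the OpenSSL 1.1.x packed error-code layout; `triage`, `ALERTS` and `LINE_RE` are names made up for this example.

```python
import re

# Assumption: OpenSSL 1.1.x layout, where an error code packs
# lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "alert received from peer"

# TLS alert descriptions (RFC 5246 / RFC 8446) that concern certificates.
ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 116: "certificate_required",
}

LINE_RE = re.compile(
    r"^(?P<tid>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

# The error from the thread, wrapped across two lines as the mail client left it.
SAMPLE = ("140371409225024:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad\n"
          "certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42")


def triage(line):
    """Decode one OpenSSL error-queue line and report which side raised the error."""
    m = LINE_RE.match(" ".join(line.split()))  # undo mail line wrapping
    if not m:
        raise ValueError("not an OpenSSL error-queue line")
    code = int(m["code"], 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason, "func_name": m["func"],
           "alert": None, "alert_name": None, "sent_by": "local"}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # The local library is only reporting an alert the remote end sent.
        out["alert"] = reason - SSL_AD_REASON_OFFSET
        out["alert_name"] = ALERTS.get(out["alert"], "unknown")
        out["sent_by"] = "peer"
    return out


if __name__ == "__main__":
    print(triage(SAMPLE))
```
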