Posted to users@kafka.apache.org by Spencer Nelson <sw...@uw.edu> on 2021/06/15 17:01:02 UTC

specifying a PEM private key for SSL broker config?

Hi,

I'd like to enable SSL for a broker. I'd like to get the cert using
LetsEncrypt, which generates a private key and certificate chain in PEM
format.

KIP-651, which was implemented and released in Kafka 2.7.0, added support
for PEM files for TLS configuration, which is great. But I can't seem to
figure out how to actually use it.

I have this in my server.properties:

> ssl.keystore.type=PEM
> ssl.keystore.key=/etc/letsencrypt/live/domain.redacted/privkey.pem
> ssl.keystore.certificate.chain=/etc/letsencrypt/live/domain.redacted/fullchain.pem

But my server fails to launch with this error:

> ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> org.apache.kafka.common.errors.InvalidConfigurationException: Invalid PEM keystore configs
> Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: No matching PRIVATE KEY entries in PEM file

I believe this is because it's trying to parse my 'ssl.keystore.key' value
as a literal PEM, rather than taking it as a file path which *holds* a PEM.
I have tried specifying the private key file's location with
ssl.keystore.location - but then Kafka appears to be expecting a keystore,
and complains that I haven't provided a password for the key:

> ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> org.apache.kafka.common.errors.InvalidConfigurationException: SSL PEM key store is specified, but key password is not specified.

But the LetsEncrypt private key doesn't *have* a password. What's going on
here? How can I specify PEM files for SSL?

Here's the KIP which kind of sketches the design:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key
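
The following is an added example, not code from the post above or from Apache Kafka. It is a small pre-flight validator for the two PEM key-store forms that KIP-651 describes: the inline form, where ssl.keystore.key and ssl.keystore.certificate.chain carry the PEM text itself, and the file form, where ssl.keystore.type=PEM and ssl.keystore.location name a single file. It reproduces the two checks behind the errors quoted in the post (a path handed to ssl.keystore.key yields no PRIVATE KEY block; a file-based PEM store without ssl.key.password is refused) so that a LetsEncrypt key/chain pair can be vetted before the broker is restarted. Assumptions not stated on the page: that the file form requires an ENCRYPTED PRIVATE KEY block plus ssl.key.password (consistent with the second error, but not confirmed by the post), that Kafka accepts PKCS#8 keys only, and that certbot's privkey.pem is an unencrypted PKCS#8 key. All function names, the constructed PEM samples and the error wording for certificates are this example's own; it does not address how a multi-line value is escaped inside server.properties.

```python
"""Pre-flight validator for KIP-651 style PEM key-store configs.

Added example, not code from the mailing-list post or from Apache Kafka.
"""
import re
from pathlib import Path

# One RFC 7468 style block: a BEGIN line, a base64 body, a matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)

# Label -> key encoding. Assumption: Kafka's default engine factory takes
# PKCS#8 keys only; the legacy OpenSSL labels are listed so they can be
# rejected with a useful message instead of a generic "no key" error.
KEY_LABELS = {
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "RSA PRIVATE KEY": "pkcs1",
    "EC PRIVATE KEY": "sec1",
}

# Constructed sample material: the base64 bodies are placeholders, not real
# keys or certificates. SAMPLE_KEY mimics an unencrypted certbot privkey.pem,
# SAMPLE_CHAIN a two-certificate fullchain.pem.
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\n"
              "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ==\n"
              "-----END PRIVATE KEY-----\n")
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIRAIIQ==\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nMIIEkjCCA3qgAwIBAgIQCgFB==\n-----END CERTIFICATE-----\n")
SAMPLE_ENCRYPTED_FILE = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                         "MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG==\n"
                         "-----END ENCRYPTED PRIVATE KEY-----\n" + SAMPLE_CHAIN)


def parse_pem(text):
    """Return [(label, block_text), ...] for every PEM block in text."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def key_kind(blocks):
    """Encoding of the first private-key block, or None if there is none."""
    for label, _ in blocks:
        if label in KEY_LABELS:
            return KEY_LABELS[label]
    return None


def certificate_count(blocks):
    return sum(1 for label, _ in blocks if label == "CERTIFICATE")


def inline_config(key_text, chain_text, key_password=None):
    """Inline form: ssl.keystore.key / ssl.keystore.certificate.chain hold the
    PEM text itself. A file path is caught first; that is the mistake behind
    "No matching PRIVATE KEY entries in PEM file" in the post."""
    if "-----BEGIN" not in key_text:
        raise ValueError("ssl.keystore.key holds a path, not PEM text: "
                         "No matching PRIVATE KEY entries in PEM file")
    kind = key_kind(parse_pem(key_text))
    if kind is None:
        raise ValueError("No matching PRIVATE KEY entries in PEM file")
    if kind in ("pkcs1", "sec1"):
        raise ValueError(f"{kind} key found; convert it to PKCS#8 first "
                         "(openssl pkcs8 -topk8)")
    if kind == "pkcs8-encrypted" and not key_password:
        raise ValueError("encrypted private key needs ssl.key.password")
    if certificate_count(parse_pem(chain_text)) == 0:
        raise ValueError("no CERTIFICATE entries in certificate chain")
    config = {
        "ssl.keystore.type": "PEM",
        "ssl.keystore.key": key_text,
        "ssl.keystore.certificate.chain": chain_text,
    }
    if key_password:
        config["ssl.key.password"] = key_password
    return config


def file_config(location, file_text, key_password=None):
    """File form: ssl.keystore.location names one PEM file holding key and
    chain. Assumption (consistent with the post's second error, not confirmed
    by the page): the key must be ENCRYPTED and ssl.key.password must be set."""
    blocks = parse_pem(file_text)
    if key_kind(blocks) != "pkcs8-encrypted":
        raise ValueError("file-based PEM key store needs an encrypted PKCS#8 key; "
                         "use the inline form for an unencrypted key")
    if not key_password:
        raise ValueError("SSL PEM key store is specified, but key password is not specified.")
    if certificate_count(blocks) == 0:
        raise ValueError("no CERTIFICATE entries in PEM file")
    return {"ssl.keystore.type": "PEM",
            "ssl.keystore.location": location,
            "ssl.key.password": key_password}


def file_config_from_path(path, key_password=None):
    return file_config(str(path), Path(path).read_text(), key_password)


def error_for(fn, *args, **kwargs):
    """Return the ValueError message fn raises for these arguments, or None."""
    try:
        fn(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The post's configuration: paths where PEM text belongs.
    print(error_for(inline_config, "/etc/letsencrypt/live/domain.redacted/privkey.pem", SAMPLE_CHAIN))
    # The working inline form for an unencrypted certbot key.
    print(sorted(inline_config(SAMPLE_KEY, SAMPLE_CHAIN)))
```

Run it against the real privkey.pem and fullchain.pem by reading them into key_text and chain_text; if inline_config returns without raising, the pair is in the shape the inline configs expect, and the only remaining question is how your config loader represents the multi-line value.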