Posted to users@kafka.apache.org by john mark <jo...@gmail.com> on 2021/08/22 20:41:23 UTC

Kafka Zookeeper SSL - include cert and key.

Hi,

I am using this command to test my zookeeper SSL connection:

openssl s_client -showcerts -connect 55.55.55.55:2280 \
  -cert /root/ca-old3/intermediate/certs/intermediate.cert.pem \
  -key /root/ca-old3/intermediate/private/intermediate.key.pem

That works great and I get this "Authenticated" message in the log:

[2021-08-22 20:19:36,173] INFO Authenticated Id
'1.2.44222.1.9.1=#16137365637572697479406b696e7374612e636f6d,OU=Engineering,O=Ltd,ST=CA,C=US'
for Scheme 'x509'
(org.apache.zookeeper.server.auth.X509AuthenticationProvider)

So I assume that one is working properly.

What if I don't want to use the -cert and -key options of the openssl command?

I tried that with these steps:

1. I chained kac-zookeeper_cluster.cert.pem and intermediate.cert.pem
using this command:

   cat /root/myca/intermediate/certs/kac-zookeeper_cluster.cert.pem \
       /root/ca-old3/intermediate/certs/intermediate.cert.pem \
       > /root/ca-old3/intermediate/certs/bundle.cert.pem

2. So above we got bundle.cert.pem generated. Now I generated the PKCS12
file using this command:

   openssl pkcs12 -export \
       -in /root/ca-old3/intermediate/certs/bundle.cert.pem \
       -inkey /root/ca-old3/intermediate/private/kac-zookeeper_cluster.key.pem \
       -out /root/ca-old3/intermediate/private/kac-zookeeper_cluster.p12 \
       -name kac-zookeeper_cluster

3. Generated the jks file using this:

   keytool -importkeystore \
       -srckeystore /root/ca-old3/intermediate/private/kac-zookeeper_cluster.p12 \
       -srcstoretype PKCS12 -alias kac-zookeeper_cluster \
       -destkeystore /root/ca-old3/intermediate/private/kac-zookeeper_cluster.jks

4. I copied kac-zookeeper_cluster.jks to /certs.

5. Ran the zookeeper server.

Got the same error (this time I ran the openssl command to test it without
the -cert and -key options; it works with no error if I use those options).

Output from openssl command:
verify return:1
139869852853568:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42

Output from zookeeper log:
Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain


I thought combining/chaining the intermediate cert would fix it, but nothing.


Best regards,

John Mark Causing
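An added, end-to-end version of steps 1-3 with the checks I would run between them, written in shell; it is not code from the post, from ZooKeeper or from Kafka. It generates its own throwaway root, intermediate and server certificates under a temp directory, so every path, subject and the export password are invented, and it assumes only that openssl 1.1.1 or 3.x is on PATH (the keytool import is the same as in the post and is left out). It confirms that the leaf verifies through the intermediate, that the private key belongs to the leaf, and that the PKCS#12 carries two certificates. The last function is my reading of the second failure: "Empty server certificate chain" is the message the JDK's TLS stack raises on the server side when the client presents no certificate but one is required, and in the ZooKeeper versions I know ssl.clientAuth defaults to need (check the admin guide for yours); openssl s_server -Verify enforces the same thing, so the function reproduces the rejection without -cert/-key and the success with them on a local port.

```shell
#!/bin/sh
# Added example, not code from the original post or from ZooKeeper/Kafka.
# Builds a throwaway root -> intermediate -> server chain, bundles it into a
# PKCS#12 as in steps 1-2 of the post, and checks what really ended up in it.
# Assumptions: openssl 1.1.1 or 3.x on PATH; every path, name and the password
# are invented and live under a temp dir (nothing touches /root or /certs).
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # invented export password, passed only via -passout/-passin

# Minimal config: 1.1.1's req insists on a distinguished_name section even with
# -subj, and the two extension sections make the CA/leaf roles explicit.
write_cnf() {
  cat >"$WORK/chain.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
}

# issue KEYFILE SUBJECT CA-BASENAME EXT-SECTION OUTFILE: new key + CSR, signed by the CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/chain.cnf" \
    -subj "$2" -keyout "$1" -out "$WORK/tmp.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/tmp.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/chain.cnf" -extensions "$4" \
    -out "$5" 2>/dev/null
}

make_chain() {
  write_cnf
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/chain.cnf" \
    -extensions ca_ext -subj "/C=US/O=Example Ltd/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  issue "$WORK/int.key" "/C=US/O=Example Ltd/CN=Example Intermediate CA" root ca_ext "$WORK/int.crt"
  issue "$WORK/zk.key" "/C=US/ST=CA/O=Ltd/OU=Engineering/CN=kac-zookeeper_cluster" int server_ext "$WORK/zk.crt"
  # Leaf first, then the intermediate: the order a Java key entry expects (step 1).
  cat "$WORK/zk.crt" "$WORK/int.crt" >"$WORK/bundle.crt"
  cat "$WORK/root.crt" "$WORK/int.crt" >"$WORK/ca_bundle.crt"   # trust bundle for mtls_demo
}

# Does the leaf verify up to the root through the intermediate?  This is what the
# bundle was meant to achieve; check it before putting it in a keystore.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/zk.crt" >/dev/null 2>&1
}

# Does the private key belong to the first cert in the bundle?  Compare public keys.
key_matches_cert() {
  a=$(openssl x509 -in "$WORK/zk.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$WORK/zk.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Step 2 of the post: -in takes every certificate in the bundle; the one matching
# -inkey becomes the key entry and the rest are stored alongside it.
make_p12() {
  openssl pkcs12 -export -in "$WORK/bundle.crt" -inkey "$WORK/zk.key" \
    -name kac-zookeeper_cluster -passout "pass:$PASS" -out "$WORK/zk.p12"
}

# How many certificates does the PKCS#12 really carry?  2 = leaf + intermediate.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/zk.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# A server that requires a client certificate (s_server -Verify) rejects s_client
# without -cert/-key and accepts it with them.  Needs a free local port; optional.
mtls_demo() {
  port="${1:-14443}"
  openssl s_server -accept "$port" -www -cert "$WORK/zk.crt" -key "$WORK/zk.key" \
    -cert_chain "$WORK/int.crt" -CAfile "$WORK/ca_bundle.crt" -Verify 1 >/dev/null 2>&1 &
  srv=$!; sleep 1
  for extra in "" "-cert $WORK/zk.crt -key $WORK/zk.key -cert_chain $WORK/int.crt"; do
    echo "--- s_client ${extra:-without a client certificate}:"
    # shellcheck disable=SC2086  (word-splitting $extra is intended)
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$port" \
      -CAfile "$WORK/ca_bundle.crt" -ign_eof $extra 2>&1 | grep -E 'alert|Verify return code' || true
  done
  kill "$srv" 2>/dev/null || true
}

main() {
  make_chain
  if chain_verifies; then echo "chain: leaf verifies via intermediate to root"; else echo "chain: BROKEN"; fi
  if key_matches_cert; then echo "key: matches the leaf certificate"; else echo "key: MISMATCH"; fi
  make_p12
  echo "pkcs12 certificates: $(p12_cert_count) (expect 2: leaf + intermediate)"
  echo "artifacts in $WORK; run mtls_demo for the client-auth reproduction"
}

main "$@"
```

Source the file and call mtls_demo (optionally with a port) to see the handshake fail without a client certificate and succeed with one; the keytool -importkeystore step from the post can then be run against $WORK/zk.p12 exactly as written there. The counting function is the check worth keeping: a keystore built from a PKCS#12 that reports only one certificate will never present the intermediate, no matter what the bundle file looked like.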