Using ssl.certificate.pem does not send the full ca-chain #3225

Open
6 of 7 tasks
sunnybenari opened this issue Jan 19, 2021 · 5 comments

Comments

@sunnybenari

Description

When using the ssl.certificate.pem configuration, the client doesn't send the full chain.
Note: ssl.certificate.location sends the full chain.

How to reproduce

Run producer/consumer where ssl.ca.location has only the Root CA and set ssl.certificate.pem with the full chain.

Logs:

From .NET client (proxy from librdkafka)

Confluent.Kafka.ProduceException`2[System.String,System.String]: Broker: Topic authorization failed
   at Confluent.Kafka.Producer`2.Produce(TopicPartition topicPartition, Message`2 message, Action`1 deliveryHandler)
   at Confluent.Kafka.Producer`2.Produce(String topic, Message`2 message, Action`1 deliveryHandler)

Checklist

Please provide the following information:

  • dot-net v1.5.3 (librdkafka v1.5.3)
  • Apache Kafka version: 2.6.0
  • librdkafka client configuration
  • Operating system: macOS Big sur 11.1
  • Provide logs (with debug=.. as necessary) from librdkafka
  • Provide broker log excerpts
  • Critical issue - No
@cactus620

We met the same issue here. We're using version 2.1.1 of the library, and our ssl.certificate.pem content is in the format below:

-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data for the client certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data for the intermediate CA)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data for the root CA)
-----END CERTIFICATE-----

We've tried to capture the packets sent using Wireshark. Only the first block, the client certificate, was sent. The intermediate CA and root CA were not sent. Please kindly help to review the issue.

@trnguyencflt
Member

Encountered the same issue when using ssl.keystore.location: only the leaf certificate is sent to the server.

@abhijeet2096-confluent
Member

Hitting this issue in confluent-operator.

abhizer added a commit to feldera/feldera that referenced this issue Oct 11, 2024
Workaround: confluentinc/librdkafka#3225

Modifies the kafka options `ssl.*.pem` to `ssl.*.location`, saves the PEM
keys to a file named after their SHA256 hash, and sets the path to this
file as the value for the option.

Signed-off-by: Abhinav Gyawali <22275402+abhizer@users.noreply.github.com>
abhizer added a commit to feldera/feldera that referenced this issue Oct 14, 2024
Workaround: confluentinc/librdkafka#3225

rdkafka doesn't accept multiple certificates from `ssl.certificate.pem`
but does from `ssl.certificate.location`, so we save it to a file named
[SHA256-HASH]-[endpoint_name].pem in the current working directory.

Signed-off-by: Abhinav Gyawali <22275402+abhizer@users.noreply.github.com>

[docs] kafka: `ssl.*.pem` configs are replaced with `ssl.*.location`

Signed-off-by: Abhinav Gyawali <22275402+abhizer@users.noreply.github.com>
github-merge-queue bot pushed a commit to feldera/feldera that referenced this issue Oct 14, 2024
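The feldera workaround described in the commit messages above, together with the multi-certificate PEM layout from the earlier comment, as an added Python example that is not code from librdkafka or feldera: it counts the CERTIFICATE blocks in an `ssl.certificate.pem` value (more than one means the chain is affected on librdkafka before v2.8.0) and rewrites `ssl.*.pem` options into `ssl.*.location` files named `<sha256>-<endpoint>.pem`. The config values, endpoint name and placeholder certificate bodies are constructed; files are created 0600 because `ssl.key.pem` belongs to the same option family.

```python
import hashlib
import os
import re
import tempfile

# One PEM certificate block: header, base64 body, footer.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample bundle with placeholder bodies, in the leaf / intermediate / root order from the thread.
SAMPLE_CHAIN = "".join(
    f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    for body in ("LEAF-PLACEHOLDER==", "INTERMEDIATE-PLACEHOLDER==", "ROOT-PLACEHOLDER==")
)

def count_certificates(pem: str) -> int:
    """Count CERTIFICATE blocks; more than one means the value is affected by #3225 on librdkafka < 2.8.0."""
    return len(PEM_BLOCK.findall(pem))

def pem_file_name(pem: str, endpoint_name: str) -> str:
    """<sha256 of content>-<endpoint>.pem, the naming used in the feldera commit message."""
    return f"{hashlib.sha256(pem.encode()).hexdigest()}-{endpoint_name}.pem"

def rewrite_pem_options(config: dict, endpoint_name: str, out_dir: str) -> dict:
    """Return a copy of `config` with every ssl.*.pem value written to a file in out_dir
    and replaced by the matching ssl.*.location option."""
    rewritten = dict(config)
    for key, value in config.items():
        if not (key.startswith("ssl.") and key.endswith(".pem")):
            continue
        path = os.path.join(out_dir, pem_file_name(value, endpoint_name))
        # 0600: the same option family carries private keys (ssl.key.pem).
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(value)
        del rewritten[key]
        rewritten[key[: -len(".pem")] + ".location"] = path
    return rewritten

def demo() -> tuple:
    """Rewrite a constructed client config; returns (new config, text of the written file)."""
    config = {
        "bootstrap.servers": "broker1.example.internal:9093",  # placeholder address
        "security.protocol": "ssl",
        "ssl.certificate.pem": SAMPLE_CHAIN,
    }
    out_dir = tempfile.mkdtemp()
    new_cfg = rewrite_pem_options(config, "broker1", out_dir)
    with open(new_cfg["ssl.certificate.location"]) as fh:
        return new_cfg, fh.read()
```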
@abhijeet2096-confluent
Member

This got fixed in v2.8.0; see https://github.com/confluentinc/librdkafka/releases/tag/v2.8.0

@trnguyencflt
Member

Yeah, it is fixed in #4894
