Kafka TLS Doesn't Present Intermediary Certificates #6654
Labels: kafka, solved, stale (15 days without activity), tech-issues, triage
Name and Version
bitnami/kafka:3.2.1-debian-11-r4
What steps will reproduce the bug?
We deploy this container from the Bitnami Kafka Helm Chart. When using PEM TLS certificates, Kafka does not present the entire certificate chain.
Our /opt/bitnami/kafka/config/server.properties file looks like this:
The ssl.keystore.certificate.chain has (in order) our endpoint certificate followed by the Let's Encrypt R3 Intermediate certificate underneath it. The ssl.truststore.certificates entry is the Let's Encrypt ISRG Root X1 CA certificate. We can test the configuration with:
Which returns the below output. The output says that only one certificate is being presented, and it is the Intermediate certificate and not the endpoint/leaf certificate, which is why the signature is failing.
If I remove the Intermediary certificate from the ssl.keystore.certificate.chain entry, Kafka now sends me the endpoint certificate but without the Intermediary certificate. This means the certificate will not be trusted unless the intermediary certificate is manually trusted. The output of openssl s_client -connect myhost.mydomain.com -port 9094 is now:
The current workaround is to install the Intermediary certificate in the root of trust.
I have tried reversing the order of the certificates in the ssl.keystore.certificate.chain entry, which makes Kafka throw errors (as expected). I have also tried adding the Root certificate to the ssl.keystore.certificate.chain (a total of 3 certificates), and this results in the Root CA certificate alone being sent in the TLS handshake. It seems that Kafka always sends a single certificate, and it is always the last one in the ssl.keystore.certificate.chain chain.
What is the expected behavior?
Kafka TLS should send the endpoint certificate along with all intermediary CAs in the TLS handshake.
What do you see instead?
Only a single certificate is sent when a chain is provided.
Additional information
No response
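As an added example (not code from the issue, Bitnami or Kafka), a small Go program that checks a PEM bundle in the layout the issue describes for ssl.keystore.certificate.chain, endpoint certificate first and every entry signed by the one after it, so that a mis-ordered bundle is caught before the broker is restarted. The certificates it uses are constructed test fixtures; a self-signed test CA stands in for the Let's Encrypt R3 intermediate, and the function and fixture names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// CheckChainOrder validates a PEM bundle in the order Kafka expects for ssl.keystore.certificate.chain: endpoint certificate first, then each issuing CA.
func CheckChainOrder(bundle []byte) error {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 || certs[0].IsCA { // the reversed order from the issue fails here
		return fmt.Errorf("bundle must start with the endpoint (non-CA) certificate")
	}
	for i := 0; i+1 < len(certs); i++ { // every entry must be issued by the one after it
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("%q is not signed by %q: %v", certs[i].Subject.CommonName, certs[i+1].Subject.CommonName, err)
		}
	}
	return nil
}
// mkTestChain returns constructed fixtures: an endpoint certificate and the self-signed test CA that issued it (standing in for the R3 intermediate).
func mkTestChain() (leafPEM, caPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Intermediate"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "myhost.mydomain.com"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)       // self-signed test CA
	leafDER, err2 := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey) // endpoint cert issued by it
	if err != nil || err2 != nil {
		panic("fixture generation failed")
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}
func main() { // prints nil for the leaf,intermediate order and an error for the reversed one
	leafPEM, caPEM := mkTestChain()
	fmt.Println(CheckChainOrder(append(append([]byte{}, leafPEM...), caPEM...)), CheckChainOrder(append(append([]byte{}, caPEM...), leafPEM...)))
}
```

This only validates the bundle's layout offline; what the broker actually presents on the wire is still confirmed with the openssl s_client check from the issue.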