I have already set up communication between Kafka and Schema Registry via mTLS using PEM certificates, everything works fine in this part.
Now I'm trying to set up an HTTPS listener using the same PEM certificate (it's on an obfuscated name example.com and it also has TLS Web Server Authentication in X509v3 Extended Key Usage). I use the following parameters in schema-registry.properties (The bundle.pem file contains concatenated private key, own certificate, intermediate certificate, root certificate, the private key isn't encrypted so I omit the ssl.*.password params):
ERROR Server died unexpectedly: (io.confluent.kafka.schemaregistry.rest.SchemaRegistryMain:55)
java.security.KeyStoreException: PEM not found
…
Caused by: java.security.NoSuchAlgorithmException: PEM KeyStore not available
Does NoSuchAlgorithmException mean that PEM is not supported, or does it refer to the certificate key? (however, both points look strange considering that exactly the same bundle file works fine in Kafka's direction)
If I comment out the ssl.* lines, then the web server starts and listens on the port, but in fact, due to the lack of a certificate, it is impossible to establish a connection to it; for example, curl returns SSL_ERROR_SYSCALL.
The description of the ssl.keystore.location parameter mentions that Jetty requires that the key’s CN, stored in the keystore, must match the FQDN. Which parameter exactly defines this FQDN? Is it not host.name? Maybe that's the problem.
I divided my bundle into a key and a certificate chain, and tried to use these settings, but the result remained the same.
Two things confuse me:
I have not seen and do not see these schema.registry.* settings from the PR in the application log in the block SchemaRegistryConfig values: (I'm using the official image of the most recent version 7.5.2, surely this code added so long ago should be there);
I don't understand what <Java escaped PEM certs> means. Is this some kind of special format? I couldn't google anything specific about this phrase. In Kafka, I use the most common PEM certificates for TLS, as well as for mTLS between Kafka and the Schema Registry (kafkastore.ssl.*), and they are accepted there and everything works.
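The bundle layout described in the report (private key, own certificate, intermediate, root, concatenated in one PEM file) and the later split into a key file plus a certificate-chain file can be checked mechanically before the file is handed to any keystore loader. The following is an added example, not code from the issue or from the schema-registry project: a stdlib-only Python splitter that parses the PEM envelope, insists on exactly one unencrypted private key, flags key labels that are not PKCS#8, and returns the certificates in file order. The sample bundle is constructed from placeholder bytes, so it exercises the envelope parsing only, not X.509 validation.

```python
"""Split a concatenated PEM bundle (key + cert chain) into its parts.

Added example, not part of the schema-registry project. Only the PEM
envelope (BEGIN/END labels and base64 body) is parsed; the DER inside is
not validated, so the sample bodies below are constructed placeholders.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple

# Java's standard KeyFactory consumes PKCS#8 (PKCS8EncodedKeySpec), which is
# the "PRIVATE KEY" label; the other labels are reported as needing attention.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",            # PKCS#8, unencrypted
    "RSA PRIVATE KEY",        # PKCS#1
    "EC PRIVATE KEY",         # SEC1
    "ENCRYPTED PRIVATE KEY",  # PKCS#8, encrypted (needs a password setting)
}
CERT_LABEL = "CERTIFICATE"

# One BEGIN/END pair; the END label must match the BEGIN label exactly.
_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str
    body: str  # base64 text as it appeared in the file

    @property
    def der(self) -> bytes:
        """Decode the body; raises binascii.Error on malformed base64."""
        return base64.b64decode("".join(self.body.split()), validate=True)

    def text(self) -> str:
        """Re-emit the block with a single trailing newline."""
        return f"-----BEGIN {self.label}-----\n{self.body.strip()}\n-----END {self.label}-----\n"


def parse_bundle(pem: str) -> List[PemBlock]:
    """Return PEM blocks in file order; reject dangling or mismatched markers."""
    blocks = [PemBlock(m["label"], m["body"]) for m in _BLOCK.finditer(pem)]
    if pem.count("-----BEGIN ") != len(blocks):
        raise ValueError("unterminated or mismatched PEM block in bundle")
    for block in blocks:
        _ = block.der  # validate base64 early, before the file is written out
    return blocks


def needs_conversion(key: PemBlock) -> bool:
    """True when the key is not plain PKCS#8 and a loader may reject it as-is."""
    return key.label != "PRIVATE KEY"


def split_bundle(pem: str) -> Tuple[PemBlock, List[PemBlock]]:
    """Return (private key, certificate chain) or raise on an unusable bundle."""
    blocks = parse_bundle(pem)
    keys = [b for b in blocks if b.label in PRIVATE_KEY_LABELS]
    certs = [b for b in blocks if b.label == CERT_LABEL]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("bundle contains no certificate")
    if keys[0].label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("private key is encrypted; a key password setting is required")
    return keys[0], certs


def chain_text(certs: List[PemBlock]) -> str:
    """Concatenate the certificates in bundle order (leaf first) for a chain file."""
    return "".join(c.text() for c in certs)


def _fake(label: str, payload: bytes) -> str:
    """Constructed PEM block with placeholder bytes (not a real key or cert)."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample in the same layout the issue describes: key, own
# certificate, intermediate, root. The bodies are placeholders only.
SAMPLE_BUNDLE = (
    _fake("PRIVATE KEY", b"placeholder-pkcs8-key")
    + _fake("CERTIFICATE", b"placeholder-leaf-cert")
    + _fake("CERTIFICATE", b"placeholder-intermediate")
    + _fake("CERTIFICATE", b"placeholder-root")
)

if __name__ == "__main__":
    key, chain = split_bundle(SAMPLE_BUNDLE)
    print(f"key label: {key.label} (needs conversion: {needs_conversion(key)})")
    print(f"certificates in chain: {len(chain)}")
    print(chain_text(chain), end="")
```

Running the module on a real bundle means replacing SAMPLE_BUNDLE with the file contents; writing `key.text()` and `chain_text(chain)` to two files reproduces the key/chain split from the follow-up comment, and the label check tells you up front whether the key is PKCS#8 or something a Java loader will not take without conversion.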