
Can not set up HTTPS listener with PEM certificate #2905

Closed
strafer opened this issue Dec 14, 2023 · 2 comments

Comments

@strafer

strafer commented Dec 14, 2023

Hi there!

I have already set up communication between Kafka and Schema Registry via mTLS using PEM certificates, everything works fine in this part.

Now I'm trying to set up an HTTPS listener using the same PEM certificate (it's on an obfuscated name example.com and it also has TLS Web Server Authentication in X509v3 Extended Key Usage). I use the following parameters in schema-registry.properties (The bundle.pem file contains concatenated private key, own certificate, intermediate certificate, root certificate, the private key isn't encrypted so I omit the ssl.*.password params):

listeners=https://0.0.0.0:9183

security.protocol=SSL
ssl.keystore.location=/etc/tls/registry/bundle.pem
ssl.keystore.type=PEM
ssl.truststore.location=/etc/ssl/certs/ca-certificates.crt
ssl.truststore.type=PEM

host.name=example.com

This leads to errors:

ERROR Server died unexpectedly:  (io.confluent.kafka.schemaregistry.rest.SchemaRegistryMain:55)
java.security.KeyStoreException: PEM not found
…
Caused by: java.security.NoSuchAlgorithmException: PEM KeyStore not available

Does NoSuchAlgorithmException mean that PEM is not supported, or does it refer to the certificate key? (however, both points look strange considering that exactly the same bundle file works fine in Kafka's direction)

If I comment out the ssl.* lines, then the web server starts and listens on the port, but in fact, due to the lack of a certificate, it is impossible to establish a connection to it; for example, curl returns SSL_ERROR_SYSCALL.

The description of the ssl.keystore.location parameter mentions that "Jetty requires that the key's CN, stored in the keystore, must match the FQDN". Which parameter exactly defines this FQDN? Is it not host.name? Maybe that's the problem.

@rayokota
Member

Try configuring using the description here #2062

@strafer
Author

strafer commented Dec 15, 2023

I divided my bundle into a key and a certificate chain, and tried to use these settings, but the result remained the same.

Two things confuse me:

  1. I have not seen and do not see these schema.registry.* settings from the PR in the application log in the block SchemaRegistryConfig values: (I'm using the official image of the most recent version 7.5.2, surely this code added so long ago should be there);
  2. I don't understand what <Java escaped PEM certs> means. Is this some kind of special format? I couldn't google anything specific about this phrase. In Kafka, I use the most common PEM certificates for TLS, as well as for mTLS between Kafka and the Schema Registry (kafkastore.ssl.*), and they are accepted there and everything works.
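The step the reporter describes in both comments, splitting a concatenated bundle (private key, own certificate, intermediate, root) into a separate key file and an ordered certificate chain, as an added example that is not part of this issue or of Schema Registry itself. The sample bundle is constructed with placeholder base64 bodies, so it is only the PEM framing that is parsed; the parser also reports whether the key block is encrypted, which is what decides whether an ssl.*.password setting can be omitted as the reporter did.

```python
import re

# Constructed sample bundle in the order the reporter describes: key, leaf, intermediate, root.
# The base64 bodies are placeholders, not real key or certificate material.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwPLACEHOLDERKEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERLEAFCERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERINTERMEDIATECERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERROOTCERTIFICATE
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN label, body (base64 and optional headers), END with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def split_pem_bundle(text):
    """Return the bundle as a list of (label, block) tuples in file order.

    Anything outside BEGIN/END framing (comments, bag attributes) is dropped.
    """
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]


def is_encrypted_key(label, block):
    """True for PKCS#8 encrypted keys and for legacy keys carrying a Proc-Type: 4,ENCRYPTED header."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in block


def bundle_to_key_and_chain(text):
    """Split a bundle into (key_pem, chain_pem, key_is_encrypted).

    Exactly one private key is required; certificates keep their order, so the
    leaf must come first in the input for the resulting chain file to be valid.
    """
    blocks = split_pem_bundle(text)
    keys = [(lbl, blk) for lbl, blk in blocks if lbl in KEY_LABELS]
    certs = [blk for lbl, blk in blocks if lbl == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("bundle contains no certificates")
    label, key_block = keys[0]
    return key_block, "".join(certs), is_encrypted_key(label, key_block)


def write_split_files(bundle_path, key_path, chain_path):
    """Read a bundle from disk and write the key and chain to separate files.

    Returns the number of certificates written so callers can sanity-check the chain length.
    """
    with open(bundle_path, encoding="ascii") as f:
        key_pem, chain_pem, _ = bundle_to_key_and_chain(f.read())
    with open(key_path, "w", encoding="ascii") as f:
        f.write(key_pem)
    with open(chain_path, "w", encoding="ascii") as f:
        f.write(chain_pem)
    return chain_pem.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    key_pem, chain_pem, encrypted = bundle_to_key_and_chain(SAMPLE_BUNDLE)
    print(f"key encrypted: {encrypted}")
    print(f"certificates in chain: {chain_pem.count('-----BEGIN CERTIFICATE-----')}")
```

If the split reports an encrypted key, the password settings cannot be omitted; if it reports more than one certificate but the first block is not the server certificate, the chain file needs reordering before it is handed to the listener.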
