connecting to on-prem schema registry with self-signed certificate #425

Closed
CurryWurry opened this issue Apr 22, 2024 · 3 comments
Labels: enhancement (New feature or request), question (Further information is requested)

@CurryWurry

We are running an on-prem Confluent schema registry, but when trying to get subjects we get: "Error: CompletionException: io.streamthoughts.jikkou.http.client.RestClientException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Configuring SSL and connecting to the Kafka brokers works without any issues. Adding the schema registry's self-signed certificate to the JDK's truststore did not work. Are SSL properties evaluated in the jikkou.schemaRegistry namespace? Looking at the documentation we can only specify url, vendor, authMethod and basic auth properties.

CurryWurry added the question label on Apr 22, 2024
@fhussonnois
Member

Hi @CurryWurry, I think that SSL authentication is not supported by Jikkou. Are you using a Schema Registry configured with ssl.client.auth=true (Confluent doc: https://docs.confluent.io/platform/current/schema-registry/security/index.html#additional-configurations-for-https)? I will push a PR so that you will be able to configure the SSL properties for the schema registry.

@CurryWurry
Author

Hi @fhussonnois, yes, we have configured schemaRegistry exactly like we did for the Kafka client, but these properties are indeed ignored for both schemaRegistry and kafkaConnect. We managed to temporarily work around this limitation by providing JVM parameters to the Jikkou CLI: jikkou -Djavax.net.ssl.keyStore=./pre-prod/keystore.p12 ... get sr

@fhussonnois
Member

Hi @CurryWurry, you should be able to evaluate the early-access release which contains the new feature for configuring both Kafka Connect and Schema Registry with SSL.

Example:

jikkou {
  schemaRegistry {
    url = "https://localhost:8081"
    authMethod = "SSL"
    sslKeyStoreLocation = "/certs/registry.keystore.jks"
    sslKeyStoreType = "JKS"
    sslKeyStorePassword = "password"
    sslKeyPassword = "password"
    sslTrustStoreLocation = "/certs/registry.truststore.jks"
    sslTrustStoreType = "JKS"
    sslTrustStorePassword = "password"
    sslIgnoreHostnameVerification = true
  }
}
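
Added example, not part of the original thread and not Jikkou code: the two checks behind this issue, reproduced offline with openssl. It shows that a self-signed certificate is rejected until it is itself the trust anchor (the counterpart of the PKIX error reported above), and that hostname verification is a separate check that passes when the host in the URL is in the certificate's SAN. Host names and file names are constructed for the demo; OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: hostnames and file names below are constructed for the demo.

# Create a throwaway self-signed certificate for host $2 as $1/$3.crt.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/$3.key" -out "$1/$3.crt" 2>/dev/null
}

# Succeeds when certificate $2 chains to a trust anchor in PEM file $1.
# A failure here is the openssl counterpart of the JVM's PKIX path building error.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when certificate $1 is valid for hostname $2. Independent of trust.
matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Classify what a verifying client would see.
# $1 = trust anchor PEM, $2 = server certificate PEM, $3 = hostname in the URL
classify() {
  chains_to "$1" "$2" || { echo "untrusted"; return 0; }
  matches_host "$2" "$3" || { echo "hostname-mismatch"; return 0; }
  echo "ok"
}

demo() {
  dir=$(mktemp -d) || return 1
  make_self_signed "$dir" registry.example.internal registry
  make_self_signed "$dir" other.example.internal other
  # Anchor does not contain the registry certificate: trust fails.
  echo "wrong anchor:    $(classify "$dir/other.crt" "$dir/registry.crt" registry.example.internal)"
  # Registry certificate is the anchor, but the URL uses a name absent from the SAN.
  echo "wrong hostname:  $(classify "$dir/registry.crt" "$dir/registry.crt" localhost)"
  # Registry certificate is the anchor and the URL host matches the SAN.
  echo "anchor + SAN ok: $(classify "$dir/registry.crt" "$dir/registry.crt" registry.example.internal)"
  rm -rf "$dir"
}

demo
```

Only the hostname-mismatch case is one where a setting such as sslIgnoreHostnameVerification = true changes the outcome; a certificate issued with the host name used in the URL avoids needing it.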
