Using my trusted certificate in Kafka Strimzi


I have configured a Kafka cluster on Kubernetes using Strimzi, following this article: https://itnext.io/kafka-on-kubernetes-the-strimzi-way-part-2-43192f1dd831. But the security service in my company does not want to deploy this solution in UAT with a self-signed certificate. Could you please tell me whether I can import our trusted certificate from a trusted certificate center into this Kafka solution?

I added this section to my yml file (see https://strimzi.io/docs/operators/master/using.html#kafka-listener-certificates-str):

    configuration:
      brokerCertChainAndKey:
        secretName: es-kafka-secret
        certificate: certificate.crt
        key: certificate.key

But when I test, I get this error:


[thrd:ssl://104.42.195.73:9094/bootstrap]: ssl://104.42.195.73:9094/bootstrap: SSL handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 377ms in state CONNECT)
panic: interface conversion: kafka.Event is kafka.Error, not *kafka.Message

goroutine 38 [running]:
main.main.func2(0xc421004060)
        /root/kafka-kubernetes-strimzi/part-3/go-client-app/kafka-tls-auth-client.go:85 +0x2a5
created by main.main
        /root/kafka-kubernetes-strimzi/part-3/go-client-app/kafka-tls-auth-client.go:74 +0x109

And after adding my certificate, how can I check the connection?

Could you please help me? Thanks.


As described in the Strimzi documentation, you have two options to choose from:

  1. You can provide your own CA for the cluster or clients certification authorities. For more details see https://strimzi.io/docs/operators/latest/full/using.html#installing-your-own-ca-certificates-str
  2. You can let Strimzi use its self-signed CA for ZooKeeper, Kafka replication etc. and just configure your own server certificate for the Kafka listeners where clients will be connecting. For more details see https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str

Once you configure it, you can check whether it was correctly applied, for example using OpenSSL (openssl s_client ...). Or you can use the Java clients and set the Java system property javax.net.debug to the value ssl; that would also print the details about the TLS handshake, the used certificates, etc.
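The openssl s_client check mentioned above, written out as an added example (not part of the answer or of Strimzi): it pulls the CA the client is expected to trust, connects to the listener with that CA, reports which certificate the broker actually presented, and fails unless the chain verifies. The cluster and namespace names, the output paths and the `verify_code` / `check_listener` helper names are assumptions; the bootstrap address in the comments is the one from the question.

```shell
#!/bin/sh
# Added example: verify the certificate a Strimzi Kafka TLS listener presents.
# The librdkafka error in the question ("broker certificate could not be
# verified") is exactly what "Verify return code" != 0 means here.

# Option 1 from the answer: the cluster CA Strimzi generated (or that you
# installed) lives in the Secret <cluster>-cluster-ca-cert. With option 2
# (brokerCertChainAndKey) the client must instead trust the CA that issued
# your custom certificate, so point check_listener at that CA file.
fetch_strimzi_cluster_ca() {
  cluster="$1"; namespace="$2"; out="$3"   # e.g. my-cluster kafka ca.crt
  kubectl get secret "${cluster}-cluster-ca-cert" -n "$namespace" \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > "$out"
}

# Read openssl s_client output on stdin and print the numeric verify code
# ("0" means the chain verified against -CAfile; 21 = self-signed leaf, etc.).
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Print subject, issuer and validity of the certificate the broker sent,
# so a stale or wrong Secret is visible immediately.
presented_cert() {
  sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
    | openssl x509 -noout -subject -issuer -dates
}

# check_listener HOST PORT CA_FILE  -> exit status 0 only if the chain verifies.
# -servername matters: the listener certificate's SANs must match the
# bootstrap or per-broker name the client connects to.
check_listener() {
  host="$1"; port="$2"; ca_file="$3"        # e.g. 104.42.195.73 9094 ca.crt
  out=$(openssl s_client -connect "${host}:${port}" -servername "$host" \
          -CAfile "$ca_file" </dev/null 2>/dev/null)
  printf '%s\n' "$out" | presented_cert
  code=$(printf '%s\n' "$out" | verify_code)
  echo "Verify return code: ${code:-none}"
  [ "$code" = "0" ]
}

# Run directly as: sh check-listener.sh HOST PORT CA_FILE
if [ "$#" -eq 3 ]; then
  check_listener "$1" "$2" "$3" && echo "listener certificate verified against $3"
fi
```

A non-zero code with the custom certificate usually means the client was given Strimzi's cluster CA instead of the public CA that signed the listener certificate, or the wrong -servername.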