ca2root is in client truststore
caroot is not imported into client truststore
kafka.example.com is not imported into client truststore
oemkafka.example.com is not imported into client truststore

Martin
______________________________________________
> From: ka...@harsha.io
> Date: Mon, 18 Jul 2016 03:29:36 +0000
> Subject: Re: TLS based ACL: Does Kafka support multiple CA Certs on broker
> To: users@kafka.apache.org
>
> Did you make sure both those CAs are imported into Broker's truststore?
>
> -Harsha
>
> On Fri, Jul 15, 2016 at 5:12 PM Raghavan, Gopal <gopal.ragha...@here.com>
> wrote:
>
> > Hi,
> >
> > Can Kafka support multiple CA certs on broker?
> > If yes, can you please point me to an example.
> >
> > Producer signed with second CA (CA2) is failing. Client signed with CA1 is
> > working fine.
> >
> > kafka-console-producer --broker-list kafka.example.com:9093 --topic oem2-kafka --producer.config /etc/kafka/oem_producer_ssl.properties
> > hello oem2
> > are you there
> > [2016-07-15 23:01:04,643] ERROR Error when sending message to topic oem2-kafka with key: null, value: 15 bytes with error: Failed to update metadata after 60000 ms. (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
> > [2016-07-15 23:02:04,646] ERROR Error when sending message to topic oem2-kafka with key: null, value: 17 bytes with error: Failed to update metadata after 60000 ms. (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
> >
> > Any suggestions?
> >
> >
> > ----------
> >
> > Server shows two CA names, but only one subject/issuer name.
> >
> > openssl s_client -debug -connect localhost:9093 -tls1
> > subject=/C=GB/ST=London/L=London/O=Confluent/OU=Broker/CN=kafka.example.com
> > issuer=/CN=ca.example.com/L=London/ST=London/C=GB
> > ---
> > Acceptable client certificate CA names
> > /CN=ca.example.com/L=London/ST=London/C=GB
> > /CN=ca2.example.com/L=London/ST=London/C=GB
> >
> >
> > Here is my configuration:
> >
> > kafka.server.truststore.jks:
> > 2 entries
> > CA1: C=GB, ST=London, L=London, CN=ca.example.com
> > CA2: C=GB, ST=London, L=London, CN=ca2.example.com
> >
> > kafka.server.keystore.jks:
> > 4 entries
> > Alias name: ca2root
> > Owner: C=GB, ST=London, L=London, CN=ca2.example.com
> > Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
> > Alias name: caroot
> > Owner: C=GB, ST=London, L=London, CN=ca.example.com
> > Issuer: C=GB, ST=London, L=London, CN=ca.example.com
> > Alias name: kafka.example.com
> > Certificate chain length: 2
> > Certificate[1]:
> > Owner: CN=kafka.example.com, OU=Broker, O=Confluent, L=London, ST=London, C=GB
> > Issuer: C=GB, ST=London, L=London, CN=ca.example.com
> > Alias name: oemkafka.example.com
> > Certificate chain length: 2
> > Certificate[1]:
> > Owner: CN=kafka.example.com, OU=oemBroker, O=Confluent, L=London, ST=London, C=GB
> > Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
> >
> >
> > Client Side
> > kafka.oem.truststore.jks
> > 1 entry
> > Alias name: ca2root
> > Owner: C=GB, ST=London, L=London, CN=ca2.example.com
> > Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
> >
> > kafka.oem.keystore.jks
> > Alias name: oemkafka.example.com
> > Certificate chain length: 2
> > Certificate[1]:
> > Owner: CN=kafka.example.com, OU=OEM, O=Client2, L=Boston, ST=Boston, C=US
> > Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
> > Alias name: ca2root
> > Owner: C=GB, ST=London, L=London, CN=ca2.example.com
> > Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
> >
> >
> > Thanks,
> > --
> > Gopal
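A way to check the diagnosis above mechanically, as an added example that is not part of the thread or of Kafka: the script parses `keytool -list -v` style output for the broker keystore and the client truststore and reports every broker certificate whose issuer is not a CA the client trusts. The sample listings are reconstructed from the quoted output; the function names are the example's own.

```python
# Added diagnostic (not Kafka's own code): given `keytool -list -v` output for a
# broker keystore and a client truststore, report broker certificates whose
# issuer is not a CA the client trusts.
import re

def parse_dn(dn):
    """Order-independent form of an X.500 DN such as 'C=GB, ST=London, CN=ca.example.com';
    keytool and openssl print the same DN with the RDNs in opposite orders."""
    return frozenset((k.strip().upper(), v.strip())
                     for k, v in (rdn.split("=", 1) for rdn in dn.split(",")))

def parse_keytool_listing(text):
    """Yield (alias, owner_dn, issuer_dn) per entry; for a chain entry only the
    leaf certificate (first Owner/Issuer pair after the alias) is used."""
    for block in re.split(r"(?m)^[ \t]*Alias name: ", text)[1:]:
        lines = [ln.strip() for ln in block.splitlines()]
        owner = next(ln[len("Owner:"):] for ln in lines if ln.startswith("Owner:"))
        issuer = next(ln[len("Issuer:"):] for ln in lines if ln.startswith("Issuer:"))
        yield lines[0], parse_dn(owner), parse_dn(issuer)

def untrusted_server_certs(broker_keystore, client_truststore):
    """Aliases of broker certificates the client cannot validate. Self-signed
    entries (owner == issuer) are CA certificates, not server certificates."""
    trusted = {o for _, o, i in parse_keytool_listing(client_truststore) if o == i}
    return sorted(a for a, o, i in parse_keytool_listing(broker_keystore)
                  if o != i and i not in trusted)

# Sample input reconstructed from the listings quoted in the thread.
BROKER_KEYSTORE = """
Alias name: caroot
Owner: C=GB, ST=London, L=London, CN=ca.example.com
Issuer: C=GB, ST=London, L=London, CN=ca.example.com
Alias name: ca2root
Owner: C=GB, ST=London, L=London, CN=ca2.example.com
Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
Alias name: kafka.example.com
Certificate chain length: 2
Certificate[1]:
Owner: CN=kafka.example.com, OU=Broker, O=Confluent, L=London, ST=London, C=GB
Issuer: C=GB, ST=London, L=London, CN=ca.example.com
Alias name: oemkafka.example.com
Certificate chain length: 2
Certificate[1]:
Owner: CN=kafka.example.com, OU=oemBroker, O=Confluent, L=London, ST=London, C=GB
Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
"""
CLIENT_TRUSTSTORE = """
Alias name: ca2root
Owner: C=GB, ST=London, L=London, CN=ca2.example.com
Issuer: C=GB, ST=London, L=London, CN=ca2.example.com
"""
```

`untrusted_server_certs(BROKER_KEYSTORE, CLIENT_TRUSTSTORE)` returns `['kafka.example.com']`, the CA1-signed certificate that the `openssl s_client` output shows the broker actually presenting; adding the caroot entry to the client truststore makes the list empty.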