
I am using Kafka (version 2.3.0) and Zookeeper (version 3.5.5-3) - the stable version is 3.6.3.

When I test the SSL of my Zookeeper using this command:

openssl s_client -showcerts -connect 127.0.0.1:2280 -CAfile /certs/ca-chain.cert.pem

and I am getting this error:

140371409225024:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42

But if I install Zookeeper version 3.5.7 and up, I can add this in my zoo.cnf or zookeeper.properties:

ssl.clientAuth=want

and I no longer see any SSL errors.

Any tips/suggestions on how to fix this SSL error without upgrading? (I don't want to update at the moment, to avoid other conflicts like Kafka Cruise Control and others.)

Thanks in advance!

John Mark

1 Answer


Zookeeper until version 3.5.7 expects mutual TLS, i.e. that the client authenticates itself with its own certificate. Only starting with 3.5.7 can it make client certificates optional ("want") or not even requested ("none"). This means the only way for older versions is to actually have client certificates, i.e. the -cert and -key options for openssl s_client.

Steffen Ullrich
  • Thanks for your help. So I used this `openssl s_client -showcerts -connect 55.55.55.55:2280 -CAfile /certs/ca-chain.cert.pem -cert /root/ca/intermediate/certs/intermediate.cert.pem  -key /root/ca/intermediate/private/intermediate.key.pem` and it works just fine. But how can I use -cert and -key to connect my Kafka server to Zookeeper? – John Mark Aug 16 '21 at 23:44
  • @JohnMark: I'm not familiar with Kafka configuration but from [quick search](https://www.google.com/search?q=kafka+zookeeper+configuration+client+certificate) it basically looks like putting the client certificates and key into the keystore and let Kafka use it. The instructions are probably easier to understand for someone who is already familiar with Kafka and Zookeeper. – Steffen Ullrich Aug 17 '21 at 03:59
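Following up on the comment above about putting the client certificate and key into a keystore: an added example, not code from the question or the answer, that packages the cert/key pair which made `openssl s_client` succeed into a keystore and a truststore and assembles the JVM options for the ZooKeeper 3.5 client bundled with Kafka. The file paths are the question's; the `zookeeper.ssl.*` property names and store types are assumptions taken from ZooKeeper's 3.5 client documentation, and only a 3.5.x zookeeper jar in Kafka's libs/ directory honours them, so check which one your Kafka ships before relying on this.

```shell
# Added example (not from the question or answer): build a keystore from the
# client cert + key, a truststore from the CA chain, and the JVM options the
# ZooKeeper 3.5 client inside Kafka reads. Paths mirror the question; the
# property names are assumed from ZooKeeper 3.5's client docs (verify them).
set -eu
CLIENT_CERT="${CLIENT_CERT:-/root/ca/intermediate/certs/intermediate.cert.pem}"
CLIENT_KEY="${CLIENT_KEY:-/root/ca/intermediate/private/intermediate.key.pem}"
CA_CHAIN="${CA_CHAIN:-/certs/ca-chain.cert.pem}"
OUT_DIR="${OUT_DIR:-/etc/kafka/zk-tls}"
STORE_PASS="${STORE_PASS:-changeit}"   # constructed placeholder, not a real secret
# Bundle the PEM cert + key (plus chain) into a PKCS12 keystore the JVM can load.
make_keystore() {
  mkdir -p "$OUT_DIR"
  openssl pkcs12 -export -name zk-client \
    -in "$CLIENT_CERT" -inkey "$CLIENT_KEY" -certfile "$CA_CHAIN" \
    -out "$OUT_DIR/zk-client.p12" -passout "pass:$STORE_PASS"
}

# keytool reads only the first certificate of a PEM bundle, so split the chain
# and import every certificate as its own trusted entry.
make_truststore() {
  mkdir -p "$OUT_DIR"
  awk -v d="$OUT_DIR" '/BEGIN CERT/{n++} n>0{print > (d "/ca-" n ".pem")}' "$CA_CHAIN"
  for f in "$OUT_DIR"/ca-*.pem; do
    keytool -importcert -noprompt -storetype JKS -alias "$(basename "$f" .pem)" \
      -file "$f" -keystore "$OUT_DIR/zk-truststore.jks" -storepass "$STORE_PASS"
  done
}

# JVM options that switch Kafka's embedded ZooKeeper client to TLS with a client
# certificate; export them as KAFKA_OPTS before starting the broker.
zk_client_opts() {
  printf '%s' \
    "-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty" \
    " -Dzookeeper.client.secure=true" \
    " -Dzookeeper.ssl.keyStore.location=$OUT_DIR/zk-client.p12" \
    " -Dzookeeper.ssl.keyStore.password=$STORE_PASS" \
    " -Dzookeeper.ssl.keyStore.type=PKCS12" \
    " -Dzookeeper.ssl.trustStore.location=$OUT_DIR/zk-truststore.jks" \
    " -Dzookeeper.ssl.trustStore.password=$STORE_PASS" \
    " -Dzookeeper.ssl.trustStore.type=JKS"
}

# Repeat the question's probe with the client cert; succeeds only if the server
# sends no TLS alert (the question's failure line ended in "alert number 42").
verify_handshake() {
  ! openssl s_client -connect "${1:-127.0.0.1:2280}" -CAfile "$CA_CHAIN" \
    -cert "$CLIENT_CERT" -key "$CLIENT_KEY" </dev/null 2>&1 | grep -q 'alert number'
}
```

Run `make_keystore`, `make_truststore` and `verify_handshake host:2280` on the broker host, then start Kafka with `KAFKA_OPTS="$(zk_client_opts)"` exported.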