SSL HANDSHAKE Failed.

[bj9306]

Team,
I have a cluster with below configuration.

configuration:
brokerCertChainAndKey:
secretName: aione-kafka2-listener-secret
certificate: tls.crt
key: tls.key
bootstrap:
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
alternativeNames:
- watchtower-nprd-kafka.att.com
brokers:
- broker: 0
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
external-dns.alpha.kubernetes.io/hostname: watchtower-nprd-kafka-0.att.com
advertisedHost: watchtower-nprd-kafka-0.att.com

the brokercertificate used here is having different common name(watchtower.web.att.com) as compared to broker/bootstrap name(watchtower-nprd-kafka.att.com).

kubectl get secret aione-kafka1-listener-secret -o 'jsonpath={.data.tls.crt}' -n aione-dev | base64 -d | openssl x509 -subject -issuer -startdate -enddate -noout
subject=C = US, ST = Texas, L = Dallas, O = "Company", CN = watchtower.web.att.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
notBefore=May 17 00:00:00 2021 GMT
notAfter=May 25 23:59:59 2022 GMT

i have done this because i want to re-use same broker certs for many clusters.

so now i have client certs signed by digicerts. my client is failing with attached error. i havent imported ca.certs into client truststore as both client and server certs signed by same CA

any help is appreciated.

[scholzj]

• Please format the YAML snippets as code to make them readable
• The error in your client says it does not trust your server certificate or the CA which signed it. So I guess you might need to add it to the truststore? You do not show how the client is configured, so it is not really clear why.

[bj9306]

To create keystore:

openssl pkcs12 -export -in fullchain.pem -inkey private.key -certfile fullchain.pem -out fullchain.p12

Where "fullchain.pem" is the signed full chain certificate from digicert.

Where "private.key" is the associated private key used to create the certificate signing request for digicert

keytool -importkeystore -srckeystore fullchain.p12 -srcstoretype pkcs12 -destkeystore fullchain.jks -deststoretype jks

Where "fullchain.p12" is the file created in the previous command

To create truststore:

simply taken from Java sdk:

cp jre/lib/security/cacerts kafka.client.truststore.jks

Test kafka connection:

kafka-console-consumer --consumer.config client.properties --topic metrics --bootstrap-server host:port --max-messages 1

Where client.properties is

security.protocol=SSL
ssl.truststore.location=kafka.client.truststore.jks
ssl.keystore.location=fullchain.jks
ssl.keystore.password=PASSWORD
ssl.key.password=PASSWORD

Where "PASSWORD" is the password used in the prompts following the commands used above to create the keystore

[bj9306]

Also my broker and client certificate is signed by same authority.

kubectl get secret kafka-tls-listner-secert -o 'jsonpath={.data.kafka.crt}' | base64 -d | openssl x509 -issuer -startdate -enddate -noout
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
notBefore=Feb 26 00:00:00 2021 GMT
notAfter=Mar 29 23:59:59 2022 GMT

cat tls.crt | openssl x509 -issuer -startdate -enddate -noout
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
notBefore=May 25 00:00:00 2021 GMT
notAfter=Jun 2 23:59:59 2022 GMT

[scholzj]

I'm sorry, but I do not follow your configuration. The snippet from the first post (assuming it is correctly formatted which is not visible from how you copied it) shows only server certificate - so truststore is all you need. It is not clear what else do you have configured.

[bj9306]

Certs added to client-ca secret and above issue fixed.