Issue
I have simple Spring Boot App and Kafka with working SSL connection (other apps, not Spring Boot, have successful connection). I haven't access to kafka brokers properties. My app is a client for kafka. And this app running in container inside kubernetes. My spring boot have access to keystore.p12, ca-cert, kafka.pem, kafka.key files (it's in directory inside container).
In configuration I use
spring.kafka.security.protocol=SSL
spring.kafka.ssl.protocol=SSL
spring.kafka.ssl.key-store-type=PKCS12
spring.kafka.ssl.key-store-location=file:///path/to/keystore.p12
spring.kafka.ssl.key-store-password=password
spring.kafka.ssl.trust-store-type=PKCS12
spring.kafka.ssl.trust-store-location=file:///path/to/keystore.p12 (it's the same file, and I think it's incorrect)
spring.kafka.ssl.trust-store-password=password
spring.kafka.properties.ssl.endpoint.identification.algorithm=
spring.kafka.enable.ssl.certificate.verification=false
Everytime I receive ERROR
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:349) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:287) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:551) [kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1389) [kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1320) [kafka-clients-3.0.0.jar!/:?]
at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:551) [kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1389) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1320) ~[kafka-clients-3.0.0.jar!/:?]
at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.common.network.Selector.poll(Selector.java:481) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:551) [kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1389) ~[kafka-clients-3.0.0.jar!/:?]
at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1320) ~[kafka-clients-3.0.0.jar!/:?]
at java.lang.Thread.run(Thread.java:829) ~[?:?]
I try different variations: only key store, only trust store, delete last two properties in config (endpoint.identification.algorithm and certificate.verification). Should I try to create truststore and import the certificates I have in container? I don't understand the right way for this.What is the right configuration and right way to use certificates I have?
Solution
The problem was with wrong syntax of properties. The right way to do it
spring.kafka.properties.ssl.keystore.type=PKCS12
spring.kafka.properties.ssl.keystore.location=/path/to/keystore.p12
spring.kafka.properties.ssl.keystore.password=password
spring.kafka.properties.ssl.truststore.type=PKCS12
spring.kafka.properties.ssl.truststore.location=/path/to/keystore.p12 (it's the same file, it's correct!!)
spring.kafka.properties.ssl.truststore.password=password
And yes, it's absolutely acceptable to use the same p12 file both keystore and truststore.
Answered By - Sasha Korn
Answer Checked By - Senaida (JavaFixing Volunteer)