
PEM SSL #244

Open
coredump17 opened this issue Sep 21, 2023 · 2 comments

Comments

@coredump17

coredump17 commented Sep 21, 2023

Below logic (in include/etc/confluent/docker/configure) does not allow for PEM SSL ADVERTISED_LISTENERS:

Quick workaround is to not allow advertised listeners match SSL ;)

```bash
# Set if ADVERTISED_LISTENERS has SSL:// or SASL_SSL:// endpoints.
if [[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]] && [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]
then
  echo "SSL is enabled."

  dub ensure KAFKA_SSL_KEYSTORE_FILENAME
```

KAFKA_SSL_KEYSTORE_LOCATION is used for PEM files instead of KAFKA_SSL_KEYSTORE_FILENAME when KAFKA_SSL_TRUSTSTORE_TYPE = PEM.

@Cito

Cito commented Nov 10, 2023

Came here to report the same problem. Just to explain the issue more clearly:

You can configure SSL either in the classical way using KAFKA_SSL_KEYSTORE_FILENAME etc. or you can specify PEM certificates and keys directly using KAFKA_SSL_KEYSTORE_CERTIFICATE_CHAIN etc. In that case, you don't pass file names and locations, but the actual content of the PEM files - see here.

However, the "configure" script has these lines that allow only the former method of configuring SSL, and therefore prohibit using PEM certificates. This part of the script should be adapted.

As @mooneym17 mentioned, a workaround is to use a protocol name in ADVERTISED_LISTENERS that does not rhyme with SSL and map it to SSL. This fools the configure script into believing you're not using SSL and not to interfere with the SSL settings.
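The two configuration styles described in this thread (keystore file vs. inline PEM content) and the listener-name test that the rename workaround exploits, as an added shell example. This is not code from the confluentinc/kafka-images configure script; `ensure_set` stands in for `dub ensure`, and the variable names `KAFKA_SSL_KEYSTORE_TYPE`, `KAFKA_SSL_KEYSTORE_KEY`, `KAFKA_SSL_KEYSTORE_CERTIFICATE_CHAIN`, `KAFKA_SSL_TRUSTSTORE_TYPE` and `KAFKA_SSL_TRUSTSTORE_CERTIFICATES` are assumed to be the `KAFKA_`-prefixed forms of Kafka's `ssl.keystore.*` / `ssl.truststore.*` properties. The check also goes beyond the original by resolving listener names through `KAFKA_LISTENER_SECURITY_PROTOCOL_MAP`, so a listener renamed to dodge the `*SSL://*` match is still recognised as SSL and still validated:

```bash
#!/usr/bin/env sh
# Added example, not the project's configure script. Assumed variable names
# are noted in the lead-in; ensure_set stands in for `dub ensure`.

ensure_set() {
  # Return 1 if the named variable is unset or empty, as `dub ensure` does.
  eval "_val=\${$1-}"
  if [ -z "$_val" ]; then
    echo "Error: $1 is required." >&2
    return 1
  fi
  return 0
}

listeners_use_ssl() {
  # $1 = KAFKA_ADVERTISED_LISTENERS, $2 = KAFKA_LISTENER_SECURITY_PROTOCOL_MAP
  # (may be empty). Returns 0 if any advertised listener is SSL or SASL_SSL,
  # resolving custom listener names (INTERNAL, EXTERNAL, ...) through the map
  # instead of matching the literal text "SSL://".
  listeners="$1"; map="$2"
  old_ifs=$IFS; IFS=','
  for l in $listeners; do
    name="${l%%://*}"
    proto="$name"
    for m in $map; do
      case "$m" in
        "$name":*) proto="${m#*:}" ;;
      esac
    done
    case "$proto" in
      SSL|SASL_SSL) IFS=$old_ifs; return 0 ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

check_ssl_config() {
  # Returns 0 when the SSL settings are complete for the chosen store type,
  # 1 when a required variable is missing. Reads the KAFKA_* shell variables.
  listeners_use_ssl "${KAFKA_ADVERTISED_LISTENERS-}" \
                    "${KAFKA_LISTENER_SECURITY_PROTOCOL_MAP-}" || return 0
  echo "SSL is enabled."

  if [ "${KAFKA_SSL_KEYSTORE_TYPE-}" = "PEM" ]; then
    # PEM: key and certificate chain are passed as content; there is no
    # keystore file to locate, so do not demand KAFKA_SSL_KEYSTORE_FILENAME.
    ensure_set KAFKA_SSL_KEYSTORE_KEY || return 1
    ensure_set KAFKA_SSL_KEYSTORE_CERTIFICATE_CHAIN || return 1
  else
    # Classic JKS/PKCS12 keystore file, as the script requires today.
    ensure_set KAFKA_SSL_KEYSTORE_FILENAME || return 1
  fi

  if [ "${KAFKA_SSL_TRUSTSTORE_TYPE-}" = "PEM" ]; then
    # PEM truststore: CA certificates are passed inline as well (assumed name).
    ensure_set KAFKA_SSL_TRUSTSTORE_CERTIFICATES || return 1
  fi
  return 0
}

# Constructed sample run: a PEM-configured broker with no keystore file.
KAFKA_ADVERTISED_LISTENERS="SSL://broker:9093"
KAFKA_SSL_KEYSTORE_TYPE="PEM"
KAFKA_SSL_KEYSTORE_KEY="-----BEGIN PRIVATE KEY----- (constructed placeholder)"
KAFKA_SSL_KEYSTORE_CERTIFICATE_CHAIN="-----BEGIN CERTIFICATE----- (constructed placeholder)"
check_ssl_config && echo "PEM configuration accepted."
```

Resolving the security protocol through the map is what removes the need for the rename workaround: a listener called `INTERNAL` mapped to `SSL` is treated as SSL, and its PEM or keystore settings are validated rather than silently skipped.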

@Cito

Cito commented Nov 10, 2023

This issue seems to be a duplicate of #58 and #72 (which also comes with a PR to fix it).

It is also related to #89 and #100 which are exploited in the suggested workaround.
