
I had posted a question here regarding setting the EnableSslCertificateVerification setting to true and how it doesn't work on Windows: the SSL handshake fails.

I found out that this is solved by adding the SslCaLocation setting as follows:

    "Dev-on-Windows": {
      "commandName": "Project",
      "environmentVariables": {
        "Kafka__BootstrapServers": "myloadbalancer.myhost.corp:9094",
        "Kafka__EnableSslCertificateVerification": "true",
        "Kafka__SchemaRegistryUrl": "myschemareg.myhost.corp:8081,myschemreg2.myhost.corp:8081",
        "Kafka__SecurityProtocol": "SaslSsl",
        "Kafka__SslCaLocation": "cacert.pem",
        "Kafka__SaslMechanism": "Gssapi",
        "Kafka__ClientId": "DotNetCoreReferenceApplication",
        "Kafka__ErrorTolerance": "Moderate",
        "Kafka__Debug": "all",
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:5001;http://localhost:5000"
    },

where the cacert.pem file is simply the concatenation of the signature PKs of the certificates. That works. I am not sure why that is needed when ideally it should be able to check the trusted root store on Windows.

UPDATE

Two certs are required. One of them is in the Trusted Root Certificate Authorities and the other is in the Intermediate Certificate Authorities.

I removed the SslCaLocation configuration and simply imported the second certificate from the Intermediate store to the Root store and it worked.

Does the Confluent client library for Kafka / librdkafka for Windows not look into the Intermediate Certificate Store?

Saher Ahwal
  • Just FYI, there is a bug in librdkafka, which the Confluent client relies on. On Windows, only the CAs in the Root CA store matter; the client does not enumerate the Intermediate CA store. – Saher Ahwal Aug 20 '20 at 00:19
  • Please see here: https://github.com/edenhill/librdkafka/issues/3025 – Saher Ahwal Aug 20 '20 at 00:19
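The workaround described in the question (a cacert.pem containing both the root and the intermediate CA, pointed at by SslCaLocation) can be produced directly from the Windows certificate stores instead of being assembled by hand, and that also avoids the alternative of copying the intermediate into the Trusted Root store. The following PowerShell script is an added example and is not code from the question author, Confluent or librdkafka. The two subject names and the output path are placeholders; it assumes the CAs live in the LocalMachine Root and CA (Intermediate Certification Authorities) stores, and it checks that the intermediate really was issued by the exported root before writing the file:

```powershell
# Added example (not from the question or librdkafka): export the broker's CA
# chain from the Windows stores into the cacert.pem that SslCaLocation expects.
# librdkafka on Windows only loads the Root store, so the intermediate CA from
# the "CA" store has to be placed in the file explicitly.

# Placeholders: replace with the subjects of the CAs that issued your broker cert.
$RootSubject         = 'CN=Example Corp Root CA'      # placeholder, not a real CA
$IntermediateSubject = 'CN=Example Corp Issuing CA'   # placeholder, not a real CA
$OutFile             = Join-Path (Get-Location) 'cacert.pem'   # placeholder path

function ConvertTo-PemCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Base64 of the DER bytes wrapped at 64 columns, the form OpenSSL reads.
    $b64 = [Convert]::ToBase64String($Certificate.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`n$($lines -join "`n")`n-----END CERTIFICATE-----`n"
}

function Get-StoreCertificate {
    param([string]$StorePath, [string]$Subject)
    # Newest non-expired certificate with exactly this subject in the given store.
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -eq $Subject -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$root         = Get-StoreCertificate -StorePath 'Cert:\LocalMachine\Root' -Subject $RootSubject
$intermediate = Get-StoreCertificate -StorePath 'Cert:\LocalMachine\CA'   -Subject $IntermediateSubject

if (-not $root)         { throw "Root CA '$RootSubject' not found in Cert:\LocalMachine\Root" }
if (-not $intermediate) { throw "Intermediate CA '$IntermediateSubject' not found in Cert:\LocalMachine\CA" }

# Chain check: the intermediate must be issued by the root we are exporting,
# otherwise verification still fails and the error from librdkafka is misleading.
if ($intermediate.Issuer -ne $root.Subject) {
    throw "'$($intermediate.Subject)' was issued by '$($intermediate.Issuer)', not by '$($root.Subject)'"
}

# Root first, then intermediate (OpenSSL does not care about the order, but it
# is easier to read). Write UTF-8 without a BOM: Out-File in Windows PowerShell
# defaults to UTF-16, which OpenSSL cannot parse as PEM.
$pem = (ConvertTo-PemCertificate $root) + (ConvertTo-PemCertificate $intermediate)
[System.IO.File]::WriteAllText($OutFile, $pem, [System.Text.UTF8Encoding]::new($false))

$count = ([regex]::Matches($pem, '-----BEGIN CERTIFICATE-----')).Count
Write-Host "Wrote $count certificates to $OutFile"
Write-Host "  root:         $($root.Subject)  (thumbprint $($root.Thumbprint))"
Write-Host "  intermediate: $($intermediate.Subject)  (thumbprint $($intermediate.Thumbprint))"
```

Run it from the directory the application starts in, because the Kafka__SslCaLocation value in the question ("cacert.pem") is resolved relative to the working directory; point it at an absolute path if the working directory differs between debugging and deployment. The exported file is the trust anchor for every broker connection, so treat it like any other trust-store artifact: keep it out of source control if the CAs are private, and regenerate it when the intermediate is rotated.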

0 Answers