1

I have configured a Kafka cluster with Strimzi. I have enabled TLS authentication and exposed the service with a NodePort.

After that I exported my CA and its password to generate a JKS to connect to Kafka. The problem is that I'm getting the following error:

java.security.cert.CertificateException: No subject alternative names matching IP address 172.26.195.44 found

To export the password and the CA:

kubectl get secret kafka-cluster-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt
kubectl get secret kafka-cluster-cluster-ca-cert -o jsonpath='{.data.ca\.password}' | base64 --decode > ca.password

To generate the JKS I followed these steps:

# create a new key pair for the client under alias "kafka" (prompts for store/key passwords)
keytool -genkey -alias kafka -keyalg RSA -keystore kafka.jks -keysize 2048
# migrate the store in place from the proprietary JKS format to PKCS12
keytool -importkeystore -srckeystore kafka.jks -destkeystore kafka.jks -deststoretype pkcs12

export CERT_FILE_PATH=ca.crt
export CERT_PASSWORD_FILE_PATH=ca.password
export KEYSTORE_LOCATION=kafka.jks
export PASSWORD=`cat $CERT_PASSWORD_FILE_PATH`
export CA_CERT_ALIAS=strimzi-kafka-cert

# import the cluster CA as a trusted certificate; -keypass does not set the store password,
# so keytool still prompts for the password chosen for kafka.jks above
sudo keytool -importcert -alias $CA_CERT_ALIAS -file $CERT_FILE_PATH -keystore $KEYSTORE_LOCATION -keypass $PASSWORD
# confirm the CA entry is present
sudo keytool -list -alias $CA_CERT_ALIAS -keystore $KEYSTORE_LOCATION

I have also tried adding -ext SAN=dns:test.abc.com,ip:172.26.195.44

Any idea about this?

nole

1 Answer

2

As described in the docs, when using node port listeners you have to disable hostname verification in your client by default. The reason is that the node address is not known upfront, so it cannot be added to the certificates, and including all nodes would often not work because the worker nodes might come and go.

If you know the node addresses upfront because of your cluster configuration, you can have them added to the certificates using the alternativeNames option in the Kafka CR.

Jakub
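A concrete example of the second option, added here as an illustration and not taken from the answer above or from the Strimzi project: a fragment of the Kafka custom resource that declares the nodeport listener with TLS client authentication and pins the externally known addresses into the certificates. It assumes the current kafka.strimzi.io/v1beta2 API, the cluster name kafka-cluster from the question, a single broker 0, and that test.abc.com and 172.26.195.44 are the stable addresses clients will use. The IP entry under alternativeNames is written on the assumption that Strimzi emits it as an IP-type SAN; verify the issued certificate before relying on it.

```yaml
# Added example (not from the original post or from Strimzi).
# Only the listener part of the Kafka CR is shown; storage, zookeeper and
# the entity operator are omitted.
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: kafka-cluster            # matches the secret name kafka-cluster-cluster-ca-cert
spec:
  kafka:
    replicas: 1                  # assumption: a single broker, index 0
    listeners:
      - name: external
        port: 9094
        type: nodeport
        tls: true
        authentication:
          type: tls              # mutual TLS, as in the question
        configuration:
          bootstrap:
            # Extra subject alternative names for the bootstrap certificate.
            # Without these, a client connecting to 172.26.195.44 fails
            # hostname verification with "No subject alternative names
            # matching IP address ... found".
            alternativeNames:
              - test.abc.com     # assumption: DNS name clients resolve to a node
              - 172.26.195.44    # assumption: emitted as an IP SAN (check with openssl)
          brokers:
            - broker: 0
              # Address advertised for this broker; clients connect here after
              # bootstrap, so it has to pass hostname verification as well.
              advertisedHost: 172.26.195.44
    # ... remaining kafka config (storage, version) omitted
  # ... zookeeper and entityOperator omitted
```

After applying the resource, confirm what actually landed in the certificate before changing anything on the client: openssl s_client -connect 172.26.195.44:<nodeport> </dev/null | openssl x509 -noout -ext subjectAltName. If the node addresses cannot be known in advance, the client-side alternative the answer refers to is an empty ssl.endpoint.identification.algorithm= in the Kafka client properties, which turns off hostname verification while still validating the certificate chain against the cluster CA in the truststore.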