
I want to set up a certificate in docker-compose.yml for the "kafka-ui" container, image provectuslabs/kafka-ui (not a local environment).

I have this error:

```text
Failed authentication with broker. SslAuthenticationException (SSL handshake failed)

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

This is my docker-compose file:

```yaml
version: '2'
services:
  kafka-ui:
    container_name: kafka-ui
    image: provectuslabs/kafka-ui
    ports:
      - 8080:8080
    restart: always
    environment:
      KAFKA_CLUSTERS_0_NAME: CONNECTION_NAME
      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: XXXX:9093
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY: XXXX:8081
      KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM: SCRAM-SHA-512
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="XXXX";'
```

Which option is the correct one for adding a certificate?

The cluster is configured with Confluent, and with these options it doesn't work:

```yaml
KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION: /opt/confluent/ssl/private/kafka_broker.keystore.jks
KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /opt/confluent/ssl/private/kafka_broker.truststore.jks
```

Moreover, I can't pass SSL_KEYSTORE_PASSWORD and SSL_TRUSTSTORE_PASSWORD.

I have a .crt (certificate file) but I don't know how to add it.

Is it possible to add a certificate through docker-compose?

With this configuration:

```yaml
KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION: /opt/confluent/ssl/private/kafka_broker.keystore.jks
KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_PASSWORD:
KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_TYPE: JKS
KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /opt/confluent/ssl/private/kafka_broker.truststore.jks
KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD:
KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_TYPE: JKS
```

I have this error: `Caused by: org.apache.kafka.common.errors.InvalidConfigurationException: SSL key store is specified, but key store password is not specified.`

It is not possible with SSL_KEYSTORE and SSL_TRUSTSTORE because I don't know the passwords.

I only have a certificate with the ".crt" extension. Is it possible to add a certificate through docker-compose? How do I do it? Is there any other way to do it?

For example, with other programs I add this certificate in the path (\lib\security) with the command "keytool -import -trustcacerts ...", but with docker-compose I don't know how.

  • You've shown the ssl properties as commented and no mounted volume to those JKS files (do you also have those?). Also, you seem to only have one cluster (cluster 0), so the cluster 1 property wouldn't be correct, anyway – OneCricketeer May 18 '22 at 12:29
  • Cluster 1 is my mistake, there is only one cluster. I don't know what the configuration is. Do you know how to add a certificate in this docker-compose? – davidleongz May 18 '22 at 12:52
  • Do you have a JKS file, though? You would need to mount `/opt/confluent/ssl/private/` as a Docker volume, for example. The property name seems fine, though – OneCricketeer May 18 '22 at 15:47
  • I don't have a JKS file. I edited the end of the question. Could you please read it again? This configuration file https://github.com/provectus/kafka-ui/blob/master/documentation/compose/kafka-ssl.yml is not valid for my case because I don't know the keystore and truststore password. I only have a ".crt" file – davidleongz May 19 '22 at 07:09
  • You'll need to [create a JKS file](https://stackoverflow.com/questions/38250271/creating-a-jks-from-a-crt-and-key-file-is-that-possible) from the CRT. But you might be able to give a PEM crt file too - https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key – OneCricketeer May 19 '22 at 17:52
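The approach the comments point at, written out as an added compose file (not from the question, the comments or the kafka-ui project): mount the .crt into the container and point the client's truststore at it, with no keystore at all, since SASL_SSL/SCRAM authenticates with the username and password rather than a client certificate. It assumes the .crt is the CA (or chain) that issued the broker's certificate, which is exactly what the PKIX "unable to find valid certification path" error says is missing; the host path ./certs/ca.crt, the alias kafka-ca and the password changeit are placeholders.

```yaml
version: '2'
services:
  kafka-ui:
    container_name: kafka-ui
    image: provectuslabs/kafka-ui
    ports:
      - 8080:8080
    restart: always
    volumes:
      # Assumption: the CA .crt from the question sits next to this compose
      # file as ./certs/ca.crt on the host. Mounted read-only into the container.
      - ./certs/ca.crt:/certs/ca.crt:ro
    environment:
      KAFKA_CLUSTERS_0_NAME: CONNECTION_NAME
      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: XXXX:9093
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY: XXXX:8081
      KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM: SCRAM-SHA-512
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="XXXX";'
      # Option A: PEM truststore (KIP-651, Kafka clients 2.7+). The .crt is read
      # directly, and a PEM truststore has no password, so none is configured.
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_TYPE: PEM
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /certs/ca.crt
      # Option B (instead of A): build your own JKS truststore, so you choose the
      # password. On the host, before `docker-compose up` (placeholder values):
      #   keytool -importcert -trustcacerts -noprompt -alias kafka-ca \
      #     -file certs/ca.crt -keystore certs/kafka.truststore.jks -storepass changeit
      # then mount ./certs/kafka.truststore.jks:/certs/kafka.truststore.jks:ro and set:
      #   KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_TYPE: JKS
      #   KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /certs/kafka.truststore.jks
      #   KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD: changeit
      # Deliberately no SSL_KEYSTORE_* entries: a keystore holds a private key and
      # is only needed when the broker requires client certificates (mTLS). The
      # broker's own kafka_broker.keystore.jks should never be copied into the UI.
```

Pointing SSL_KEYSTORE_LOCATION at a file without a password is what produced the "key store password is not specified" error; removing the keystore entries, rather than guessing a password, is the fix here.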
