
I used a simple producer on Windows, but when I tried to run it on Ubuntu I got:

```
SSL handshake failed: error:0A000086:SSL routines::certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 5ms in state SSL_HANDSHAKE)
```

The librdkafka docs say this about `ssl.ca.location`:

> File or directory path to CA certificate(s) for verifying the broker's key. Defaults: On Windows the system's CA certificates are automatically looked up in the Windows Root certificate store. On Linux install the distribution's ca-certificates package.

I didn't find any info on how to get the right certificate from the Windows certificate store and transfer it to the Ubuntu server. Can you help me get the right certificate and make the producer work on Ubuntu, please?

```python
import socket

from confluent_kafka import Producer

kafka_config = {
    'bootstrap.servers': 'kafka...:9092, ... , kafka:9092',
    'client.id': socket.gethostname(),
    'security.protocol': 'SSL',
    # Client private key and certificate presented to the brokers
    'ssl.key.location': '/path/to/kafka-keystore.key.pem',
    'ssl.key.password': '12345',
    'ssl.certificate.location': '/path/to/kafka-keystore.crt.pem'
}
producer = Producer(kafka_config)
```
Killen
  • `sudo apt install ca-certificates`? – OneCricketeer Jul 13 '23 at 13:08
  • @OneCricketeer, I have no access to root and the Ubuntu server has no internet connection( – Killen Jul 13 '23 at 14:07
  • Okay, then you'll need to download Ubuntu ca-certificates dpkg package from a machine that can, and copy it over... As the documentation/error says, that's a requirement – OneCricketeer Jul 13 '23 at 14:11
  • @OneCricketeer, I checked `dpkg -l` and saw that ca-certificates is already installed. I guess I need to add ssl.ca.location with a path to some cert, but I don't know how to tell which CA cert is needed. I tried several, but they didn't fit (from ssl.certificate.location and others). – Killen Jul 13 '23 at 16:21
  • Without knowing how your cluster was set up, we cannot answer this. The server admin is the one responsible for creating certs... These settings are not required for a basic Kafka cluster with default settings – OneCricketeer Jul 13 '23 at 18:54

1 Answer


I imported the .cer file from the .jks via Keystore Explorer and put the path to it in ssl.ca.location.

Killen
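
The step described in the answer above, as an added example that is not part of the original post: it normalizes CA certificates exported from the keystore (PEM text or binary DER) into one PEM bundle and sets `ssl.ca.location` to it. The function names, file names and sample bytes are hypothetical, and it assumes the CA file is read as PEM.

```python
import re
import socket
import ssl
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of a Java keystore file

def certs_in(raw):
    """Return the DER bytes of each certificate in an export (PEM text or one binary DER)."""
    if raw.startswith(JKS_MAGIC):
        raise ValueError("this is the .jks itself; export the CA certificate from it first")
    if b"-----BEGIN CERTIFICATE-----" in raw:
        text = raw.decode("ascii", errors="ignore")
        return [ssl.PEM_cert_to_DER_cert(block) for block in PEM_RE.findall(text)]
    if not raw.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("file is neither PEM nor DER")
    return [raw]

def write_ca_bundle(exports, bundle):
    """Write every distinct certificate from the exported files into one PEM file; return the count."""
    seen = []
    for path in exports:
        for der in certs_in(Path(path).read_bytes()):
            if der not in seen:
                seen.append(der)
    Path(bundle).write_text("".join(ssl.DER_cert_to_PEM_cert(der) for der in seen))
    return len(seen)

def kafka_config(bootstrap, key, key_password, cert, ca_bundle):
    """Producer settings from the question plus the CA bundle used to verify the brokers."""
    return {
        "bootstrap.servers": bootstrap,
        "client.id": socket.gethostname(),
        "security.protocol": "SSL",
        "ssl.key.location": key,
        "ssl.key.password": key_password,
        "ssl.certificate.location": cert,
        "ssl.ca.location": str(ca_bundle),
    }

if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER export; not a real certificate.
    workdir = Path(tempfile.mkdtemp())
    (workdir / "root-ca.cer").write_bytes(b"\x30\x03\x02\x01\x01")
    count = write_ca_bundle([workdir / "root-ca.cer"], workdir / "ca-bundle.pem")
    print(count, kafka_config("broker1:9092", "client.key.pem", "changeit", "client.crt.pem", workdir / "ca-bundle.pem"))
```

The certificate to export is the CA that signed the broker certificates (typically the entry in the truststore), not the client certificate already used for `ssl.certificate.location`.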