Replies: 4 comments 5 replies
-
Can you please describe exactly what you did and how? It is for example not clear where you added the certificate, where you see it, what the configuration of your Kafka custom resource is, etc.
-
thanks for the response, here is step by step what am I doing.
I did kubectl edit secrets dataflow-westus-clients-ca-cert and added ultimarc-ut-ca: to it. below is the updated secrets yaml file. after that, I run the below command to restart Kafka. kubectl annotate statefulset dataflow-westus-kafka strimzi.io/manual-rolling-update=true ++++++++++++update client-ca-cert file +++++++++++++++++++
======= post this I tried to check the certificate at Kafka using the below command. I find the newly added certificate is not in the acceptable certificate list. openssl s_client -debug -connect kafka.dataflow.iot.att.com:443 |
Beta Was this translation helpful? Give feedback.
-
Customer is external. Consumer gets the signed certificate for us. In this case the customer has a signed certificate from "Let's Encrypt". They have given us the chain.
From: Jakub Scholz ***@***.***>
Sent: 03 May 2021 14:24
To: strimzi/strimzi-kafka-operator ***@***.***>
Cc: Mukesh Kumar Arya <[email protected]>; Manual ***@***.***>
Subject: Re: [strimzi/strimzi-kafka-operator] added certificate is not in acceptable certificate list (#4875)
PS: At the beginning you said that you offer your clients to bring their own certificate. Who are the clients here? Customers or some other external entities? If that is the case, how do you control that the CAs you add there sign only the right certificates?
-
Problem is still not resolved. Does Strimzi do paid professional service or support?
-
I added the below certificate to the secret and restarted Kafka. I can see that the certificate is loaded in the directory in the Kafka pod. However, when I do the below, it is not in the acceptable certificate list:
=====================
openssl s_client -debug -connect kafka.dataflow.iot.att.com:443
Acceptable client certificate CA names
O = io.strimzi, CN = clients-ca v0
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
Where can I see the log of the certificate import to the Kafka server truststore?
Attached is the K8s secrets.
======================
Here is the certificate chain that I am trying to import to the Kafka server truststore.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
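A helper for the check made in the last post, added here as an example; it is not code from the thread or from the Strimzi project. It parses the "Acceptable client certificate CA names" block that openssl s_client prints (the CA list the server sends in its TLS CertificateRequest), normalizes distinguished names so that the s_client spelling (`O = io.strimzi, CN = clients-ca v0`), the `CN=...,O=...` form keytool prints and the older slash form of `openssl x509 -subject` compare equal, and reports which expected CA subjects the server does not advertise. It also splits a PEM bundle into its individual certificates, because a chain like the three-certificate one above must be imported one certificate at a time (keytool -importcert reads only the first certificate of a multi-certificate file). The s_client transcript and PEM bundle inside the script are constructed sample data modelled on the thread, and `Example Corp` is a placeholder for the customer's CA.

```python
"""Check which client CAs a TLS server actually advertises for client
authentication, by parsing the "Acceptable client certificate CA names"
block of an `openssl s_client` transcript, and compare with the CAs you
expect. Added example for this thread; not code from the thread or Strimzi.
"""
import re
import sys

# Constructed sample transcript, modelled on the s_client output in the thread
# (the handshake/debug lines above the block are elided).
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
O = io.strimzi, CN = clients-ca v0
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
"""

# Constructed three-certificate PEM bundle with placeholder bodies; it stands
# in for the chain pasted in the thread and contains no real certificate.
SAMPLE_PEM_BUNDLE = """\
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTIFICATEBASE64==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTIFICATEBASE64==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCERTIFICATEBASE64==
-----END CERTIFICATE-----
"""


def normalize_dn(dn):
    """Reduce a printed distinguished name to an order-independent set of
    (ATTR, value) pairs so the spellings different tools produce compare
    equal: "O = io.strimzi, CN = clients-ca v0" (s_client),
    "CN=clients-ca v0,O=io.strimzi" (RFC 4514 style, as keytool prints) and
    "/O=io.strimzi/CN=clients-ca v0" (older `openssl x509 -subject`).
    A comma escaped as backslash-comma inside a value is kept as a comma."""
    dn = dn.strip()
    if dn.startswith("subject="):
        dn = dn[len("subject="):].strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = re.split(r"(?<!\\),", dn)  # split on commas not preceded by '\'
    pairs = set()
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            continue  # tolerate a stray fragment rather than fail the whole DN
        pairs.add((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return frozenset(pairs)


def advertised_client_cas(s_client_output):
    """Return the DN lines listed under 'Acceptable client certificate CA names'.
    The block ends at the first line without an '=' (e.g. 'Client Certificate
    Types:' or a '---' separator). When the server sends no CA names, openssl
    prints 'No client certificate CA names sent' instead and the result is []."""
    names = []
    collecting = False
    for line in s_client_output.splitlines():
        if not collecting:
            collecting = line.startswith("Acceptable client certificate CA names")
            continue
        if "=" not in line:
            break
        names.append(line.strip())
    return names


def missing_client_cas(s_client_output, expected_dns):
    """Return the expected CA subjects that the server does not advertise."""
    advertised = {normalize_dn(dn) for dn in advertised_client_cas(s_client_output)}
    return [dn for dn in expected_dns if normalize_dn(dn) not in advertised]


def split_pem_bundle(pem_text):
    """Return each certificate of a PEM chain as its own string, in file order,
    so every member can be imported into the truststore separately."""
    return re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_text, re.S
    )


if __name__ == "__main__":
    # Live use: openssl s_client -connect HOST:PORT </dev/null 2>&1 | python3 check_client_cas.py "CN=...,O=..."
    # Without a piped transcript the constructed sample above is used.
    transcript = SAMPLE_S_CLIENT_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    # "Example Corp" is a placeholder for the customer's CA subject.
    expected = sys.argv[1:] or ["CN=clients-ca v0,O=io.strimzi",
                                "CN=Example Customer Root CA,O=Example Corp"]
    for dn in missing_client_cas(transcript, expected):
        print("NOT advertised by the server:", dn)
    print(len(split_pem_bundle(SAMPLE_PEM_BUNDLE)), "certificate(s) in the sample bundle")
```

The DN comparison is deliberately order-insensitive because s_client, keytool and openssl x509 print the same subject in different orders and spacing; a plain string match would report a CA as missing when it is in fact there. One thing worth verifying against your Strimzi version when a CA stays missing after a rolling restart: as far as I recall, the broker start-up script builds the client-authentication truststore only from the keys of the clients CA secret whose names end in .crt, so a key added under a name without that suffix would be mounted into the pod but never imported. That is my recollection of the Strimzi scripts, not something this thread confirms.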