Cluster Linking - Certificate Update

trevorwebster · 3 July 2024 19:49

Good day,

Im attempting to update a cluster link as the certificate will expire at some point. The PEM file we add in the updatecert.txt has the old and new cert, effectively allowing a seamless switchover.

Using the CLI. and the below command. We update the link , no errors.
confluent kafka link configuration update LINK-NAME --config updatecert.txt --cluster lkc-XXXXXXX

The cluster link is updated, then a few minutes after, goes into a UNAVAILABLE State.

The updatecert.txt has two parameters following the documentation from the below link. the certs are formatted onto a single line.
ssl.truststore.type=PEM
ssl.truststore.certificates=

Security Considerations for Cluster Linking on Confluent Cloud | Confluent Documentation

Question: Has anyone uploaded via cli a config file with the PEM formatted to a single line? If so, how did you format the file?

mmuehlbeyer · 4 July 2024 09:35

basically it should be something

ssl.truststore.certificates= -----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIEHIu+WzANBgkqhkiG9w0BAQsFADBbMScwJQYDVQQDDB5SZWdlcnkgU2Vs
Zi1TaWduZWQgQ2VydGlmaWNhdGUxIzAhBgNVBAoMGlJlZ2VyeSwgaHR0cHM6Ly9yZWdlcnkuY29t
MQswCQYDVQQGEwJVQTAgFw0yNDA3MDQwMDAwMDBaGA8yMTI0MDcwNDA5MzMyNVowRzETMBEGA1UE
AwwKZGVtb2NsLmNvbTEjMCEGA1UECgwaUmVnZXJ5LCBodHRwczovL3JlZ2VyeS5jb20xCzAJBgNV
BAYTAlVBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm5RSPYa6dn+7KwjIw1G0UlH/
jvCPmVxJ4VZDVD9nI4+ZtFpdATMp+q2sW8wllWRMtFZTZPtzDA/N+nH33eOJLf1mgYaJfyuzt3FL
crBKpeRLjOIYdmdfR4OqyuFowosuwuaGDaw4b9dRFlk6kMszgdC9/GgZme6XgXAbjWbmWZneoDPA
OFpHXNz1W1Gd4qEGa2r/dUX2Wa/wdgWFJ94n0d2xsD0Fc/YkJwmcWiYan4EhEMhprrWm30G43VK1
2ptFn3pkiW6/9AmBfwxd2MeRaKqeHbmKy4132GWRrjYa8pvCnjsChabc7ZkHKY6o/46UNwGsrLXg
LPIDLPKwOckHfwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV
HQ4EFgQUxALw2rofk6SCFSIKkbexTn3poMEwHwYDVR0jBBgwFoAUxALw2rofk6SCFSIKkbexTn3p
oMEwDQYJKoZIhvcNAQELBQADggEBAJLIl2InKmpk3CWhd/0HBuw5WDjh44PUj9BtSxDgK9srOO5V
46wM3rqCR4Ezc6Xd2+BNh6U8tfCVFVrsaq7KGTMVn8WFrEaM/0dh5zVgYFuhdbj7YBr82zIAX2CX
IbvBCVq3EIUfckfuCYJb8MBQK/fRAnPcHlYOCrVUZ5CTItKjymjrGRsQwpe9muL1T6XM1GLRtq5r
Ci5FO/vbkIXWTCRlq/C5twLXKjYQw1AKZKm4s2JmxEzuOuZfAMgJIrPhIQwWn2s0Z4rUJEwBlOYe
CS3qB+d9gajPzPvszNQ4fOwD2lYHg3wl7wfIhAnah94pXcz3OCygCWrv4+qjSIs3cPY= 
-----END CERTIFICATE-----

see the blanks before the “beging and end certificate”

trevorwebster · 12 July 2024 11:41

Thanks for the feedback, will try with the space before aswell. The documentation looks like so

and then we also have two certs in the file. so wondering if just a formatting thing

trevorwebster · 26 August 2024 09:15

To close the loop here, after a lot of escalating it was identified as a bug only on the confluent cloud cli.

As discussed, you have updated upgraded the confluent cli to latest version(current latest version is 4.0.0) and use /n for new lines. You can succesfully update the link configs with ssl.truststore.certificates containing multi certs

system · 2 September 2024 09:16

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pem Certificate strings to connect to Kafka in .Net client Clients	1	2218	25 March 2024
How to Replace Expired SSL certificates in Confluent Kafka Production Cluster without any downtime Clients	1	8034	16 February 2021
Broker SSL Issue Confluent Cloud	0	947	6 January 2024
SSL Certificate for Kafka running in Confluent Cloud Confluent Cloud	1	2003	14 December 2023
HTTP SINK SSL configuration question Confluent Cloud	0	2857	19 May 2022

Cluster Linking - Certificate Update

Related topics