Hi all,
I'm trying to use the same wild-card certificate for all three brokers for the inter-broker connection, but it's not working. My implementation runs locally using docker. Does anyone know whether this is feasible or not? If it is, please provide an example, or point out the error. Thank you!
For docker-compose, I’m using this: cp-docker-images/docker-compose.yml at 5.1.0-post · confluentinc/cp-docker-images (github.com)
My steps for generating the certificate:
openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 365 -subj '/CN=*.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent
keytool -genkey -noprompt -alias broker -dname "CN=*.test.confluent.io, OU=TEST, O=CONFLUENT, L=PaloAlto, S=Ca, C=US" -keystore kafka.broker.keystore.jks -keyalg RSA -storepass confluent -keypass confluent
keytool -keystore kafka.broker.keystore.jks -alias broker -certreq -file "broker.csr" -storepass confluent -keypass confluent
openssl x509 -req -CA snakeoil-ca-1.crt -CAkey snakeoil-ca-1.key -in "broker.csr" -out "broker-ca1-signed.crt" -days 9999 -CAcreateserial -passin pass:confluent -extensions kafka_ca_extensions -extfile ./openssl.cnf
keytool -keystore kafka.broker.keystore.jks -alias CARoot -import -file snakeoil-ca-1.crt -storepass confluent -keypass confluent
keytool -keystore kafka.broker.keystore.jks -alias broker -import -file "broker-ca1-signed.crt" -storepass confluent -keypass confluent
keytool -keystore kafka.broker.truststore.jks -alias CARoot -import -file snakeoil-ca-1.crt -storepass confluent -keypass confluent
openssl.cnf looks like this:
[ kafka_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
subjectAltName = @kafka_alt_names
[ kafka_alt_names ]
DNS.1 = test.confluent.io
DNS.2 = *.test.confluent.io
Here’s the error from docker:
Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
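The following is an added example, not code from the post above or from Confluent. It rebuilds the same CA plus wildcard broker certificate with openssl alone (no keytool, so it runs without a JDK), then applies the checks that a Java PKIX validator will apply once the keystore is loaded: the leaf chains to the CA, the wildcard is a DNS subjectAltName rather than only a CN, and no certificate in the chain is outside its validity window, which is the condition the "validity check failed" reason in the stack trace reports. It also shows one caveat worth checking in the original steps: a leaf signed for 9999 days still stops validating the day its 365-day CA expires. Assumed names: the openssl binary on PATH, a scratch directory in WORK, and the function and file names, which are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): CA + wildcard broker certificate
# with openssl only, followed by the checks a PKIX validator performs.
# Assumptions: openssl on PATH; WORK is a scratch directory (hypothetical).
set -e
WORK="${WORK:-$(mktemp -d)}"

# Config file: a minimal [req] section so -subj works with any openssl
# version, CA extensions for the self-signed root, and the same broker
# extension sections as in the question. clientAuth is added because the
# same certificate is also presented as a TLS client on inter-broker
# connections when ssl.client.auth is enabled.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_extensions
[ req_dn ]
[ ca_extensions ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ kafka_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @kafka_alt_names
[ kafka_alt_names ]
DNS.1 = test.confluent.io
DNS.2 = *.test.confluent.io
EOF
}

# Self-signed CA valid for 365 days, as in the question (unencrypted key for brevity).
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 \
        -subj '/CN=snakeoil-ca-1/OU=TEST/O=CONFLUENT/C=US' >/dev/null 2>&1
}

# Broker key and CSR, then sign the CSR with the CA for $1 days.
make_broker_cert() {
    days="$1"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -keyout "$WORK/broker.key" -out "$WORK/broker.csr" \
        -subj '/CN=*.test.confluent.io/OU=TEST/O=CONFLUENT/C=US' >/dev/null 2>&1
    openssl x509 -req -in "$WORK/broker.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/broker.crt" -days "$days" \
        -extensions kafka_ca_extensions -extfile "$WORK/openssl.cnf" >/dev/null 2>&1
}

# Check 1: the leaf chains to the CA (this also rejects a not-yet-valid cert).
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/broker.crt" >/dev/null 2>&1
}

# Check 2: the wildcard is present as a DNS SAN; hostname verification ignores the CN.
has_wildcard_san() {
    openssl x509 -in "$WORK/broker.crt" -noout -text | grep -q 'DNS:\*\.test\.confluent\.io'
}

# Check 3: neither certificate has expired right now (-checkend 0 exits 0 if not expired).
currently_valid() {
    openssl x509 -in "$WORK/ca.crt" -noout -checkend 0 >/dev/null &&
    openssl x509 -in "$WORK/broker.crt" -noout -checkend 0 >/dev/null
}

# Check 4 (caveat): true when the leaf is still valid at the moment a CA issued
# for $1 days expires. From that moment the chain fails validation regardless
# of the leaf's own -days value, because every certificate must be in its window.
leaf_outlives_ca() {
    secs=$(( $1 * 86400 ))
    ! openssl x509 -in "$WORK/ca.crt" -noout -checkend "$secs" >/dev/null &&
      openssl x509 -in "$WORK/broker.crt" -noout -checkend "$secs" >/dev/null
}

demo() {
    write_config; make_ca; make_broker_cert 9999
    chain_verifies && echo "chain: ok"
    has_wildcard_san && echo "wildcard SAN: ok"
    currently_valid && echo "not expired now: ok"
    leaf_outlives_ca 365 && echo "caveat: broker cert (9999 days) outlives the 365-day CA"
    echo "files left in $WORK"
}
demo
```

The generated PEM files can be imported with the same keytool -import commands as in the post; running the four checks against the files that were actually loaded into the keystore and truststore, on the clock of the container that reports the error, is what narrows down a validity failure.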