I got `Caused by: unable to find valid certification path to requested target` when I use cp-ksqldb-cli:7.4.1 to connect to the ksqlDB server. The ksqlDB server starts successfully, and I can use ksqldb-cli to connect to the ksqlDB server over HTTP.

These are my CLI commands:

```shell
# ok
ksql http://kafka-ksqldb.kafka.svc.cluster.local:9000 --user fred --password letmein

# shows `Caused by: unable to find valid certification path to requested target`
ksql https://kafka-ksqldb.kafka.svc.cluster.local:9001 --config-file /etc/kafka-ksqldb/cli/ksql-cli.properties --user fred --password letmein
```
Full errors, both sides:

```
# Server side - `ksqldb-0`
[2023-08-20 04:02:31,782] ERROR Unhandled exception (io.confluent.ksql.api.server.ServerVerticle)
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:340)
	at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:186)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
	at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
	at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
	at io.netty.handler.ssl.JdkSslEngine.unwrap(JdkSslEngine.java:92)
	at io.netty.handler.ssl.JdkAlpnSslEngine.unwrap(JdkAlpnSslEngine.java:163)
	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:296)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1343)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:829)
```

```
# Client side
*************************************ERROR**************************************
Remote server at https://kafka-ksqldb.kafka.svc.cluster.local:9001 looks to be
configured to use HTTPS / SSL. Please refer to the KSQL documentation on how to
configure the CLI for SSL:
https://docs.ksqldb.io/en/latest/operate-and-deploy/installation/server-config/security/#configure-the-cli-for-https

The server responded with the following error:
Error issuing GET to KSQL server. path:/info
Caused by: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
Caused by: Failed to create SSL connection
Caused by: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
Caused by: unable to find valid certification path to requested target
********************************************************************************
```
This is my manifest:

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kafka-ksqldb
  namespace: kafka
spec:
  selector:
    matchLabels:
      app: kafka-ksqldb
  serviceName: kafka-ksqldb-headless
  replicas: 2
  template:
    metadata:
      labels:
        app: kafka-ksqldb
    spec:
      containers:
        - name: kafka-ksqldb
          image: confluentinc/cp-ksqldb-server:7.4.1
          env:
            - name: CUB_CLASSPATH
              value: "/usr/share/java/confluent-security/ksql/*:/usr/share/java/ksqldb-server/*:/usr/share/java/cp-base-new/*"
            - name: KSQL_LOG4J_ROOT_LOGLEVEL
              value: INFO
            - name: KSQL_KSQL_SERVICE_ID
              value: ksql-cluster
            - name: KSQL_KSQL_STREAMS_REPLICATION_FACTOR
              value: "2"
            - name: KSQL_KSQL_INTERNAL_TOPIC_REPLICAS
              value: "2"
            - name: KSQL_KSQL_LOGGING_PROCESSING_TOPIC_REPLICATION_FACTOR
              value: "2"
            - name: KSQL_KSQL_LOGGING_PROCESSING_TOPIC_AUTO_CREATE
              value: "true"
            - name: KSQL_KSQL_LOGGING_PROCESSING_STREAM_AUTO_CREATE
              value: "true"
            - name: KSQL_PRODUCER_ENABLE_IDEMPOTENCE
              value: "true"
            - name: KSQL_BOOTSTRAP_SERVERS
              value: kafka.kafka.svc.cluster.local:9092
            - name: KSQL_HOST_NAME
              value: kafka-ksqldb.kafka.svc.cluster.local
            - name: KSQL_LISTENERS
              value: http://0.0.0.0:9000,https://0.0.0.0:9001
            - name: KSQL_CACHE_MAX_BYTES_BUFFERING
              value: "0"
            # High availability
            - name: KSQL_KSQL_STREAMS_NUM_STANDBY_REPLICAS
              value: "1"
            - name: KSQL_KSQL_QUERY_PULL_ENABLE_STANDBY_READS
              value: "true"
            - name: KSQL_KSQL_HEARTBEAT_ENABLE
              value: "true"
            - name: KSQL_KSQL_LAG_REPORTING_ENABLE
              value: "true"
            # Authenticate to brokers and Server SSL
            - name: KSQL_SSL_TRUSTSTORE_LOCATION
              value: /etc/kafka-ksqldb/certs/truststore.jks
            - name: KSQL_SSL_TRUSTSTORE_PASSWORD
              value: root_certs
            - name: KSQL_SSL_KEYSTORE_LOCATION
              value: /etc/kafka-ksqldb/certs/keystore.jks
            - name: KSQL_SSL_KEYSTORE_PASSWORD
              value: kafka-ecosystem-certs
            - name: KSQL_SSL_KEY_PASSWORD
              value: kafka-ecosystem-certs
            - name: KSQL_SSL_ENABLED_PROTOCOLS
              value: "TLSv1.3,TLSv1.2,TLSv1.1"
            - name: KSQL_SSL_CLIENT_AUTHENTICATION
              value: REQUESTED
            # KSQL BASIC Auth
            - name: KSQL_AUTHENTICATION_METHOD
              value: BASIC
            - name: KSQL_AUTHENTICATION_REALM
              value: KsqlServer-Props
            - name: KSQL_AUTHENTICATION_ROLES
              value: admin,developer # "**"
            - name: KSQL_OPTS
              value: -Djava.security.auth.login.config=/etc/kafka-ksqldb/jaas/jaas_config.conf
            # Schema Registry using HTTPS
            - name: KSQL_KSQL_SCHEMA_REGISTRY_URL
              value: https://kafka-schema-registry.kafka.svc.cluster.local:8080
            - name: KSQL_KSQL_SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION
              value: "/etc/kafka-ksqldb/certs/truststore.jks"
            - name: KSQL_KSQL_SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD
              value: root_certs
            # Enable Auth for ksqlDB's embedded Kafka clients that access and manage consumer groups and topics
            - name: KSQL_SECURITY_PROTOCOL
              value: SASL_SSL
            - name: KSQL_SASL_MECHANISM
              value: PLAIN
            - name: KSQL_SASL_JAAS_CONFIG
              value: |
                org.apache.kafka.common.security.plain.PlainLoginModule required \
                username="superuser" \
                password="lr6bVWK";
          resources:
            limits:
              memory: "2Gi"
              cpu: "500m"
          ports:
            - name: ksqldb-http
              containerPort: 9000
            - name: ksqldb-https
              containerPort: 9001
          volumeMounts:
            - name: ksqldb-secret
              mountPath: /etc/kafka-ksqldb/certs/
              readOnly: true
            - name: ksqldb-auth-config
              mountPath: /etc/kafka-ksqldb/jaas/
              readOnly: true
      volumes:
        - name: ksqldb-secret
          secret:
            secretName: kafka-ksqldb-secret
        - name: ksqldb-auth-config
          configMap:
            name: kafka-ksqldb-auth-config
```
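As an added diagnostic (not part of the post above and not ksqlDB's own code): a small Java program that runs the same PKIX path validation the CLI's JDK TLS client runs, but offline, against the server keystore from the manifest and the truststore named in the CLI's ksql-cli.properties. Taking the two store paths and passwords as command-line arguments is an assumption of this example, as is that the server keystore holds the full chain the server presents on port 9001.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class TrustPathCheck {
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // modern JDKs also read PKCS12 through this type
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password.toCharArray()); }
        return ks;
    }
    // The chain the server presents: its first private-key entry's certificate chain, leaf first.
    static List<X509Certificate> serverChain(KeyStore serverKs) throws Exception {
        for (String alias : Collections.list(serverKs.aliases())) {
            if (!serverKs.isKeyEntry(alias)) continue;
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : serverKs.getCertificateChain(alias)) chain.add((X509Certificate) c);
            return chain;
        }
        throw new IllegalStateException("no private-key entry in server keystore");
    }

    // The PKIX path validation the JDK TLS client runs before reporting "PKIX path building failed".
    static String validate(List<X509Certificate> chain, KeyStore trust) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>(); Set<Certificate> trusted = new HashSet<>();
        for (String alias : Collections.list(trust.aliases())) {
            Certificate c = trust.getCertificate(alias);
            if (c instanceof X509Certificate) { anchors.add(new TrustAnchor((X509Certificate) c, null)); trusted.add(c); }
        }
        if (anchors.isEmpty()) return "FAIL: truststore holds no certificates";
        List<X509Certificate> path = new ArrayList<>(chain);
        while (path.size() > 1 && trusted.contains(path.get(path.size() - 1))) path.remove(path.size() - 1); // drop a trailing root that is already an anchor
        PKIXParameters params = new PKIXParameters(anchors); params.setRevocationEnabled(false); // chaining only
        try {
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(cp, params);
            return "OK: anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            return "FAIL: " + e.getMessage() + " (reason " + e.getReason() + ", cert index " + e.getIndex() + ")";
        }
    }

    public static void main(String[] args) throws Exception { // <server keystore> <pass> <CLI truststore> <pass>
        List<X509Certificate> chain = serverChain(load(args[0], args[1]));
        System.out.println("server leaf: " + chain.get(0).getSubjectX500Principal() + " issued by " + chain.get(0).getIssuerX500Principal());
        System.out.println("SANs: " + chain.get(0).getSubjectAlternativeNames()); // must include the host used in the ksql URL
        System.out.println(validate(chain, load(args[2], args[3])));
    }
}
```

A FAIL with reason NO_TRUST_ANCHOR means the CLI truststore lacks the CA that issued the server certificate, which is exactly what the client-side error above reports; an OK here leaves the SAN list as the remaining thing to check against the host in the ksql URL.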