Hi,
Filename and credentials are set in the example config you provide which I used (kafka/docker/examples/docker-compose-files/cluster/isolated/ssl/docker-compose.yml at 88f0440066771202b9d6c979d6c45e806971d77d · confluentinc/kafka · GitHub).
This very discrepancy between examples and documentation is what makes this so confusing and hard to follow.
I explicitly set my keystore to be located at /etc/kafka/secrets/ because that's what the example did.
I had relative paths before, but happy to try again with absolute ones.
Re SSL - I will give that a try too, but then I have to wonder why that is not set in the first place in an SSL example?
Thanks
Edit1:
When I provide the location with
-e KAFKA_SSL_TRUSTSTORE_LOCATION='/etc/kafka/secrets/truststore_int.pfx' \
it basically behaves like when I don't provide the location at all (since it's now looking at /etc/kafka/secrets//etc/kafka/secrets/truststore_int.pfx, which does not exist).
The error I am getting then is:
the trustAnchors parameter must be non-empty for configuration
[2025-01-07 07:55:23,477] INFO [BrokerServer id=4] Transition from STARTING to STARTED (kafka.server.BrokerServer)
[2025-01-07 07:55:23,479] ERROR [BrokerServer id=4] Fatal error during broker startup. Prepare to shutdown (kafka.server.BrokerServer)
org.apache.kafka.common.config.ConfigException: Invalid value java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty for configuration A client SSLEngine created with the provided settings can’t connect to a server SSLEngine created with those settings.
at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:103)
at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:70)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:107)
at kafka.network.Processor.<init>(SocketServer.scala:977)
at kafka.network.Acceptor.newProcessor(SocketServer.scala:882)
at kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:852)
at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
at kafka.network.Acceptor.addProcessors(SocketServer.scala:851)
at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:525)
at kafka.network.SocketServer.createDataPlaneAcceptorAndProcessors(SocketServer.scala:253)
at kafka.network.SocketServer.$anonfun$new$31(SocketServer.scala:177)
at kafka.network.SocketServer.$anonfun$new$31$adapted(SocketServer.scala:177)
at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:619)
at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:617)
at scala.collection.AbstractIterable.foreach(Iterable.scala:935)
at kafka.network.SocketServer.<init>(SocketServer.scala:177)
at kafka.server.BrokerServer.startup(BrokerServer.scala:253)
at kafka.server.KafkaRaftServer.$anonfun$startup$2(KafkaRaftServer.scala:97)
at kafka.server.KafkaRaftServer.$anonfun$startup$2$adapted(KafkaRaftServer.scala:97)
at scala.Option.foreach(Option.scala:437)
at kafka.server.KafkaRaftServer.startup(KafkaRaftServer.scala:97)
at kafka.Kafka$.main(Kafka.scala:112)
at kafka.Kafka.main(Kafka.scala)
[2025-01-07 07:55:23,484] INFO [BrokerServer id=4] Transition from STARTED to SHUTTING_DOWN (kafka.server.BrokerServer)
which I read as “Can't find truststore”, which is why I added the location.
Now, when following the linked general documentation on how to set up SSL:
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
It errors out right away with
===> User
uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
===> Configuring ...
Running in KRaft mode...
SSL is enabled.
KAFKA_SSL_KEYSTORE_FILENAME is required.
Command [/usr/local/bin/dub ensure KAFKA_SSL_KEYSTORE_FILENAME] FAILED !
I then add the filename, only to get
===> User
uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
===> Configuring ...
Running in KRaft mode...
SSL is enabled.
KAFKA_SSL_KEY_CREDENTIALS is required.
Command [/usr/local/bin/dub ensure KAFKA_SSL_KEY_CREDENTIALS] FAILED !
And that goes on to KAFKA_SSL_KEYSTORE_CREDENTIALS, which then turns into the same issue we had before:
java.nio.file.NoSuchFileException: truststore_int.pfx
[2025-01-07 08:10:38,781] ERROR Exiting Kafka due to fatal exception during startup. (kafka.Kafka$)
org.apache.kafka.common.KafkaException: Failed to load SSL keystore truststore_int.pfx of type PKCS12
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:382)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.<init>(DefaultSslEngineFactory.java:354)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.createTruststore(DefaultSslEngineFactory.java:327)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.configure(DefaultSslEngineFactory.java:171)
at org.apache.kafka.common.security.ssl.SslFactory.instantiateSslEngineFactory(SslFactory.java:141)
at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:98)
at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:70)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:107)
at kafka.network.Processor.<init>(SocketServer.scala:977)
at kafka.network.Acceptor.newProcessor(SocketServer.scala:882)
at kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:852)
at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
at kafka.network.Acceptor.addProcessors(SocketServer.scala:851)
at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:525)
at kafka.network.SocketServer.createDataPlaneAcceptorAndProcessors(SocketServer.scala:253)
at kafka.network.SocketServer.$anonfun$new$31(SocketServer.scala:177)
at kafka.network.SocketServer.$anonfun$new$31$adapted(SocketServer.scala:177)
at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:619)
at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:617)
at scala.collection.AbstractIterable.foreach(Iterable.scala:935)
at kafka.network.SocketServer.<init>(SocketServer.scala:177)
at kafka.server.BrokerServer.startup(BrokerServer.scala:253)
at kafka.server.KafkaRaftServer.$anonfun$startup$2(KafkaRaftServer.scala:97)
at kafka.server.KafkaRaftServer.$anonfun$startup$2$adapted(KafkaRaftServer.scala:97)
at scala.Option.foreach(Option.scala:437)
at kafka.server.KafkaRaftServer.startup(KafkaRaftServer.scala:97)
at kafka.Kafka$.main(Kafka.scala:112)
at kafka.Kafka.main(Kafka.scala)
Caused by: java.nio.file.NoSuchFileException: truststore_int.pfx
at java.base/sun.nio.fs.UnixException.translateToIOException(Unknown Source)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(Unknown Source)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(Unknown Source)
at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(Unknown Source)
at java.base/java.nio.file.Files.newByteChannel(Unknown Source)
at java.base/java.nio.file.Files.newByteChannel(Unknown Source)
at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(Unknown Source)
at java.base/java.nio.file.Files.newInputStream(Unknown Source)
at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:375)
… 28 more
Edit2:
Wrt controller SSL -
Now the example does not provide a KAFKA_LISTENER_SECURITY_PROTOCOL_MAP
for the controller at all.
Do you want me to add that variable there or adjust the one in the Kafka config?
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP='CONTROLLER:SSL,PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT'
But how would the controller then know it's supposed to accept SSL?
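A preflight check for the environment-variable combination the post walks through, added here as an example and not code from the post or from the Kafka/Confluent image. It assumes the image glues /etc/kafka/secrets/ onto every value exactly as the poster's double-path log shows and that the *_CREDENTIALS variables name password files under that same directory; the demo uses a throwaway directory in place of the real mount.

```python
import os
import tempfile

# Mount point used by the example compose file and the poster's docker run.
SECRETS_DIR = "/etc/kafka/secrets"
# Variables the image's `dub ensure` step rejected, in the order the post hit them.
REQUIRED = ("KAFKA_SSL_KEYSTORE_FILENAME", "KAFKA_SSL_KEY_CREDENTIALS",
            "KAFKA_SSL_KEYSTORE_CREDENTIALS")
# Values that must be bare filenames resolved under SECRETS_DIR (assumption: the
# *_CREDENTIALS variables name password files kept in that same directory).
FILE_VARS = REQUIRED + ("KAFKA_SSL_TRUSTSTORE_FILENAME", "KAFKA_SSL_TRUSTSTORE_CREDENTIALS")

def image_path(secrets_dir, value):
    """Join the way the poster's log shows: the prefix is prepended verbatim, so an
    absolute value turns into /etc/kafka/secrets//etc/kafka/secrets/... (assumed)."""
    return secrets_dir + "/" + value

def preflight(env, secrets_dir=SECRETS_DIR):
    """Return the problems the broker would trip over; an empty list means none found."""
    problems = [f"{var} is required" for var in REQUIRED if not env.get(var)]
    for var in FILE_VARS:
        value = env.get(var)
        if not value:
            continue
        if value.startswith("/"):
            problems.append(f"{var} must be a bare filename, not an absolute path")
        elif not os.path.isfile(image_path(secrets_dir, value)):
            problems.append(f"{var}: {image_path(secrets_dir, value)} does not exist")
    # The post's first attempt: an absolute *_LOCATION gets the prefix glued on again.
    loc = env.get("KAFKA_SSL_TRUSTSTORE_LOCATION")
    if loc and loc.startswith("/"):
        problems.append(f"KAFKA_SSL_TRUSTSTORE_LOCATION would be read from "
                        f"{image_path(secrets_dir, loc)}; set KAFKA_SSL_TRUSTSTORE_FILENAME")
    return problems

def demo():
    """Constructed scenario: a throwaway directory stands in for the secrets mount."""
    names = ("broker.pfx", "key_creds", "keystore_creds", "truststore_int.pfx", "truststore_creds")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            open(os.path.join(d, name), "w").close()
        good = dict(zip(FILE_VARS, names))          # bare filenames, all present
        bad = {"KAFKA_SSL_TRUSTSTORE_LOCATION": "/etc/kafka/secrets/truststore_int.pfx"}
        return preflight(good, d), preflight(bad, d)

if __name__ == "__main__":
    for label, found in zip(("filename-style env", "absolute LOCATION only"), demo()):
        print(f"{label}: {found or 'OK'}")
```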