can i use lets encrypt or my pki as cluster and clients CA?

[sorushsaghari]

Hello as you have explained in this documetn:
https://strimzi.io/docs/operators/latest/configuring.html#installing-your-own-ca-certificates-str
i can use letsencrpy or an ca as cluster and clients ca but in this issue:
#2295
you have explained that we are just able to use it as external listener wildcard ca.

plus while trying to replace cluster ca with letsencrypt as tls.crt and tls.key zookeeper crashesh with this err:

Detected Zookeeper ID 3
Preparing truststore
Adding /opt/kafka/cluster-ca-certs/ca.crt to truststore /tmp/zookeeper/cluster.truststore.p12 with alias ca
Certificate was added to keystore
Preparing truststore is complete
Looking for the right CA
No CA found. Thus exiting.

[scholzj]

The docs do not suggest anything about using Let's Encrypt as the Cluster CA. Public CAs such as Let's Encrypt are unsuitable for such task because they cannot secure internal domain names within your Kubernetes cluster. If you want to use Let's Encrypt, you normally use it for the listener certificate with some external listener.

[sorushsaghari]

thanks for your answer.
now the question is that how can i add a CA created by my PKI or simply by an Openssl command for test, that Zookeper dosent throw this execption?

[scholzj]

If it is your private PKI, then follow the docs for configuring a custom CA.

[sorushsaghari]

plus i have tested the listener certificate but i have tls handshake err. could you please guide me to debug it ?

SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /10.0.33.152 (SSL handshake failed) (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-0-ListenerName(EXTERNAL-9094)-SASL_SSL-8]

kafka manifest:

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
spec:
  kafka:
    version: 3.0.0
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: external
        port: 9094
        type: nodeport
        tls: true
        authentication:
          type: scram-sha-512
        configuration:
          brokerCertChainAndKey:
            certificate: tls.crt
            key: tls.key
            secretName: domainsecret
          brokers:
            - broker: 0
              advertisedHost: domain0
              advertisedPort: 31775
            - broker: 1
              advertisedHost: domain1
              advertisedPort: 31629
            - broker: 2
              advertisedHost: domain2
              advertisedPort: 31852
    config:
      auto.create.topics.enable: false
      inter.broker.protocol.version: "3.0"
      log.message.format.version: "3.0"
      offsets.topic.replication.factor: 3
      transaction.state.log.min.isr: 2
      transaction.state.log.replication.factor: 3
    storage:
      class: rawfile-1
      deleteClaim: true
      size: 5Gi
      type: persistent-claim
    authorization:
      type: simple
    jvmOptions:
      -Xms: 2048m
      -Xmx: 2048m
    resources:
      limits:
        cpu: "2"
        ephemeral-storage: 2Gi
        memory: 4Gi
      requests:
        cpu: "2"
        ephemeral-storage: 2Gi
        memory: 4Gi
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          key: kafka-metrics-config.yml
          name: test-auth-kafka-config
    template:
      pod:
        affinity:
          nodeAffinity: {}
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - podAffinityTerm:
                  labelSelector:
                    matchLabels:
                      strimzi.io/cluster: test-auth-kafka-cluster
                      strimzi.io/name: test-auth-kafka-cluster-kafka
                  topologyKey: kubernetes.io/hostname
                weight: 100
        tolerations:
          - effect: NoSchedule
            key: nodepool
            operator: Equal
            value: ""
  zookeeper:
    replicas: 3
    storage:
      class: rawfile-1
      deleteClaim: true
      size: 2Gi
      type: persistent-claim
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          key: zookeeper-metrics-config.yml
          name: test-auth-kafka-config
    template:
      pod:
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - podAffinityTerm:
                  labelSelector:
                    matchLabels:
                      strimzi.io/cluster: test-auth-kafka-cluster
                      strimzi.io/name: test-auth-kafka-cluster-zookeeper
                  topologyKey: kubernetes.io/hostname
                weight: 100
  entityOperator:
    topicOperator: {}
    userOperator: {}
  kafkaExporter:
    groupRegex: .*
    topicRegex: .*
metadata:
  name: test-auth-kafka-cluster
  namespace: test

[scholzj]

That suggests your client is misconfigured or does not trust the certificate you configured there.

[sorushsaghari]

thanks for your answer. listener tls worked an the problem was with client config.
i still have problem with the pki and cluster CA. i still have the same err