SSL handshake failed

[nvnk3]

Hello,

I have installed amq-streams operator in openshift, and also configured listener with route and tls on 9094, and also using custom certificate and key in brokerCertChainAndKey section, and made generateCertificateAuthority: false for clientsCa.

I also created clientCa like below ( I used the same key and crt that I used in brokerCertChainAndKey for testing.)

When I try to connect from Aws lamba kafka client, I added certificate and privateKey in this section "Secrets Manager key" and root ca in this section "Encryption" like it showed in the below image.

Now aws kafka client shows this msg:

PROBLEM: Server failed to authenticate Lambda or Lambda failed to authenticate server.

Can you please help me to debug this further? I'm also pasting kafka and kafkaUser resources

[scholzj]

I have no idea about how is your client configured or how does it work. You should probably start with the regular Kafka Java Consumer / Producer APIs as they are well known. It is also not really clear how you actually create the user certificate or how you configure the certificates in your client. So I think you will need to go into a bit more detail to explain what and how you do.

[nvnk3]

[scholzj]

I think you still need to properly describe what you did on the Kafka side and how did you created the Kafka user etc.

[scholzj]

You should also share how you configure the client.

[nvnk3]

[scholzj]

I generated kafka.client.keystore.jks and kafka.client.truststore.jks using certificate and key used in brokerCertChainAndKey in the Kafka resource yaml along with root CA for testing.

The user certificate / keystore has to be a certificate signed by the Clients CA. It has nothing to do with the listener server certificate.

You can find the KafkaUser yaml below, since I'm using custom certificates, I used authentication type as tls-external, so it won't generate any user certificates.

That does not answer the question about how you generated the certificate. This certificate is what you need to use in the keystore. It also should have in the subject only the common name with the name of the KafkaUser. So CN=vcosmq. You do not have such certificate in your client log.

[nvnk3]

[scholzj]

I'm afraid I cannot really answer that. Could be somethinf else is using the consumer group? The messages are already consumed and committed? That is hard to say.