Ingress access SSL with error: unable to find valid certification path to requested target

[ledoc]

Hello everyone

i'm starting to play with kafka on kubernetes, little by little adding features and now i'm stuck on SSL access via an Ingress

I've set up a GKE cluster on GCP with a nginx ingress controller in load-balancer service and the A records towards its IP needed for DNS lookup (bootstrap.example.com, broker-{0,1,2}.example.com

I've installed operator v0.37

I've deployed this kafka:

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  labels:
    app: my-cluster
  name: my-cluster
  namespace: kafka
spec:
  kafka:
    version: 3.5.1
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: ingress
        tls: true
        authentication:
          type: tls
        configuration:
          bootstrap:
            host: bootstrap.example.com
          brokers:
          - broker: 0
            host: broker-0.example.com
          - broker: 1
            host: broker-1.example.com
          - broker: 2
            host: broker-2.example.com
          class: nginx
    authorization:
      type: simple
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      default.replication.factor: 1
      min.insync.replicas: 1
      inter.broker.protocol.version: "3.5"
    storage:
      type: jbod
      volumes:
      - id: 0
        type: persistent-claim
        size: 10Gi
        deleteClaim: false
  zookeeper:
    replicas: 1
    storage:
      type: persistent-claim
      size: 10Gi
      deleteClaim: false
  entityOperator:
    topicOperator: {}
    userOperator: {}          

I've deployed this topic:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: my-topic
  labels:
    strimzi.io/cluster: my-cluster
spec:
  replicas: 3
  partitions: 12

I've deployed this User (god):

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: "*"
          patternType: literal
        operations:
          - All
      - resource:
          type: cluster
          name: "*"
          patternType: literal
        operations:
          - All  
      - resource:
          type: group
          name: "*"
          patternType: literal
        operations:
          - Read

I set up a client.properties with this little script:

CLUSTER_NAME=my-cluster-kafka
SECRET_NAME=my-user
NAMESPACE=kafka
kubectl get secret $SECRET_NAME -n $NAMESPACE -o jsonpath='{.data.user\.p12}' | base64 -d > user.p12
password_user=$(kubectl get secret $SECRET_NAME -n $NAMESPACE -o jsonpath='{.data.user\.password}' | base64 --decode)

SECRET_NAME=$CLUSTER_NAME-cluster-ca-cert

kubectl get secret $SECRET_NAME -n $NAMESPACE -o jsonpath='{.data.ca\.p12}' | base64 -d > ca.p12
password_ca=$(kubectl get secret $SECRET_NAME -n $NAMESPACE -o jsonpath='{.data.ca\.password}' | base64 -d)

# Create client.properties
cat <<EOF > client.properties
bootstrap.servers=$CLUSTER_NAME-kafka-bootstrap:9093
security.protocol=SSL
ssl.truststore.location=/tmp/ca.p12
ssl.truststore.password=$password_ca
ssl.keystore.location=/tmp/user.p12
ssl.keystore.password=$password_user
EOF

Then I tested a producer and a consumer internally in the kubenertes cluster, which worked perfectly.
producer test:

kubectl run kafka-producer -n kafka --restart='Never' --image=quay.io/strimzi/kafka:0.37.0-kafka-3.5.1 --namespace kafka --command -- sleep infinity
kubectl cp client.properties kafka/kafka-producer:/tmp/client.properties
kubectl cp ./user.p12 kafka/kafka-producer:/tmp/user.p12
kubectl cp ./ca.p12 kafka/kafka-producer:/tmp/ca.p12
kubectl exec --tty -i kafka-producer --namespace kafka -- bash

# In container
BOOTSTRAP_SERVER=my-cluster-kafka-bootstrap:9093
TOPIC="my-topic"

bin/kafka-console-producer.sh --producer.config /tmp/client.properties \
--bootstrap-server $BOOTSTRAP_SERVER --topic $TOPIC

but when I change the bootstrap-server to bootstrap.example.com, the external access with BOOTSTRAP_SERVER=bootstrap.example.com:443, I get this stacktrace:

[2023-10-04 10:03:22,369] ERROR [Consumer clientId=console-consumer, groupId=console-consumer-74360] Connection to node -1 (bootstrap.example.com/xx.xx.xx.xx:443) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2023-10-04 10:03:22,375] WARN [Consumer clientId=console-consumer, groupId=console-consumer-74360] Bootstrap broker bootstrap.example.com:443 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient)
[2023-10-04 10:03:22,388] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
        at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:435)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:523)
        at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:373)
        at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:293)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:571)
        at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:280)
        at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:230)
        at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:265)
        at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:240)
        at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.coordinatorUnknownAndUnreadySync(ConsumerCoordinator.java:499)
        at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:531)
        at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1288)
        at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1247)
        at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1227)
        at kafka.tools.ConsoleConsumer$ConsumerWrapper.receive(ConsoleConsumer.scala:474)
        at kafka.tools.ConsoleConsumer$.process(ConsoleConsumer.scala:103)
        at kafka.tools.ConsoleConsumer$.run(ConsoleConsumer.scala:77)
        at kafka.tools.ConsoleConsumer$.main(ConsoleConsumer.scala:54)
        at kafka.tools.ConsoleConsumer.main(ConsoleConsumer.scala)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
        ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 35 more
Processed a total of 0 messages

I've been looking for a solution to my problem without success

And what do you see as my problem?

[scholzj]

You should check what certificate it returns. You can do it with openssl s_client for example. This might be an issue with disabled TLS Passthrough in Ingress, in which case it would return its own certificate instead of the broker certificate and cause this error.

[ledoc]

thx @scholzj
I've been reading you a lot over the last 2 days, I wish you were one of my office mates right now :)

You're right, it's the kubernetes fake :(

openssl s_client -connect bootstrap.example.com:443

CONNECTED(00000003)
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
   i:O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate

I have my ingress in ssl-pasthrough though

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
....

how do I "force" the use of strimzi's certificate?

[scholzj]

The Ingress annotations are fine. But you need to enable it in also in the Ingress deployment / command:

/nginx-ingress-controller
...
--enable-ssl-passthrough
...

[ledoc]

You're right again !

I didn't remember that it had to be activated in the ingress controller, I thought it was the default.

For an installation with nginx-ingress-controller helm, just add this property:

--set controller.extraArgs.enable-ssl-passthrough=""

Thanks for your responsiveness @scholzj , it's great, I'll be able to move towards a clean kafka configuration with strimzi

[scholzj]

Glad it works 👍