Azure AKS nginx SSL handshake error

[roman5595]

Hi, we are running kafka cluster deployed with strimzi operator on Azure AKS cluster.
I need to create access outside of k8s cluster for dev team, so I obtained ca.crt and created truststore like so :

kubectl get secret cluster-name-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
keytool -import -trustcacerts -alias root -file ca.crt -keystore truststore.jks -storepass password -noprompt

When I use this truststore.jks in my offset explorer, im getting SSL Handshake error :

DEBUG LOG :

18:26:02.919 [kafka-admin-client-thread | adminclient-1] INFO  org.apache.kafka.common.network.Selector - [AdminClient clientId=adminclient-1] Failed authentication with b1.kafka.prosoft.local/20.229.254.148 (SSL handshake failed)
18:26:02.919 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Node -1 disconnected.
18:26:02.919 [kafka-admin-client-thread | adminclient-1] WARN  org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165) ~[?:1.8.0_232]
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:448) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:313) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) ~[?:1.8.0_232]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) ~[?:1.8.0_232]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_232]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:402) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:484) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:1.8.0_232]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:1.8.0_232]
	at sun.security.validator.Validator.validate(Validator.java:262) ~[?:1.8.0_232]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330) ~[?:1.8.0_232]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:289) ~[?:1.8.0_232]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:1.8.0_232]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626) ~[?:1.8.0_232]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_232]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_232]

Here is Kafka config :

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  annotations:
  generation: 7
  name: xxx-cluster
  namespace: kafka
spec:
  entityOperator:
    topicOperator: {}
    userOperator: {}
  kafka:
    config:
      log.message.format.version: "3.1"
      offsets.topic.replication.factor: 3
      transaction.state.log.min.isr: 2
      transaction.state.log.replication.factor: 3
    listeners:
    - name: plain
      port: 9092
      tls: false
      type: internal
    - name: tls
      port: 9093
      tls: true
      type: internal
    - authentication:
        type: tls
      configuration:
        bootstrap:
          host: bootstrap.kafka.xxx.local
        brokerCertChainAndKey:
          certificate: user.crt
          key: user.key
          secretName: external-connect
        brokers:
        - broker: 0
          host: b0.kafka.xxx.local
        - broker: 1
          host: b1.kafka.xxx.local
        - broker: 2
          host: b2.kafka.xxx.local
        class: nginx
      name: external
      port: 9095
      tls: true
      type: ingress
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          key: xxx-cluster-kafka-jmx-exporter-configuration.yaml
          name: xxx-cluster-kafka-jmx-exporter-configuration
    replicas: 3
    storage:
      type: jbod
      volumes:
      - id: 0
        size: 15Gi
        type: persistent-claim
    template:
      pod:
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                  - key: strimzi.io/name
                    operator: In
                    values:
                    - xxx-cluster-kafka
                topologyKey: topology.kubernetes.io/zone
              weight: 1
    version: 3.1.0
  kafkaExporter: {}

Here is Kafka user :

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  annotations:
  generation: 5
  labels:
    strimzi.io/cluster: xxx-cluster
  name: external-connect
  namespace: kafka
spec:
  authentication:
    type: tls
status:
  conditions:
    status: "True"
    type: Ready
  observedGeneration: 5
  secret: external-connect
  username: CN=external-connect

Here is Listeners config :

##########
# Common listener configuration
##########
listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092,TLS-9093://0.0.0.0:9093,EXTERNAL-9095://0.0.0.0:9095
advertised.listeners=CONTROLPLANE-9090://xxx-cluster-kafka-1.xxx-cluster-kafka-brokers.kafka.svc:9090,REPLICATION-9091://xxx-cluster-kafka-1.xxx-cluster-kafka-brokers.kafka.svc:9091,
PLAIN-9092://xxx-cluster-kafka-1.xxx-cluster-kafka-brokers.kafka.svc:9092,TLS-9093://xxx-cluster-kafka-1.xxx-cluster-kafka-brokers.kafka.svc:9093,EXTERNAL-9095://b1.kafka.xxx.local:443
listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,PLAIN-9092:PLAINTEXT,TLS-9093:SSL,EXTERNAL-9095:SSL
control.plane.listener.name=CONTROLPLANE-9090
inter.broker.listener.name=REPLICATION-9091
sasl.enabled.mechanisms=
ssl.secure.random.implementation=SHA1PRNG
ssl.endpoint.identification.algorithm=HTTPS

##########
# Listener configuration: EXTERNAL-9095
##########
listener.name.external-9095.ssl.client.auth=required
listener.name.external-9095.ssl.truststore.location=/tmp/kafka/clients.truststore.p12
listener.name.external-9095.ssl.truststore.password=${CERTS_STORE_PASSWORD}
listener.name.external-9095.ssl.truststore.type=PKCS12

listener.name.external-9095.ssl.keystore.location=/tmp/kafka/custom-external-9095.keystore.p12
listener.name.external-9095.ssl.keystore.password=${CERTS_STORE_PASSWORD}
listener.name.external-9095.ssl.keystore.type=PKCS12

Here is ingress for for external access :

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  generation: 5
  labels:
    app.kubernetes.io/instance: xxx-cluster
    app.kubernetes.io/managed-by: strimzi-cluster-operator
    app.kubernetes.io/name: kafka
    app.kubernetes.io/part-of: strimzi-xxx-cluster
    strimzi.io/cluster: xxx-cluster
    strimzi.io/kind: Kafka
    strimzi.io/name: xxx-cluster-kafka
  name: xxx-cluster-kafka-external-bootstrap
  namespace: kafka
  ownerReferences:
  - apiVersion: kafka.strimzi.io/v1beta2
    blockOwnerDeletion: false
    controller: false
    kind: Kafka
    name: xxx-cluster
spec:
  ingressClassName: nginx
  rules:
  - host: bootstrap.kafka.xxx.local
    http:
      paths:
      - backend:
          service:
            name: xxx-cluster-kafka-external-bootstrap
            port:
              number: 9095
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - bootstrap.kafka.xxx.local
status:
  loadBalancer:
    ingress:
    - ip: <IP_ADDRESS>

Generated Secret for external-connect(KafkaUser) :

apiVersion: v1
data:
  ca.crt: <DATA>
  user.crt: <DATA>
  user.key: <DATA>
  user.password: <DATA>
kind: Secret
metadata:
  labels:
    app.kubernetes.io/instance: external-connect
    app.kubernetes.io/managed-by: strimzi-user-operator
    app.kubernetes.io/name: strimzi-user-operator
    app.kubernetes.io/part-of: strimzi-external-connect
    strimzi.io/cluster: nghis-cluster
    strimzi.io/kind: KafkaUser
  name: external-connect
  namespace: kafka
  ownerReferences:
  - apiVersion: kafka.strimzi.io/v1beta2
    blockOwnerDeletion: false
    controller: false
    kind: KafkaUser
    name: external-connect
type: Opaque

Nginx controller config :

spec:
  containers:
  - args:
    - /nginx-ingress-controller
    - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
    - --election-id=ingress-nginx-leader
    - --controller-class=k8s.io/ingress-nginx
    - --ingress-class=nginx
    - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
    - --tcp-services-configmap=$(POD_NAMESPACE)/ingress-nginx-tcp
    - --validating-webhook=:8443
    - --validating-webhook-certificate=/usr/local/certificates/cert
    - --validating-webhook-key=/usr/local/certificates/key
    - --enable-ssl-passthrough
    ```

have enabled ssl-passtrough on nginx controller, and i also have(hopefully) correct annotations on my ingress resource :

 ingress.kubernetes.io/ssl-passthrough: "true"
 nginx.ingress.kubernetes.io/backend-protocol: HTTPS
 nginx.ingress.kubernetes.io/ssl-passthrough: "true

I found this issue : https://github.com/orgs/strimzi/discussions/8121 , it seems to be related, so I think there is issue with ingress in some way, unfortunately nginx for azure does not have same annotations as mentioned in issue 8121, here is list of annotations for azure :
https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#loadbalancer-annotations

Any help is much appreciated.

Thank you.

EDIT:

openssl s_client -connect bootstrap.kafka.xxx.local:443

this is giving me result of :

CONNECTED(00000003)
depth=0 CN = external-connect
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = external-connect
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = external-connect
verify return:1

SSL handshake has read 1711 bytes and written 441 bytes
Verification error: unable to verify the first certificate

[scholzj]

I think openssl s_client -connect bootstrap.kafka.xxx.local:443 is wrong -> you have to do something like this:

openssl s_client -connect bootstrap.kafka.xxx.local:443 -servername bootstrap.kafka.xxx.local

To trigger the TLS-SNI mechanism used.

There is one other thing that is wrong. You have this in the listener configuration:

        brokerCertChainAndKey:
          certificate: user.crt
          key: user.key
          secretName: external-connect

That tells the operator that this listener should use a custom server certificate that you provide in the secret. Not sure where you got this certificate, but you should use what ever signed this or the user.crt in your truststore and not the Strimzi CA.

[roman5595]

When i deleted :

  brokerCertChainAndKey:
          certificate: user.crt
          key: user.key
          secretName: external-connect 

from kafka resource , and i used ca.crt for truststore, im still getting SSL handshake error, when i tried to use this brokercertchain and instead of ca.crt i used user.crt, i still received SSL handshake error

However what i noticed is , that when i removed this brokerCertChainAndKey: and used ca.crt, Offset Explorer DEBUG logs are :

20:56:56.115 [kafka-admin-client-thread | adminclient-1] ERROR org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Connection to node -1 (bootstrap.kafka.prosoft.local/20.229.254.148:443) failed authentication due to: SSL handshake failed
20:56:56.115 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Requesting metadata update.
20:56:56.115 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Metadata is not usable: failed to get metadata.
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165) ~[?:1.8.0_232]
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:448) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:313) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]

there is not :

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

anymore

[scholzj]

I think start is to use the OpenSSL client and see what certificates are you getting. If you removed the custom listener certificate, then the truststore should be in general good. You of course also have to configure it correctly in the client.

[scholzj]

You could also use in the Java client the systme propert javax.net.debug=ssl and it should give you some more detail abotu the TLS handshake directly in your client.

[roman5595]

I can see this in my kafka server logs every time when i try to authenticate with my client this log : (172.26.3.94 is address of my nginx controller)

2023-11-26 08:12:36,262 INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /172.26.3.94 (SSL handshake failed) 
(org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-0-ListenerName(EXTERNAL-9095)-SS ││ L-12]

When I tried to open https://bootstrap.kafka.xxx.local from my browser I can see 2 certs in this chain:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: xxx-cluster-kafka

Issuer: cluster-ca v0

Expires on: Jun 26, 2024

Current date: Nov 26, 2023

PEM encoded chain:
-----BEGIN CERTIFICATE-----
<CONTENT_OF_CERT1>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CONTENT_OF_CERT2>
-----END CERTIFICATE-----

openssl s_client -connect bootstrap.kafka.xxx.local:443 -servername bootstrap.kafka.xxx.local
CONNECTED(00000003)
depth=1 O = io.strimzi, CN = cluster-ca v0
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 O = io.strimzi, CN = cluster-ca v0
verify return:1
depth=0 O = io.strimzi, CN = xxx-cluster-kafka
verify return:1
---
Certificate chain
 0 s:O = io.strimzi, CN = xxx-cluster-kafka
   i:O = io.strimzi, CN = cluster-ca v0
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA512
   v:NotBefore: Jun 27 12:00:56 2023 GMT; NotAfter: Jun 26 12:00:56 2024 GMT
 1 s:O = io.strimzi, CN = cluster-ca v0
   i:O = io.strimzi, CN = cluster-ca v0
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA512
   v:NotBefore: Jun 27 08:21:53 2023 GMT; NotAfter: Jun 26 08:21:53 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<CONTENT_OF_CERT1>
-----END CERTIFICATE-----
subject=O = io.strimzi, CN = xxx-cluster-kafka
issuer=O = io.strimzi, CN = cluster-ca v0
---
Acceptable client certificate CA names
O = io.strimzi, CN = clients-ca v0
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3540 bytes and written 441 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)
---
40F718A9CA7F0000:error:0A000119:SSL routines:ssl3_get_record:decryption failed or bad record mac:../ssl/record/ssl3_record.c:613:

Content of cert1 :

openssl x509 -in cert1.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O = io.strimzi, CN = cluster-ca v0
        Validity
            Not Before: Jun 27 12:00:56 2023 GMT
            Not After : Jun 26 12:00:56 2024 GMT
        Subject: O = io.strimzi, CN = xxx-cluster-kafka
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:xxx-cluster-kafka-bootstrap.kafka.svc, DNS:xxx-cluster-kafka-1.xxx-cluster-kafka-brokers.kafka.svc, DNS:xxx-cluster-kafka-brokers.kafka, 
                DNS:xxx-cluster-kafka-bootstrap.kafka.svc.cluster.local, DNS:xxx-cluster-kafka-1.xxx-cluster-kafka-brokers.kafka.svc.cluster.local, DNS:xxx-cluster-kafka-bootstrap, 
                DNS:xxx-cluster-kafka-bootstrap.kafka, DNS:xxx-cluster-kafka-brokers.kafka.svc.cluster.local, DNS:b1.kafka.prosoft.local, DNS:bootstrap.kafka.prosoft.local, DNS:xxx-cluster-kafka-brokers, DNS:xxx-cluster-kafka-brokers.kafka.svc

Content of cert2:

openssl x509 -in cert2.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O = io.strimzi, CN = cluster-ca v0
        Validity
            Not Before: Jun 27 08:21:53 2023 GMT
            Not After : Jun 26 08:21:53 2024 GMT
        Subject: O = io.strimzi, CN = cluster-ca v0
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign

[scholzj]

So, what OpenSSL gives you looks good to me. It suggests the broker uses the right certificate and the TLS passthrough works fine. So the next part is to look into the Kafka client. The command you used to create the truststore on the beginning looked fine. But you should be able to doublecheck that it has the right CA. And you should check the Java client really uses it.

[roman5595]

Here is full log from kafka client with enabled -Djavax.net.debug=ssl :

13:01:53.642 [Thread-4] INFO  org.apache.kafka.clients.admin.AdminClientConfig - AdminClientConfig values: 
	bootstrap.servers = [bootstrap.kafka.xxx.local:443]
	client.dns.lookup = default
	client.id = 
	connections.max.idle.ms = 300000
	metadata.max.age.ms = 300000
	metric.reporters = []
	metrics.num.samples = 2
	metrics.recording.level = INFO
	metrics.sample.window.ms = 30000
	receive.buffer.bytes = 65536
	reconnect.backoff.max.ms = 1000
	reconnect.backoff.ms = 50
	request.timeout.ms = 120000
	retries = 5
	retry.backoff.ms = 100
	sasl.client.callback.handler.class = null
	sasl.jaas.config = [hidden]
	sasl.kerberos.kinit.cmd = /usr/bin/kinit
	sasl.kerberos.min.time.before.relogin = 60000
	sasl.kerberos.service.name = null
	sasl.kerberos.ticket.renew.jitter = 0.05
	sasl.kerberos.ticket.renew.window.factor = 0.8
	sasl.login.callback.handler.class = null
	sasl.login.class = null
	sasl.login.refresh.buffer.seconds = 300
	sasl.login.refresh.min.period.seconds = 60
	sasl.login.refresh.window.factor = 0.8
	sasl.login.refresh.window.jitter = 0.05
	sasl.mechanism = GSSAPI
	security.protocol = SSL
	security.providers = null
	send.buffer.bytes = 131072
	ssl.cipher.suites = null
	ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
	ssl.endpoint.identification.algorithm = 
	ssl.key.password = null
	ssl.keymanager.algorithm = SunX509
	ssl.keystore.location = null
	ssl.keystore.password = null
	ssl.keystore.type = JKS
	ssl.protocol = TLS
	ssl.provider = null
	ssl.secure.random.implementation = null
	ssl.trustmanager.algorithm = PKIX
	ssl.truststore.location = C:\kafka\truststore.jks
	ssl.truststore.password = [hidden]
	ssl.truststore.type = JKS

13:01:53.654 [Thread-4] DEBUG org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Setting bootstrap cluster metadata Cluster(id = null, nodes = [bootstrap.kafka.xxx.local:443 (id: -1 rack: null)], partitions = [], controller = null).
13:01:53.738 [Thread-4] DEBUG org.apache.kafka.common.security.ssl.SslEngineBuilder - Created SSL context with keystore null, truststore SecurityStore(path=C:\kafka\truststore.jks, modificationTime=Sun Nov 26 12:44:54 CET 2023), provider SunJSSE.
13:01:53.744 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name connections-closed:
13:01:53.745 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name connections-created:
13:01:53.745 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name successful-authentication:
13:01:53.745 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name successful-reauthentication:
13:01:53.745 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name successful-authentication-no-reauth:
13:01:53.746 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name failed-authentication:
13:01:53.746 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name failed-reauthentication:
13:01:53.746 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name reauthentication-latency:
13:01:53.746 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name bytes-sent-received:
13:01:53.746 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name bytes-sent:
13:01:53.747 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name bytes-received:
13:01:53.747 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name select-time:
13:01:53.747 [Thread-4] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name io-time:
13:01:53.750 [Thread-4] WARN  org.apache.kafka.clients.admin.AdminClientConfig - The configuration 'group.id' was supplied but isn't a known config.
13:01:53.750 [Thread-4] WARN  org.apache.kafka.clients.admin.AdminClientConfig - The configuration 'sasl.jaas.config' was supplied but isn't a known config.
13:01:53.751 [Thread-4] INFO  org.apache.kafka.common.utils.AppInfoParser - Kafka version: 2.4.0
13:01:53.751 [Thread-4] INFO  org.apache.kafka.common.utils.AppInfoParser - Kafka commitId: 77a89fcf8d7fa018
13:01:53.751 [Thread-4] INFO  org.apache.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1701000113750
13:01:53.752 [Thread-4] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Kafka admin client initialized
13:01:53.753 [Thread-4] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Queueing Call(callName=listNodes, deadlineMs=1701000233752) with a timeout 120000 ms from now.
13:01:53.753 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Initiating connection to node bootstrap.kafka.xxx.local:443 (id: -1 rack: null) using address bootstrap.kafka.xxx.local/<IP_ADDRESS_OF_LB>
13:01:53.787 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name node--1.bytes-sent
13:01:53.788 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name node--1.bytes-received
13:01:53.788 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Added sensor with name node--1.latency
13:01:53.789 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.network.Selector - [AdminClient clientId=adminclient-1] Created socket with SO_RCVBUF = 65536, SO_SNDBUF = 131072, SO_TIMEOUT = 0 to node -1
13:01:53.845 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Completed connection to node -1. Fetching API versions.
13:01:53.949 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.network.SslTransportLayer - [SslTransportLayer channelId=-1 key=sun.nio.ch.SelectionKeyImpl@31f4ac0a] SSLEngine.closeInBound() raised an exception.
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1542) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeFailure(SslTransportLayer.java:830) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.maybeProcessHandshakeFailure(SslTransportLayer.java:868) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:267) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
13:01:53.952 [kafka-admin-client-thread | adminclient-1] INFO  org.apache.kafka.common.network.Selector - [AdminClient clientId=adminclient-1] Failed authentication with bootstrap.kafka.xxx.local/<IP_ADDRESS_OF_LB> (SSL handshake failed)
13:01:53.952 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Node -1 disconnected.
13:01:53.953 [kafka-admin-client-thread | adminclient-1] WARN  org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1530) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[?:1.8.0_232]
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:479) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.HandshakeStateManager.check(HandshakeStateManager.java:362) ~[?:1.8.0_232]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:196) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_232]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:402) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:484) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
13:01:53.953 [kafka-admin-client-thread | adminclient-1] ERROR org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Connection to node -1 (bootstrap.kafka.xxx.local/<IP_ADDRESS_OF_LB>:443) failed authentication due to: SSL handshake failed
13:01:53.953 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Requesting metadata update.
13:01:53.953 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Metadata is not usable: failed to get metadata.
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1530) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[?:1.8.0_232]
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:479) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.HandshakeStateManager.check(HandshakeStateManager.java:362) ~[?:1.8.0_232]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:196) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_232]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:402) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:484) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
13:01:53.953 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Unable to choose node for Call(callName=listNodes, deadlineMs=1701000233752)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1530) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[?:1.8.0_232]
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:479) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.HandshakeStateManager.check(HandshakeStateManager.java:362) ~[?:1.8.0_232]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:196) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_232]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:402) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:484) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
13:01:53.953 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Call(callName=listNodes, deadlineMs=1701000233752) failed with non-retriable exception after 1 attempt(s)
java.lang.Exception: SslAuthenticationException: SSL handshake failed
	at org.apache.kafka.clients.admin.KafkaAdminClient$Call.fail(KafkaAdminClient.java:692) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.maybeDrainPendingCall(KafkaAdminClient.java:948) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.maybeDrainPendingCalls(KafkaAdminClient.java:921) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1173) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
13:01:53.954 [Thread-4] ERROR com.kafkatool.model.KafkaMapper - Error getting brokers using admin client
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
	at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:104) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272) ~[kafka-clients.jar:?]
	at com.kafkatool.model.KafkaMapper.getBrokersKafka(KafkaMapper.java:366) ~[ofjar.jar:?]
	at com.kafkatool.model.KafkaMapper.getBrokers(KafkaMapper.java:350) ~[ofjar.jar:?]
	at com.kafkatool.model.ServerConnection.getBrokers(ServerConnection.java:292) ~[ofjar.jar:?]
	at com.kafkatool.model.ServerConnection.connectInt(ServerConnection.java:462) ~[ofjar.jar:?]
	at com.kafkatool.model.ServerConnection.connect(ServerConnection.java:443) ~[ofjar.jar:?]
	at com.kafkatool.common.AsyncServerConnector.run(AsyncServerConnector.java:43) ~[ofjar.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
Caused by: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1530) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802) ~[?:1.8.0_232]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[?:1.8.0_232]
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:479) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	... 1 more
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.HandshakeStateManager.check(HandshakeStateManager.java:362) ~[?:1.8.0_232]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:196) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_232]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_232]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_232]
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:402) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:484) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) ~[kafka-clients.jar:?]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196) ~[kafka-clients.jar:?]
	... 1 more
13:01:53.955 [Thread-4] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Initiating close operation.
13:01:53.955 [Thread-4] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Waiting for the I/O thread to exit. Hard shutdown in 31536000000 ms.
13:01:53.955 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Call(callName=fetchMetadata, deadlineMs=1701000233752) timed out at 9223372036854775807 after 1 attempt(s)
java.lang.Exception: TimeoutException: The AdminClient thread has exited.
	at org.apache.kafka.clients.admin.KafkaAdminClient$Call.fail(KafkaAdminClient.java:683) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$TimeoutProcessor.handleTimeouts(KafkaAdminClient.java:801) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1212) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
13:01:53.955 [kafka-admin-client-thread | adminclient-1] INFO  org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Metadata update failed
org.apache.kafka.common.errors.TimeoutException: The AdminClient thread has exited.
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Call(callName=fetchMetadata, deadlineMs=1701000233953) timed out at 9223372036854775807 after 1 attempt(s)
java.lang.Exception: TimeoutException: The AdminClient thread has exited.
	at org.apache.kafka.clients.admin.KafkaAdminClient$Call.fail(KafkaAdminClient.java:683) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$TimeoutProcessor.handleTimeouts(KafkaAdminClient.java:801) ~[kafka-clients.jar:?]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1212) ~[kafka-clients.jar:?]
	at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_232]
13:01:53.956 [kafka-admin-client-thread | adminclient-1] INFO  org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Metadata update failed
org.apache.kafka.common.errors.TimeoutException: The AdminClient thread has exited.
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Timed out 2 remaining operation(s).
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name connections-closed:
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name connections-created:
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name successful-authentication:
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name successful-reauthentication:
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name successful-authentication-no-reauth:
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name failed-authentication:
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name failed-reauthentication:
13:01:53.956 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name reauthentication-latency:
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name bytes-sent-received:
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name bytes-sent:
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name bytes-received:
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name select-time:
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name io-time:
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name node--1.bytes-sent
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name node--1.bytes-received
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.common.metrics.Metrics - Removed sensor with name node--1.latency
13:01:53.957 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Exiting AdminClientRunnable thread.
13:01:53.958 [Thread-4] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Kafka admin client closed.
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
	at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
	at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
	at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:104)
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272)
	at com.kafkatool.model.KafkaMapper.getBrokersKafka(KafkaMapper.java:366)
	at com.kafkatool.model.KafkaMapper.getBrokers(KafkaMapper.java:350)
	at com.kafkatool.model.ServerConnection.getBrokers(ServerConnection.java:292)
	at com.kafkatool.model.ServerConnection.connectInt(ServerConnection.java:462)
	at com.kafkatool.model.ServerConnection.connect(ServerConnection.java:443)
	at com.kafkatool.common.AsyncServerConnector.run(AsyncServerConnector.java:43)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1530)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:479)
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:340)
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:265)
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:170)
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
	at org.apache.kafka.common.network.Selector.poll(Selector.java:483)
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:540)
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1196)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
	at sun.security.ssl.HandshakeStateManager.check(HandshakeStateManager.java:362)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:196)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:402)
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:484)
	... 8 more
java.lang.Exception: Error connecting to the cluster.org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
	at com.kafkatool.model.ServerConnection.connect(ServerConnection.java:455)
	at com.kafkatool.common.AsyncServerConnector.run(AsyncServerConnector.java:43)
	at java.lang.Thread.run(Thread.java:748)

When Im creating truststore, im using content of this ca.crt from Kafka Resource :

listeners:
  - addresses:
    - host: xxx-cluster-kafka-bootstrap.kafka.svc
      port: 9092
    bootstrapServers: xxx-cluster-kafka-bootstrap.kafka.svc:9092
    name: plain
    type: plain
  - addresses:
    - host: xxx-cluster-kafka-bootstrap.kafka.svc
      port: 9093
    bootstrapServers: xxx-cluster-kafka-bootstrap.kafka.svc:9093
    certificates:
    - |
      -----BEGIN CERTIFICATE-----
     <CONTENT_OF_ca.crt>
      -----END CERTIFICATE-----
    name: tls
    type: tls
  - addresses:
    - host: bootstrap.kafka.xxx.local
      port: 443
    bootstrapServers: bootstrap.kafka.xxx.local:443
    certificates:
    - |
      -----BEGIN CERTIFICATE-----
     <CONTENT_OF_ca.crt>
      -----END CERTIFICATE-----
    name: external
    type: external
  observedGeneration: 10

Content of ca.crt is matching with ca.crt from xxx-cluster-cluster-ca-crt :

Name:         xxx-cluster-cluster-ca-cert
Namespace:    kafka
Labels:       app.kubernetes.io/instance=xxx-cluster
              app.kubernetes.io/managed-by=strimzi-cluster-operator
              app.kubernetes.io/name=strimzi
              app.kubernetes.io/part-of=strimzi-xxx-cluster
              strimzi.io/cluster=xxx-cluster
              strimzi.io/kind=Kafka
              strimzi.io/name=strimzi
Annotations:  strimzi.io/ca-cert-generation: 0

Type:  Opaque

Data
====
ca.crt:       1854 bytes
ca.p12:       1687 bytes
ca.password:  12 bytes

I think that client is using correct data :

ssl.truststore.location = C:\kafka\truststore.jks
ssl.truststore.password = [hidden]
ssl.truststore.type = JKS
security.protocol = SSL

EDIT:
I think this is interesting, firstly it looks like client connected to correct node :

13:01:53.953 [kafka-admin-client-thread | adminclient-1] ERROR org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Connection to node -1 (bootstrap.kafka.xxx.local/<IP_ADDRESS_OF_LB>:443) failed authentication due to: SSL handshake failed
13:01:53.953 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Requesting metadata update.
13:01:53.953 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.internals.AdminMetadataManager - [AdminClient clientId=adminclient-1] Metadata is not usable: failed to get metadata.
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed

But later it says :

13:01:53.953 [kafka-admin-client-thread | adminclient-1] DEBUG org.apache.kafka.clients.admin.KafkaAdminClient - [AdminClient clientId=adminclient-1] Unable to choose node for Call(callName=listNodes, deadlineMs=1701000233752)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed

[scholzj]

Well, this looks like a different error now. It is not PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target anymore. It is now Handshake message sequence violation, 2. That is because you configured TLS client authentication on your listener, but do not have the keystore with the user certificate defined in the client configuration. You have to create the KafkaUSer resource, take its certificates and use them as a keystore for the authentication in your Kafka client. (or disable the authentication in the listener of course, which is less secure, but an option as well)

[roman5595]

You are correct, that was issue, I tried this in the beginning, but it didnt work because of this :

brokerCertChainAndKey:
          certificate: user.crt
          key: user.key
          secretName: external-connect

With these commands I was able to successfully connect :

kubectl get secret <CLUSTER>-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt
kubectl get secret <KAFKA_USER_SECRET> -n kafka -o jsonpath='{.data.user\.p12}' | base64 --decode > user.p12
kubectl get secret <KAFKA_USER_SECRET> -n kafka -o jsonpath='{.data.user\.password}' | base64 --decode > user.password


"C:\Program Files\Java\jdk-14.0.2\bin\keytool" -import -trustcacerts -file ca.crt -keystore user-truststore.jks -storepass <PASSWORD>
"C:\Program Files\Java\jdk-14.0.2\bin\keytool" -importkeystore -srckeystore user.p12 -srcstoretype pkcs12 -destkeystore user-keystore.jks -deststoretype jks

One note, I had to use keytool full path from windows, for some reason when i tried to use keytool on linux it always said that password is incorrect.

Thank you very much!