PEM SSL
coredump17 opened this issue · 2 comments
The logic below (include/etc/confluent/docker/configure) does not allow for PEM SSL ADVERTISED_LISTENERS.
A quick workaround is to not let the advertised listeners match SSL ;)
```bash
# Set if ADVERTISED_LISTENERS has SSL:// or SASL_SSL:// endpoints.
if [[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]] && [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]
then
  echo "SSL is enabled."
  # A keystore file name is demanded for every listener that matches the glob above.
  dub ensure KAFKA_SSL_KEYSTORE_FILENAME
fi
```
KAFKA_SSL_KEYSTORE_LOCATION is used for PEM files instead of KAFKA_SSL_KEYSTORE_FILENAME when KAFKA_SSL_TRUSTSTORE_TYPE = PEM.
Came here to report the same problem. Just to explain the issue more clearly:
You can configure SSL either in the classical way using KAFKA_SSL_KEYSTORE_FILENAME etc. or you can specify PEM certificates and keys directly using KAFKA_SSL_KEYSTORE_CERTIFICATE_CHAIN etc. In that case, you don't pass file names and locations, but the actual content of the PEM files - see here.
However, the "configure" script has these lines that allow only the former method of configuring SSL, and therefore prohibit using PEM certificates. This part of the script should be adapted.
As @mooneym17 mentioned, a workaround is to use a protocol name in ADVERTISED_LISTENERS that does not rhyme with SSL and map it to SSL. This fools the configure script into believing you're not using SSL and not to interfere with the SSL settings.
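
The workaround above skips the script's SSL checks altogether, so nothing validates the PEM settings at startup. The sketch below is an added example, not code from the Confluent image or from anyone in this thread: it reproduces the listener match with a POSIX `case` and shows one way the check could accept PEM settings. The function names are hypothetical, and `KAFKA_SSL_KEYSTORE_TYPE` and `KAFKA_SSL_KEYSTORE_KEY` are assumed environment names for Kafka's `ssl.keystore.type` and `ssl.keystore.key`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the Confluent image.

# Same test as the stock guard, written with POSIX `case`: true when any
# advertised listener name ends in "SSL" (SSL://, SASL_SSL://, MY_SSL://).
listeners_match_ssl() {
  case "${1-}" in
    *"SSL://"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the required-but-unset variables and return 1 if there are any.
# Assumption: KAFKA_SSL_KEYSTORE_TYPE=PEM selects the PEM branch.
missing_ssl_settings() {
  listeners_match_ssl "${KAFKA_ADVERTISED_LISTENERS-}" || return 0
  missing=""
  if [ "${KAFKA_SSL_KEYSTORE_TYPE-}" = "PEM" ]; then
    # PEM: accept a PEM file location, or an inline certificate chain plus key.
    [ -n "${KAFKA_SSL_KEYSTORE_LOCATION-}" ] && return 0
    [ -n "${KAFKA_SSL_KEYSTORE_CERTIFICATE_CHAIN-}" ] ||
      missing="KAFKA_SSL_KEYSTORE_CERTIFICATE_CHAIN"
    [ -n "${KAFKA_SSL_KEYSTORE_KEY-}" ] ||
      missing="${missing:+$missing }KAFKA_SSL_KEYSTORE_KEY"
  else
    # Classical keystore: the requirement the stock script enforces.
    [ -n "${KAFKA_SSL_KEYSTORE_FILENAME-}" ] ||
      missing="KAFKA_SSL_KEYSTORE_FILENAME"
  fi
  [ -z "$missing" ] && return 0
  echo "$missing"
  return 1
}

# Constructed sample listeners: the renamed listener never reaches the checks.
for l in "SSL://broker:9093" "SASL_SSL://broker:9094" "TLS://broker:9093"; do
  if listeners_match_ssl "$l"; then
    echo "$l -> SSL checks run"
  else
    echo "$l -> SSL checks skipped"
  fi
done
```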