bitnami / containers

Bitnami container images
https://bitnami.com

Intermediate CA communication is not working between kafka and kafka-topic-manager/applications #74895

Open saiprathapreddy opened 1 week ago

saiprathapreddy commented 1 week ago

Name and Version

ubi/kafka:3.8.0-r1

What architecture are you using?

amd64

What steps will reproduce the bug?

Error:

Example1: certificate is signed with CA - we didn't find any issue (No intermediate CA)
certificate chain: certificate -> internal CA

Log (SSL handshake completed successfully with peerHost):

```
Nov  5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,380] DEBUG Accepted connection from /172.17.0.1:37520 on /172.17.0.18:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.DataPlaneAcceptor)
Nov  5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,380] DEBUG Processor 1 listening to new connection from /172.17.0.1:37520 (kafka.network.Processor)
Nov  5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,401] DEBUG [SslTransportLayer channelId=172.17.0.18:9092-172.17.0.1:37520-15 key=channel=java.nio.channels.SocketChannel[connected local=/172.17.0.18:9092 remote=/172.17.0.1:37520], selector=sun.nio.ch.EPollSelectorImpl@12a58e5e, interestOps=1, readyOps=0] _SSL handshake completed successfully with peerHost_ '172.17.0.1' peerPort 37520 peerPrincipal 'CN=kafka-topic-manager-localhost' protocol 'TLSv1.3' cipherSuite 'TLS_AES_128_GCM_SHA256' (org.apache.kafka.common.network.SslTransportLayer)
```

Example2: certificate is signed with internal CA signed by third-party CA - handshake is failing (With intermediate CA)
certificate chain: certificate -> internal CA -> third-party CA

Log (SSLHandshake NEED_UNWRAP channelId):

```
Nov  5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] DEBUG Processor 1 listening to new connection from /172.17.0.1:45242 (kafka.network.Processor)
Nov  5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] DEBUG Accepted connection from /172.17.0.1:45242 on /172.17.0.141:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.DataPlaneAcceptor)
Nov  5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] TRACE [SslTransportLayer channelId=172.17.0.141:9092-172.17.0.1:45242-825 key=channel=java.nio.channels.SocketChannel[connected local=/172.17.0.141:9092 remote=/172.17.0.1:45242], selector=sun.nio.ch.EPollSelectorImpl@39027b65, interestOps=1, readyOps=0] SSLHandshake NEED_UNWRAP channelId 172.17.0.141:9092-172.17.0.1:45242-825, appReadBuffer pos 0, netReadBuffer pos 0, netWriteBuffer pos 0 (org.apache.kafka.common.network.SslTransportLayer)
```

What is the expected behavior?

kafka and kafka clients should be able to connect with intermediate CA (certificate chain with multiple CAs) or CAs.

What do you see instead?

unable to communicate to kafka due to intermediate CA **"SSLHandshake NEED_UNWRAP"**
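The difference between Example1 and Example2 above is whether the peer can build a path from the presented certificate to a trusted root. With a three-tier chain, a peer that trusts only the third-party root cannot validate a bare leaf unless the intermediate is either sent in the handshake or already in its truststore. The script below is an added example, not code from the issue, the Bitnami image or Kafka: it constructs a root -> intermediate -> leaf chain with `openssl`, shows the leaf failing to verify against the root alone and succeeding once the intermediate is supplied, and packs leaf plus intermediate into a PKCS12 keystore of the kind Kafka's `ssl.keystore.location` can point at. All subject names, file names and the keystore password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the issue or the Bitnami image: build a constructed
# three-tier chain (root -> intermediate -> leaf) with openssl and show that the
# leaf verifies against the root only when the intermediate is available, then
# pack leaf + intermediate into a PKCS12 keystore so the broker presents both.
set -eu

WORK="$(mktemp -d)"
PASS="changeit"   # constructed keystore password, demo only

make_chain() {
  # Root CA: stands in for the "third-party CA" in the report (self-signed).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Third-Party Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA: stands in for the "internal CA", signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/inter.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

  # Leaf: the broker certificate (hypothetical CN), signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=kafka-broker-example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:kafka-broker-example\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Prints 1 if the leaf verifies with only the root trusted and no intermediate
# anywhere, else 0. This mirrors a peer whose truststore holds the third-party
# root but receives a bare leaf in the handshake (the Example2 situation).
verify_leaf_root_only() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

# Prints 1 if the leaf verifies once the intermediate is supplied as an untrusted
# chain certificate, which is what happens when the broker sends leaf + intermediate.
verify_leaf_with_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

# Builds a PKCS12 keystore holding the leaf key plus the leaf and intermediate
# certificates. Pointing ssl.keystore.location at such a file is how the broker
# ends up presenting the whole chain rather than the leaf alone.
build_keystore() {
  openssl pkcs12 -export -name kafka \
    -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" -certfile "$WORK/inter.pem" \
    -passout "pass:$PASS" -out "$WORK/keystore.p12" >/dev/null 2>&1
}

# Prints how many certificates the keystore carries (expected 2: leaf and intermediate).
keystore_cert_count() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

demo() {
  make_chain
  echo "leaf verifies with root only:             $(verify_leaf_root_only)"
  echo "leaf verifies with intermediate supplied: $(verify_leaf_with_intermediate)"
  build_keystore
  echo "certificates in keystore.p12:             $(keystore_cert_count)"
}

demo
```

The same check can be run against a live broker: `openssl s_client -connect host:9092 -CAfile root.pem` prints the chain the broker actually sends, and a `Verify return code` other than 0 with only one certificate in the chain points at a keystore that lacks the intermediate. Adding the intermediate to the client's `ssl.truststore.location` also works, but fixing the keystore is the durable choice because every peer then receives a complete chain.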
carrodher commented 1 week ago

Hi, the issue may not be directly related to the Bitnami container image/Helm chart, but rather to how the application is being utilized, configured in your specific environment, or tied to a particular scenario that is not easy to reproduce on our side.

If you think that's not the case and want to contribute a solution, we welcome you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Feel free to reach out if you have any questions or need assistance.

Suppose you have any questions about the application, customizing its content, or technology and infrastructure usage. In that case, we highly recommend that you refer to the forums and user guides provided by the project responsible for the application or technology.

With that said, we'll keep this ticket open until the stale bot automatically closes it, in case someone from the community contributes valuable insights.

saiprathapreddy commented 1 week ago

Thank you so much for the response. I can try sharing commands to simulate the scenario.