confluentinc / confluent-kafka-dotnet

Confluent's Apache Kafka .NET client
https://github.com/confluentinc/confluent-kafka-dotnet/wiki
Apache License 2.0

Fails to obtain OAuth2 token using CA certificate on Ubuntu while it works on MacOS and Windows #2106

Open thomasnal opened 1 year ago

thomasnal commented 1 year ago

Description

The same SSL certificate, provided to the 'ssl.ca.pem' property as a verbatim string, succeeds on MacOS and Windows but fails on Linux/Ubuntu to verify the Confluent Cloud Kafka broker. Why?

The CA certificate is the Let's Encrypt ISRG Root X1.

How to reproduce

using Confluent.Kafka;
using Confluent.Kafka.Admin;

// Let's Encrypt ISRG Root X1, passed verbatim as a PEM string (ssl.ca.pem).
string cacert = @"-----BEGIN CERTIFICATE-----
...base64content-pem-downloaded-from-lets-encrypt...
-----END CERTIFICATE-----
";

// SASL_SSL with OAUTHBEARER/OIDC against Confluent Cloud; the CA is supplied
// inline via SslCaPem rather than through SslCaLocation.
AdminClientConfig adminClientConfig = new AdminClientConfig
{
    BootstrapServers = _kafkaClusterOptions.BootstrapServers,
    SaslMechanism = SaslMechanism.OAuthBearer,
    SecurityProtocol = SecurityProtocol.SaslSsl,
    SslCaPem = cacert,
    SaslOauthbearerMethod = SaslOauthbearerMethod.Oidc,
    SaslOauthbearerTokenEndpointUrl = _kafkaClusterOptions.OAuthTokenEnpointUrl,
    SaslOauthbearerClientId = _kafkaOAuthAppOptions.ClientId,
    SaslOauthbearerClientSecret = _kafkaOAuthAppOptions.ClientSecret,
    SaslOauthbearerExtensions = $"logicalCluster={_kafkaClusterOptions.ClusterId},identityPoolId={_kafkaClusterOptions.IdentityPoolId}"
};

using var adminClient = new AdminClientBuilder(adminClientConfig).Build();

// Triggers the cluster connection and, with it, the OIDC token retrieval
// (see the [OIDC] log line below).
await adminClient.CreateTopicsAsync(new TopicSpecification[] {
    new TopicSpecification { Name = "mytopic", ReplicationFactor = 1, NumPartitions = 1 }
});

 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
       ConfluentKafka : [rdkafka#producer-1] [BRKMAIN] [Debug] [[thrd::0/internal]: :0/internal: Enter main broker thread]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
       ConfluentKafka : [rdkafka#producer-1] [BROKER] [Debug] [[thrd:app]: sasl_ssl://my.westeurope.azure.confluent.cloud:9092/bootstrap: Added new broker with NodeId -1]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
       ConfluentKafka : [rdkafka#producer-1] [CONNECT] [Debug] [[thrd:app]: sasl_ssl://my.westeurope.azure.confluent.cloud:9092/bootstrap: Selected for cluster connection: bootstrap servers added (broker has 0 connection attempt(s))]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
       ConfluentKafka : [rdkafka#producer-1] [BRKMAIN] [Debug] [[thrd:sasl_ssl://my.westeurope.azure.confluent.cloud:9092/boot]: sasl_ssl://my.westeurope.azure.confluent.cloud:9092/bootstrap: Enter main broker thread]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
       ConfluentKafka : [rdkafka#producer-1] [CONNECT] [Debug] [[thrd:sasl_ssl://my.westeurope.azure.confluent.cloud:9092/boot]: sasl_ssl://my.westeurope.azure.confluent.cloud:9092/bootstrap: Received CONNECT op]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
       ConfluentKafka : [rdkafka#producer-1] [STATE] [Debug] [[thrd:sasl_ssl://my.westeurope.azure.confluent.cloud:9092/boot]: sasl_ssl://my.westeurope.azure.confluent.cloud:9092/bootstrap: Broker changed state INIT -> TRY_CONNECT]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
       ConfluentKafka : [rdkafka#producer-1] [INIT] [Debug] [[thrd:app]: librdkafka v2.2.0 (0x20200ff) rdkafka#producer-1 initialized (builtin.features gzip,snappy,ssl,sasl,regex,lz4,sasl_gssapi,sasl_plain,sasl_scram,plugins,zstd,sasl_oauthbearer,http,oidc, STRIP STATIC_LINKING GCC GXX PKGCONFIG INSTALL GNULD LIBDL PLUGINS ZLIB SSL SASL_CYRUS ZSTD CURL HDRHISTOGRAM SYSLOG SNAPPY SOCKEM SASL_SCRAM SASL_OAUTHBEARER OAUTHBEARER_OIDC CRC32C_HW, debug 0x46)]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
Error: ConfluentKafka : [rdkafka#producer-1] [OIDC] [Error] [[thrd:background]: Failed to retrieve OIDC token from "https://sso-dev.my.com/as/token.oauth2": error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt (-1)]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
Error: ntKafka : [rdkafka#producer-1] [ERROR] [Error] [[thrd:background]: Failed to acquire SASL OAUTHBEARER token: error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt]
 dbug: Data.Api.Tests.EndToEnd.Drivers.KafkaDriver[0]
       ConfluentKafka : [rdkafka#producer-1] [CONNECT] [Debug] [[thrd:main]: Cluster connection already in progress: no cluster connection]

The Ubuntu ca-certificates bundle is not needed since the PEM is provided as a string.

After trying to supply a variety of values to SslCaLocation and SslCaPem, it appears that rdkafka returns this confusing error when it is not able to find a correct certificate in any of the supplied options. Note however that the PEM is correct - the code above works on MacOS and on Windows machines.

Does anyone have an idea what is wrong on Linux/Ubuntu, or can advise what to check?

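Added Python example (not code from the issue or from confluent-kafka-python): it builds the same SASL_SSL/OIDC client configuration using librdkafka's property names and flags the 'error setting certificate file' log line above when the path it names is missing on the host. It assumes that librdkafka's OIDC token fetch honours ssl.ca.location for the token endpoint's HTTPS certificate, so a CA bundle that actually exists on the distribution (for example /etc/ssl/certs/ca-certificates.crt on Ubuntu) can be supplied alongside ssl.ca.pem instead of disabling verification; the bundle paths and sample values are constructed.

```python
import os
import re

# Assumption: librdkafka's OIDC client (libcurl) verifies the token endpoint with
# its compiled-in CA bundle path unless ssl.ca.location is set; the path in the
# issue's log is the RHEL-family one, which does not exist on Ubuntu.
CA_BUNDLE_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL / CentOS / Fedora
    "/etc/ssl/cert.pem",                   # Alpine, macOS
)
# Matches the [OIDC] and [ERROR] lines quoted in the issue.
_CERT_FILE_ERR = re.compile(r"error setting certificate file: ([^\s\]]+)")


def find_ca_bundle(candidates=CA_BUNDLE_CANDIDATES, exists=os.path.isfile):
    """Return the first CA bundle path present on this host, or None."""
    for path in candidates:
        if exists(path):
            return path
    return None


def build_oidc_config(bootstrap, ca_pem, token_url, client_id, client_secret,
                      logical_cluster, identity_pool_id, ca_bundle=None):
    """SASL_SSL + OAUTHBEARER/OIDC config. ssl.ca.pem pins the broker CA as in
    the issue; ssl.ca.location, when given, points the OIDC HTTPS call at a CA
    bundle that exists on this host so the token endpoint is still verified."""
    conf = {
        "bootstrap.servers": bootstrap,
        "security.protocol": "sasl_ssl",
        "sasl.mechanism": "OAUTHBEARER",
        "sasl.oauthbearer.method": "oidc",
        "sasl.oauthbearer.token.endpoint.url": token_url,
        "sasl.oauthbearer.client.id": client_id,
        "sasl.oauthbearer.client.secret": client_secret,
        "sasl.oauthbearer.extensions":
            f"logicalCluster={logical_cluster},identityPoolId={identity_pool_id}",
        "ssl.ca.pem": ca_pem,
    }
    if ca_bundle is not None:
        conf["ssl.ca.location"] = ca_bundle
    return conf


def diagnose_oidc_error(log_line, exists=os.path.isfile):
    """Return the CA file librdkafka tried if the line is the OIDC 'error setting
    certificate file' failure and that file is missing on this host, else None."""
    m = _CERT_FILE_ERR.search(log_line)
    if m and not exists(m.group(1)):
        return m.group(1)
    return None
```

Pass the resulting dict to confluent_kafka.Producer or AdminClient; a non-None result from diagnose_oidc_error on the [OIDC] line means the failure is the missing bundle path, not a bad ssl.ca.pem.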
thomasnal commented 10 months ago

Can anyone help with this problem? Librdkafka unreasonably tries to set some TLS certificate while it is not asked to do so. The certificate is provided as a string via the ssl.ca.pem option.

Librdkafka behaves the same way in python via confluent-kafka-python.

This remains a problem.

dakodakov commented 9 months ago

Hello,

I have a similar issue and found more information and a workaround in: https://github.com/confluentinc/librdkafka/issues/3751

nhaq-confluent commented 9 months ago

@thomasnal did the workaround provided in the previous comment help at all?

thomasnal commented 7 months ago

@nhaq-confluent Yes, the link to the issue on librdkafka helped to understand the situation. The issue is due to librdkafka, since it is not able to handle ca.location in this case.

Kalyan-Ad-Shell commented 1 week ago

@thomasnal I am also facing the same error. Can you tell me the fix you applied for this?