Status: Closed (thomasnal closed this issue 5 months ago)
For cleanliness, I've edited the code in the issue to better show the use of the certifi path to certificates, so that potential doubts about the path are satisfied.
After I compiled confluent-kafka-python from source, the connect succeeds:
...
%7|1704900329.560|STATE|rdkafka#producer-1| [thrd:sasl_ssl://pkc-poxg5.westeurope.azure.confluent.cloud:9092/boot]: sasl_ssl://pkc-poxg5.westeurope.azure.confluent.cloud:9092/bootstrap: Broker changed state INIT -> TRY_CONNECT
%7|1704900329.702|BRKMAIN|rdkafka#producer-1| [thrd:background]: Waking up waiting broker threads after setting OAUTHBEARER token
%7|1704900329.702|WAKEUP|rdkafka#producer-1| [thrd:background]: Wake-up sent to 1 broker thread in state >= TRY_CONNECT: OAUTHBEARER token update
%7|1704900329.702|CONNECT|rdkafka#producer-1| [thrd:sasl_ssl://pkc-poxg5.westeurope.azure.confluent.cloud:9092/boot]: sasl_ssl://pkc-poxg5.westeurope.azure.confluent.cloud:9092/bootstrap: broker in state TRY_CONNECT connecting
%7|1704900329.702|STATE|rdkafka#producer-1| [thrd:sasl_ssl://pkc-poxg5.westeurope.azure.confluent.cloud:9092/boot]: sasl_ssl://pkc-poxg5.westeurope.azure.confluent.cloud:9092/bootstrap: Broker changed state TRY_CONNECT -> CONNECT
...
brew install librdkafka
# export so the compiler spawned by pip actually sees the Homebrew librdkafka headers
export C_INCLUDE_PATH=/opt/homebrew/Cellar/librdkafka/2.3.0/include/
pip install --no-binary confluent-kafka confluent-kafka
Can anyone explain and update the released wheel?
Most likely related to https://github.com/confluentinc/librdkafka/issues/3751
🥇 Thank you so much for pointing this out. This is very much the issue. It helps heaps; I understand the underlying design and the issue, so that I can create a workaround for the systems where it is failing.
Yeah, I also did a similar workaround on my side.
Moved OIDC logic to a separate compilation unit, added an additional SSL location for OAUTHBEARER with three options (inherit, system, specific path) and used it with a custom OAuthBearer callback implementation, including a modification not to decode tokens if `expires_in` is present - https://github.com/confluentinc/librdkafka/issues/4242
Description
I have a problem authenticating a Kafka client because rdkafka fails to retrieve the OIDC token with the error

SSL certificate problem: self-signed certificate in certificate chain (-1)

This error is supposed to be remedied by using the correct CA certs, e.g. from the `certifi` package or from the OS `/etc/ssl/cert.pem`; it has been reported in other bug reports. I can replicate this error in an HTTPS request made in Python using the requests package and the token endpoint. Providing the certifi cacert to the requests package solves the error in requests. However, when I ask rdkafka to use the same cacert file, rdkafka remains stuck with the error.

Note the `ssl.ca.location` option: the error remains using either the cert file from certifi or `/etc/ssl/cert.pem`. The error remains even when using the certificate provided via the `ssl.ca.pem` option. Further attempts with the options `enable.ssl.certificate.verification: false` and `ssl.endpoint.identification.algorithm: none` leave rdkafka stuck with the same error too. At this point, it appears rdkafka ignores the provided options.

Using .NET Confluent Kafka with the same token endpoint on the same machine works without an issue. It works in all cases, such as providing the cert as a value in the `ssl.ca.pem` option.

What can I do to get rdkafka called from Python to successfully retrieve the token without the error?
How to reproduce
Output:
Checklist
Please provide the following information:
- confluent-kafka-python and librdkafka version (`confluent_kafka.version()` and `confluent_kafka.libversion()`):
- Operating system: Darwin 22.6.0 arm64
- Client logs (with `'debug': '..'` as necessary)
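A workaround in the spirit of the custom OAuthBearer callback mentioned in the comments, written here as an added example (it is not code from the issue, from librdkafka or from confluent-kafka-python): fetch the token in Python with a stdlib `SSLContext` whose trust is pinned to the certifi bundle, so certificate verification stays switched on, and hand the result to librdkafka through confluent_kafka's `oauth_cb`. Because the client then never uses librdkafka's built-in OIDC fetch, the CA-location problem described above is side-stepped rather than "fixed" by disabling verification. The token endpoint URL, client id/secret and bootstrap address are placeholders, and the assumption that the identity provider accepts a `client_credentials` grant with HTTP Basic authentication is mine; the `oauth_cb` contract (callable taking the `sasl.oauthbearer.config` string, returning `(token, expiry_seconds_since_epoch)`) is confluent-kafka-python's.

```python
"""Fetch the OAUTHBEARER token in Python with explicit CA trust and pass it to
librdkafka via confluent_kafka's oauth_cb, bypassing the client's built-in OIDC
token fetch. Added example; endpoint, credentials and bootstrap are placeholders."""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

try:
    import certifi  # the same bundle the issue reporter used with requests
    DEFAULT_CA_BUNDLE = certifi.where()
except ImportError:  # fall back to the OS bundle named in the issue
    DEFAULT_CA_BUNDLE = "/etc/ssl/cert.pem"


def jwt_exp(token):
    """Return the 'exp' claim from a JWT payload, or None if it cannot be read.

    No signature check is performed: the value is only used to schedule the
    refresh; the broker validates the token itself."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    return claims.get("exp")


def parse_token_response(body, now):
    """Map an OAuth2 token response to the (token, expiry_epoch) pair oauth_cb returns.

    Prefer the server-supplied expires_in (as the commenter's librdkafka patch does)
    and only fall back to decoding the JWT when it is absent."""
    data = json.loads(body)
    token = data["access_token"]
    if "expires_in" in data:
        return token, now + float(data["expires_in"])
    exp = jwt_exp(token)
    if exp is None:
        raise ValueError("token response has neither expires_in nor a readable exp claim")
    return token, float(exp)


def make_oauth_cb(token_url, client_id, client_secret, scope=None,
                  ca_bundle=DEFAULT_CA_BUNDLE, opener=None):
    """Build an oauth_cb(config_str) -> (token, expiry_epoch) callable.

    Assumption: the IdP accepts a client_credentials grant with HTTP Basic auth.
    TLS trust for the token endpoint is pinned to ca_bundle; verification stays on.
    `opener` is injectable so the request path can be exercised offline."""
    if opener is None:
        ctx = ssl.create_default_context(cafile=ca_bundle)
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

    def oauth_cb(_config_str):
        form = {"grant_type": "client_credentials"}
        if scope:
            form["scope"] = scope
        req = urllib.request.Request(
            token_url,
            data=urllib.parse.urlencode(form).encode(),
            headers={"Authorization": "Basic " + basic,
                     "Content-Type": "application/x-www-form-urlencoded"},
            method="POST",
        )
        with opener.open(req, timeout=10) as resp:
            return parse_token_response(resp.read(), time.time())

    return oauth_cb


def client_config(bootstrap_servers, oauth_cb, ca_bundle=DEFAULT_CA_BUNDLE):
    """Client config: broker TLS trusts ca_bundle, the token comes from oauth_cb.
    sasl.oauthbearer.method is deliberately left at its default (not 'oidc')."""
    return {
        "bootstrap.servers": bootstrap_servers,
        "security.protocol": "SASL_SSL",
        "sasl.mechanisms": "OAUTHBEARER",
        "ssl.ca.location": ca_bundle,
        "oauth_cb": oauth_cb,
    }


if __name__ == "__main__":
    # Placeholders: substitute the real token endpoint, credentials and bootstrap.
    cb = make_oauth_cb("https://IDP_PLACEHOLDER/oauth2/token", "CLIENT_ID", "CLIENT_SECRET")
    conf = client_config("BOOTSTRAP_PLACEHOLDER:9092", cb)
    from confluent_kafka import Producer  # imported late so the module loads without it
    Producer(conf).poll(0)  # the first poll triggers the token fetch through oauth_cb
```

If the token fetch fails with the same "self-signed certificate in certificate chain" message here, the bundle genuinely lacks the issuing root and the fix is to add that root to the bundle handed to `ca_bundle`, not to turn verification off; if it succeeds while the built-in OIDC path still fails, that isolates the problem to librdkafka's own HTTPS client, which is what the linked librdkafka issue describes.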