confluentinc / kafka-rest

Confluent REST Proxy for Kafka
https://docs.confluent.io/current/kafka-rest/docs/index.html

Connecting Kafka connect REST port using https #606

Open Dwijad opened 4 years ago

Dwijad commented 4 years ago

Hi

I am running a Kafka Connect distributed worker with REST port 8085 exposed in HTTPS mode. I can verify that the REST port has been exposed through `# netstat -pltn`.

Now, to query the REST port using curl, I have converted the keystore and cacert to PEM format:

```
$ ll
-rw-r--r--. 1 kfkcmgr kfk 1809 Dec 27 04:19 ca-cert
-rw-r--r--. 1 kfkcmgr kfk  1802 Jan 22 05:43 kafka.client.keystore.jks
-rw-r--r--. 1 kfkcmgr kfk  1358 Dec 27 04:19 kafka.client.truststore.jks
```

### Extract client key

```
$ keytool -noprompt -srckeystore kafka.client.keystore.jks -importkeystore -srcalias CARoot -destkeystore kafka.client.keystore.p12 -deststoretype PKCS12 -srcstorepass Password123 -storepass Password123
$ openssl pkcs12 -in kafka.client.keystore.p12 -chain -name worker3 -out worker3.pem -passin pass:Password123 -nodes
MAC verified OK
```

### Extract CA certificate

```
$ keytool -noprompt -keystore kafka.client.keystore.jks -exportcert -alias CARoot -rfc -file ca_cert.pem -storepass Password123
Certificate stored in file <ca_cert.pem>
```

Now trying to connect with curl like the following:

```
$ curl -vvv -X GET -k -E ./worker1.pem:Password123  https://kfkwkr3:8085/
* About to connect() to kfkwkr3 port 8085 (#0)
* Trying 172.16.20.110... connected
* Connected to kfkwkr3 (172.16.20.110) port 8085 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* Unable to load client key -8178.
* NSS error -8178
* Closing connection #0
curl: (58) Unable to load client key -8178.
```

OR

```
$ curl -vvv -X GET  --cert ./cacert.pem --key ./worker1.pem:Password123 https://kfkwkr3:8085/connectors/
* About to connect() to kfkwkr3 port 8085 (#0)
*   Trying 172.16.20.110... connected
* Connected to kfkwkr3 (172.16.20.110) port 8085 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Unable to load client key -8178.
* NSS error -8178
* Closing connection #0
curl: (58) Unable to load client key -8178.
```

Looks like curl is unable to load the key although it has been specified.

I would appreciate it if anyone can point out what the exact error is in the above curl command.

Regards

Dwijad commented 4 years ago

Hi, I was able to test the Kafka Connect REST endpoints with a number of REST API tools with the same certificate and keys. Still clueless why curl did not work. But anyway, my problem is solved. Regards
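
A pre-flight check for PEM files like the ones produced by the conversion steps in this thread, added here as an example and not written by anyone in the thread. It inspects only the PEM block labels that curl's `-E`/`--cert` and `--key` options need to find, not whether the key matches the certificate; `check_client_pem` and `make_samples` are hypothetical helper names and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the issue thread. check_client_pem and make_samples
# are hypothetical helper names; the sample PEM bodies are constructed placeholders.

# Inspect the PEM block labels in a file intended for curl -E / --cert / --key.
# Returns: 0 = certificate and private key present, 1 = file not readable,
#          2 = no CERTIFICATE block, 3 = no private key block.
check_client_pem() {
    local f="$1" certs keys
    if [ ! -r "$f" ]; then
        echo "$f: not readable (does the name match the file openssl wrote?)" >&2
        return 1
    fi
    # grep -c exits non-zero on a zero count, so keep the count and ignore the status.
    certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -Ec -- '^-----BEGIN ((RSA|EC|ENCRYPTED) )?PRIVATE KEY-----' "$f" || true)
    echo "$f: $certs certificate block(s), $keys private key block(s)" >&2
    [ "$certs" -gt 0 ] || return 2
    [ "$keys" -gt 0 ] || return 3
    return 0
}

# Write constructed sample files: one with key + certificate, and one with a
# certificate only (as produced when the exported entry holds no private key).
make_samples() {
    local d="$1"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$d/key_and_cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/cert_only.pem"
}

# Demo run over the constructed samples plus a file name that does not exist.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in key_and_cert.pem cert_only.pem missing.pem; do
    rc=0
    check_client_pem "$demo_dir/$f" || rc=$?
    echo "$f -> exit $rc"
done
rm -rf "$demo_dir"
```

Exit code 3 means the file passed as the client key contains no private key block at all, and exit code 1 means the path given to curl does not exist or is not readable.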