confluentinc / librdkafka

The Apache Kafka C/C++ library

Using ssl.certificate.pem does not send the full ca-chain #3225

Open sunnybenari opened 3 years ago

sunnybenari commented 3 years ago

Description

When using the ssl.certificate.pem configuration, the client doesn't send the full chain. Note: ssl.certificate.location sends the full chain.

How to reproduce

Run producer/consumer where ssl.ca.location has only the Root CA and set ssl.certificate.pem with the full chain.

Logs:

From .NET client (proxy from librdkafka)

Confluent.Kafka.ProduceException`2[System.String,System.String]: Broker: Topic authorization failed
   at Confluent.Kafka.Producer`2.Produce(TopicPartition topicPartition, Message`2 message, Action`1 deliveryHandler)
   at Confluent.Kafka.Producer`2.Produce(String topic, Message`2 message, Action`1 deliveryHandler)

Checklist

Please provide the following information:

cactus620 commented 8 months ago

We met the same issue here. We're using version 2.1.1 of the library, and our ssl.certificate.pem content is in the format below:

-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data for the client certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data for the intermediate CA)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data for the root CA)
-----END CERTIFICATE-----

We've tried to capture the packages sent using Wireshark. Only the first block of the client certificate was sent. The intermediate CA and root CA were not sent. Please kindly help to review the issue.
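A workaround sketch based on the reporter's note that ssl.certificate.location sends the full chain, added here as an example (not code from librdkafka or from the commenters): it moves an inline ssl.certificate.pem bundle into an owner-only file and points ssl.certificate.location at it. The helper names, the placeholder CA path and the sample bundle are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Matches one PEM certificate block, BEGIN/END markers included.
_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s.*?\s-----END CERTIFICATE-----", re.DOTALL)


def split_pem_chain(pem_text):
    """Return the certificate blocks of a PEM bundle in file order (leaf first)."""
    return [m.group(0) for m in _CERT_RE.finditer(pem_text)]


def chain_to_location_config(config, directory=None):
    """Copy `config`, moving an inline ssl.certificate.pem chain into a file
    referenced by ssl.certificate.location. Returns (new_config, cert_count)."""
    new_config = dict(config)
    pem_text = new_config.pop("ssl.certificate.pem", None)
    if pem_text is None:
        return new_config, 0
    blocks = split_pem_chain(pem_text)
    if not blocks:
        raise ValueError("ssl.certificate.pem holds no certificate block")
    # mkstemp creates the file readable and writable by the owner only.
    fd, path = tempfile.mkstemp(suffix=".pem", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(blocks) + "\n")
    new_config["ssl.certificate.location"] = path
    return new_config, len(blocks)


# Constructed sample: placeholder bodies, not real certificates.
SAMPLE_CHAIN = "\n".join(
    f"-----BEGIN CERTIFICATE-----\n{name}\n-----END CERTIFICATE-----"
    for name in ("CLIENT", "INTERMEDIATE", "ROOT"))

if __name__ == "__main__":
    cfg, count = chain_to_location_config({
        "ssl.ca.location": "/path/to/root-ca.pem",  # placeholder path
        "ssl.certificate.pem": SAMPLE_CHAIN,
    })
    print(count, "certificates written to", cfg["ssl.certificate.location"])
    os.unlink(cfg["ssl.certificate.location"])
```

A count of 1 from this helper means the bundle itself carries only the leaf, so the missing chain would be a packaging problem rather than the behaviour reported here.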

trnguyencflt commented 4 months ago

Encountered the same issue when using ssl.keystore.location: only the leaf certificate is sent to the server.

abhijeet2096-confluent commented 2 months ago

Hitting this issue in confluent-operator