fede1024 / rust-rdkafka

A fully asynchronous, futures-based Kafka client library for Rust based on librdkafka
MIT License

Failed to retrieve OIDC token from Let's Encrypt https endpoint #694

Open Syndlex opened 1 month ago

Syndlex commented 1 month ago

Hey, I don't fully know if this is correct here or if it should be in librdkafka.

We want to connect to a Kafka that is protected by https://github.com/strimzi/strimzi-kafka-oauth

This is the setup within the configuration:

```rust
use rdkafka::ClientConfig;

// `auth_config` is the reporter's own settings struct; its fields are shown as used.
let mut config = ClientConfig::new();
config.set("sasl.mechanisms", "OAUTHBEARER");
config.set("sasl.oauthbearer.method", auth_config.method.to_string());
config.set("sasl.oauthbearer.client.id", auth_config.client_id.to_string());
config.set("sasl.oauthbearer.client.secret", auth_config.client_secret.to_string());
config.set("sasl.oauthbearer.token.endpoint.url", auth_config.token_endpoint_url.to_string());
config.set("enable.ssl.certificate.verification", "false");
```

My system uses Ubuntu 22.04.

Cargo.toml is:

```toml
rdkafka = { version = "0.36.2", features = ["curl", "ssl", "gssapi", "cmake-build"] }
```

The error that I get at runtime is:

```text
Failed to retrieve OIDC token from "https://accounts.varta-ag.com/realms/varta-dev/protocol/openid-connect/token": SSL certificate problem: unable to get local issuer certificate (-1)
```

I think this has to do with curl not knowing the Let's Encrypt CA certificate. But I am not fully sure. I tried setting different env variables to configure the curl setup. I also loaded the Let's Encrypt cert and CA into my /etc/ssl/certs/ folder.

I found this issue, but I think that is the setup against the broker, not against the token endpoint: https://github.com/confluentinc/librdkafka/issues/1814

I also found this Stack Overflow question where the error fits, but I cannot adapt any solution to Rust: https://stackoverflow.com/questions/24611640/curl-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate?page=2&tab=scoredesc#tab-top

Syndlex commented 1 month ago

So I figured it out.

This was just a linking problem with cmake, libcurl and OpenSSL. I use "dynamic-linking" now and installed librdkafka from Confluent.

With every other configuration I got:

```text
(Client config error: Configuration property "sasl.oauthbearer.method" not supported in this build: OAuth/OIDC depends on libcurl and OpenSSL which were not available at build time sasl.oauthbearer.method oidc)
```

On my side this issue can be closed, unless @fede1024 wants to investigate this problem and needs help.
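An added pre-flight check, written for this page and not part of rust-rdkafka or the reporter's project, that runs over the same key/value strings passed to `ClientConfig::set`. It rejects the workaround used in the first comment: `enable.ssl.certificate.verification=false` makes the "unable to get local issuer certificate" error go away by accepting any certificate, so the check flags it, along with a non-https token endpoint, missing client credentials and a CA file that is not on disk. Property names are librdkafka's; the rules, the `check_oidc_config` name and the sample values are this example's own assumptions.

```rust
// Added example: pre-flight check for an rdkafka OAUTHBEARER/OIDC configuration.
// It works on the plain key/value strings passed to ClientConfig::set, so it needs
// no crates. Property names are librdkafka's; the rules are this example's policy.
use std::path::Path;

pub fn check_oidc_config(props: &[(&str, &str)]) -> Result<(), Vec<String>> {
    let get = |k: &str| props.iter().find(|(key, _)| *key == k).map(|(_, v)| *v);
    let mut problems = Vec::new();
    if get("sasl.mechanisms") != Some("OAUTHBEARER") {
        problems.push("sasl.mechanisms must be OAUTHBEARER".to_string());
    }
    if get("sasl.oauthbearer.method") != Some("oidc") {
        problems.push("sasl.oauthbearer.method must be oidc for the token-endpoint flow".to_string());
    }
    for key in ["sasl.oauthbearer.client.id", "sasl.oauthbearer.client.secret"] {
        if get(key).map_or(true, |v| v.is_empty()) {
            problems.push(format!("{key} is missing or empty"));
        }
    }
    match get("sasl.oauthbearer.token.endpoint.url") {
        None => problems.push("sasl.oauthbearer.token.endpoint.url is missing".to_string()),
        // The client secret is sent in this request, so plain http is not acceptable.
        Some(url) if !url.starts_with("https://") => {
            problems.push(format!("token endpoint must use https, got {url}"));
        }
        _ => {}
    }
    // Disabling verification hides the CA error by accepting any certificate, which
    // lets anyone on the network path impersonate the broker or the token endpoint.
    if get("enable.ssl.certificate.verification") == Some("false") {
        problems.push("enable.ssl.certificate.verification=false removes TLS authentication; fix the CA bundle instead".to_string());
    }
    // If a CA bundle is configured for the broker connection, it must exist on disk.
    if let Some(path) = get("ssl.ca.location") {
        if !Path::new(path).exists() {
            problems.push(format!("ssl.ca.location {path} does not exist"));
        }
    }
    if problems.is_empty() { Ok(()) } else { Err(problems) }
}

fn main() {
    // Constructed sample: the issue's configuration, with verification switched off.
    let reported = [("sasl.mechanisms", "OAUTHBEARER"), ("sasl.oauthbearer.method", "oidc"),
        ("sasl.oauthbearer.client.id", "kafka-client"), ("sasl.oauthbearer.client.secret", "example-secret"),
        ("sasl.oauthbearer.token.endpoint.url", "https://issuer.example/realms/dev/protocol/openid-connect/token"),
        ("enable.ssl.certificate.verification", "false")];
    if let Err(problems) = check_oidc_config(&reported) {
        for p in problems { println!("problem: {p}"); }
    }
}
```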