Closed FlorianSW closed 4 years ago
Closing, sorry for the disturbance here. The issue was the result of an error on my part. As said, the broker requires client-certificate authentication. However, I had the cert as a PEM file without the chain. The server expects a specific root CA, but the cert was issued by one of the intermediate ones. The Java Kafka client seems to present whatever cert I put in; the Go client (this proxy) seems to be more strict and does not present the cert, as it was not issued by the root CA requested by the server. Putting the whole certificate chain into the PEM worked, and I can now connect to the proxy, which will forward the requests to the Kafka broker :)
I want to use this proxy to terminate TLS from the Kafka brokers on the proxy (including client authentication with a key file) and connect from the application via plaintext. However, when running the proxy with the following command:
./kafka-proxy server --bootstrap-server-mapping "kafka1.example.com:19093,127.0.0.1:32500" --bootstrap-server-mapping "kafka2.example.com:19093,127.0.0.1:32501" --bootstrap-server-mapping "kafka3.example.com:19093,127.0.0.1:32502" --tls-insecure-skip-verify --tls-enable --tls-client-cert-file ./cert.pem --tls-client-key-file ./key.pem
However, whenever I try to connect from the Java application, the proxy disconnects from the host with the following error message:
I'm not sure what I'm doing wrong, or perhaps I misunderstood the parameters here. Can you help?
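The behaviour described in the closing comment can be reproduced with Go's standard library alone. The following is an added example, not code from the thread or from kafka-proxy: it builds a constructed root, intermediate and client certificate in memory and asks `tls.CertificateRequestInfo.SupportsCertificate`, the check `crypto/tls` applies when choosing a client certificate from `Config.Certificates`, whether the chain matches a server that names only the root CA. That the proxy uses this default selection is an assumption; all names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate signed by parent (self-signed if parent is nil).
func issue(cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ClientCertOffered: chainLen 1 = leaf-only PEM, 2 = leaf plus intermediate in the PEM.
func ClientCertOffered(chainLen int) bool {
	root, rk := issue("constructed root CA", true, nil, nil)
	inter, ik := issue("constructed intermediate CA", true, root, rk)
	leaf, lk := issue("constructed client", false, inter, ik)
	chain := tls.Certificate{Certificate: [][]byte{leaf.Raw, inter.Raw}[:chainLen], PrivateKey: lk}
	// The server's CertificateRequest lists only the root CA as acceptable.
	cri := &tls.CertificateRequestInfo{AcceptableCAs: [][]byte{root.RawSubject}, Version: tls.VersionTLS12,
		SignatureSchemes: []tls.SignatureScheme{tls.ECDSAWithP256AndSHA256}}
	return cri.SupportsCertificate(&chain) == nil
}

func main() { fmt.Println("leaf only:", ClientCertOffered(1), "full chain:", ClientCertOffered(2)) }
```

The check compares the issuer of each certificate in the loaded chain with the CA names the server sent, so a leaf-only PEM fails because its issuer is the intermediate, while a chain that includes the intermediate matches on the intermediate's issuer, the root.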