Support self signed certificates

[hguerrero]

When connecting to cluster using TLS, the certificate might be a self-signed cert.

Today we receive an error, but there is no documentation on how to configure the cert to validate it.

[angelozerr]

I think it's the same issue than https://github.com/jlandersen/vscode-kafka/issues/86

[chonbash]

I have same problem. At #86 I didn't find solution.

[hguerrero]

86 still open and tries to address SASL_SSL, so I guess it should fix the usage of any TLS endpoint. However, I suggest using this issue to track the specifics of using self-signed certs within any TLS type of config.

[angelozerr]

I have same problem. At #86 I didn't find solution.

Yes sure, it's just some discussion. The issue which implements the idea with certificate (and another configuration) is https://github.com/jlandersen/vscode-kafka/issues/88

But please note if you have the capability to write a vscode extension, you can contribute to vscode-kafka with your cluster configuration. You extension could create the proper kafka config with the proper certificate https://kafka.js.org/docs/configuration#ssl

If you are interested to write your own vscode extension, please see the sample at https://github.com/angelozerr/vscode-kafka-extension-sample/blob/f3470cb0ab8777085e256571eeecc20fd77a7a83/src/extension.ts#L106

For the moment, there is no a robust documentation,please add comment in https://github.com/jlandersen/vscode-kafka/issues/129 if you need a documentation.

However, I suggest using this issue to track the specifics of using self-signed certs within any TLS type of config.

Ok thanks for your suggestion.

[fbricon]

@hguerrero can you try the CI build from https://github.com/jlandersen/vscode-kafka/actions/runs/987534310 and give some feedback?

[angelozerr]

@hguerrero please note that there is a bug with ca, cert, key file save settings. Once you have selected the file, please add a space and remove a space on each file fields before saving. I'm fixing that.

[hguerrero]

Sure, I'll give it a try

[hguerrero]

Hey, @angelozerr what type of file do I need to get for the certificate authority? right now I tried, crt, pem, and keystore but I'm not able to select any using the browse button.

[angelozerr]

Its a mistake that i did. I need to add another file extensions. Please use the expected file extension for the moment by renaming your file extension. I will fix that soon

[hguerrero]

Ok, adding the full path in the textbox worked.

Awesome work folks!

I was able to connect with no trouble

[fbricon]

@hguerrero was your certificate self-signed?

[hguerrero]

Yes, it was @fbricon

[fbricon]

Cool, thanks. FYI, @angelozerr has made some more improvements to the proposed changes, including fixing the file browsing. You can try a newer build from https://github.com/jlandersen/vscode-kafka/actions/runs/994037689

[hguerrero]

@fbricon I tested the new version, but unfortunately is not working.

Looks like when using the browse button:

• I can now select my file
• The file does not show in the textbox
• When I click on Finish the server is created but the cert is not linked

So, when trying to connect to my cluster I still get the self-signed cert error.

If I add manually the path in the textbox, as I did with the previous version it works.

[fbricon]

@hguerrero what OS are you on?

[fbricon]

@hguerrero have you tried the latest build from https://github.com/jlandersen/vscode-kafka/actions/workflows/ci.yml?query=is%3Asuccess ?

[hguerrero]

@hguerrero what OS are you on?

MacOS Big Sur v11.4

[hguerrero]

@hguerrero have you tried the latest build from https://github.com/jlandersen/vscode-kafka/actions/workflows/ci.yml?query=is%3Asuccess ?

No, used the 6days old, let me try with the one from 1hr ago.

[hguerrero]

Ok, I can confirm that the latest build (700) worked correctly.

[fbricon]

Fixed with #193

[kasperschnack]

Hi guys! First of all, thank you for making kafka available in vs code. I'm really looking forward to ditching the expensive conduktor I have to use through VNC. However I'm getting this error as well. I might have more than just this issue though - not sure:

1. I have this issue and I don't understand how I'm supposed to fix it
2. In conduktor I simply have to point to my truststore.jks file. I converted it using this method. However this only creates a single PEM file. And I'm prompted for three different files in your setup:

not really sure which one to pick or if I'm missing files? Any help would be greatly appreciated! <3

I'm on Windows 10 Enterprise with a remote to a VM running Ubuntu 18.04.4 LTS btw :)

[angelozerr]

@kasperschnack to be honnest with you, I have none knowledge about JKS, etc. I have just consumed the kafkajs API and the expected tls ConnectionOptions :

https://github.com/jlandersen/vscode-kafka/blob/06b74ed03a57c73b2daec4a60a3dfd76145c039e/src/client/client.ts#L491

If it requires some changes, any feedback are welcome, thanks!

[IvanKostyuk]

Cannot connect using v0.15.0 Cannot find old build for v0.13.0

[IvanKostyuk]

The certificate I issued does not have correct hostnames, more than that, I'm playing with cluster of 3 brokers. Need to have ability to bypass host validation.

Failed operation - Connection error: Hostname/IP does not match certificate's altnames: IP: is not in the cert's list

[fbricon]

To install a prior version: