provectus / kafka-ui

Open-Source Web UI for Apache Kafka Management
Apache License 2.0

Support SSL for schema registry #930

Closed Haarolean closed 2 years ago

Haarolean commented 3 years ago

https://news.ycombinator.com/item?id=28722315

If a schema registry uses a self-signed certificate (or one signed by a corporation's CA), there's no way to pass the certificate through a config or skip validation (Kowl's relevant config [3]). As it is, you get a 500 error in the API call, but the UI doesn't show an error.

whatsupbros commented 2 years ago

@Haarolean, is there any news about this issue? We are using mTLS for our Schema Registry together with Basic Auth in our Kafka Clusters, and I didn't manage to configure an SSL connection to it for my kafka-ui instance.

What I already tried:

Attempt 1: SSL properties inherited from brokers connection?

      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: broker:9093
      KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /path/to/truststore.jks
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION: /path/to/keystore.jks
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEY_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM: PLAIN
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin_secret";'
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY: schema-registry:8081
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_USERNAME: admin
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_PASSWORD: admin_secret

Attempt 2: SSL properties in the same manner as for brokers connection?

      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: broker:9093
      KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /path/to/truststore.jks
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION: /path/to/keystore.jks
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEY_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM: PLAIN
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin_secret";'
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY: schema-registry:8081
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_USERNAME: admin
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_PASSWORD: admin_secret
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /path/to/truststore.jks
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_PROPERTIES_SSL_TRUSTSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_PROPERTIES_SSL_KEYSTORE_LOCATION: /path/to/keystore.jks
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_PROPERTIES_SSL_KEYSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_PROPERTIES_SSL_KEY_PASSWORD: secret

Attempt 3: Maybe without PROPERTIES prefix?

      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: broker:9093
      KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /path/to/truststore.jks
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION: /path/to/keystore.jks
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEY_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM: PLAIN
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin_secret";'
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY: https://schema-registry:8081
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_USERNAME: admin
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_PASSWORD: admin_secret
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_SSL_TRUSTSTORE_LOCATION: /path/to/truststore.jks
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_SSL_TRUSTSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_SSL_KEYSTORE_LOCATION: /path/to/keystore.jks
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_SSL_KEYSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY_SSL_KEY_PASSWORD: secret

But nothing worked; I always get the same result, which is this exception:

kafka-ui  | ERROR [reactor-http-epoll-5] c.p.k.u.s.SchemaRegistryService: Unexpected error
kafka-ui  | org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:141)
kafka-ui  |     Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
kafka-ui  | Error has been observed at the following site(s):
kafka-ui  |     *__checkpoint ⇢ Request to GET https://schema-registry:8081/subjects [DefaultWebClient]
kafka-ui  | Stack trace:
kafka-ui  |             at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:141)
kafka-ui  |             at reactor.core.publisher.MonoErrorSupplied.subscribe(MonoErrorSupplied.java:55)
kafka-ui  |             at reactor.core.publisher.Mono.subscribe(Mono.java:4399)
kafka-ui  |             at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:103)
kafka-ui  |             at reactor.core.publisher.FluxPeek$PeekSubscriber.onError(FluxPeek.java:222)
kafka-ui  |             at reactor.core.publisher.FluxPeek$PeekSubscriber.onError(FluxPeek.java:222)
kafka-ui  |             at reactor.core.publisher.FluxPeek$PeekSubscriber.onError(FluxPeek.java:222)
kafka-ui  |             at reactor.core.publisher.MonoNext$NextSubscriber.onError(MonoNext.java:93)
kafka-ui  |             at reactor.core.publisher.MonoFlatMapMany$FlatMapManyMain.onError(MonoFlatMapMany.java:204)
kafka-ui  |             at reactor.core.publisher.SerializedSubscriber.onError(SerializedSubscriber.java:124)
kafka-ui  |             at reactor.core.publisher.FluxRetryWhen$RetryWhenMainSubscriber.whenError(FluxRetryWhen.java:225)
kafka-ui  |             at reactor.core.publisher.FluxRetryWhen$RetryWhenOtherSubscriber.onError(FluxRetryWhen.java:274)
kafka-ui  |             at reactor.core.publisher.FluxConcatMap$ConcatMapImmediate.drain(FluxConcatMap.java:414)
kafka-ui  |             at reactor.core.publisher.FluxConcatMap$ConcatMapImmediate.onNext(FluxConcatMap.java:251)
kafka-ui  |             at reactor.core.publisher.EmitterProcessor.drain(EmitterProcessor.java:491)
kafka-ui  |             at reactor.core.publisher.EmitterProcessor.tryEmitNext(EmitterProcessor.java:299)
kafka-ui  |             at reactor.core.publisher.SinkManySerialized.tryEmitNext(SinkManySerialized.java:100)
kafka-ui  |             at reactor.core.publisher.InternalManySink.emitNext(InternalManySink.java:27)
kafka-ui  |             at reactor.core.publisher.FluxRetryWhen$RetryWhenMainSubscriber.onError(FluxRetryWhen.java:190)
kafka-ui  |             at reactor.core.publisher.MonoCreate$DefaultMonoSink.error(MonoCreate.java:194)
kafka-ui  |             at reactor.netty.http.client.HttpClientConnect$MonoHttpConnect$ClientTransportSubscriber.onError(HttpClientConnect.java:304)
kafka-ui  |             at reactor.core.publisher.MonoCreate$DefaultMonoSink.error(MonoCreate.java:194)
kafka-ui  |             at reactor.netty.resources.DefaultPooledConnectionProvider$DisposableAcquire.onUncaughtException(DefaultPooledConnectionProvider.java:218)
kafka-ui  |             at reactor.netty.resources.DefaultPooledConnectionProvider$PooledConnection.onUncaughtException(DefaultPooledConnectionProvider.java:467)
kafka-ui  |             at reactor.netty.channel.ChannelOperationsHandler.exceptionCaught(ChannelOperationsHandler.java:129)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:281)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:273)
kafka-ui  |             at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireExceptionCaught(CombinedChannelDuplexHandler.java:424)
kafka-ui  |             at io.netty.channel.ChannelHandlerAdapter.exceptionCaught(ChannelHandlerAdapter.java:92)
kafka-ui  |             at io.netty.channel.CombinedChannelDuplexHandler$1.fireExceptionCaught(CombinedChannelDuplexHandler.java:145)
kafka-ui  |             at io.netty.channel.ChannelInboundHandlerAdapter.exceptionCaught(ChannelInboundHandlerAdapter.java:143)
kafka-ui  |             at io.netty.channel.CombinedChannelDuplexHandler.exceptionCaught(CombinedChannelDuplexHandler.java:231)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:281)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:273)
kafka-ui  |             at reactor.netty.tcp.SslProvider$SslReadHandler.userEventTriggered(SslProvider.java:834)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:346)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:332)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:324)
kafka-ui  |             at io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1259)
kafka-ui  |             at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1240)
kafka-ui  |             at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284)
kafka-ui  |             at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
kafka-ui  |             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
kafka-ui  |             at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
kafka-ui  |             at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
kafka-ui  |             at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
kafka-ui  |             at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
kafka-ui  |             at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:425)
kafka-ui  |             at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
kafka-ui  |             at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
kafka-ui  |             at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:384)
kafka-ui  |             at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
kafka-ui  |             at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
kafka-ui  |             at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
kafka-ui  |             at java.base/java.lang.Thread.run(Thread.java:830)
kafka-ui  | Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
kafka-ui  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
kafka-ui  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
kafka-ui  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
kafka-ui  |     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
kafka-ui  |     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
kafka-ui  |     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
kafka-ui  |     at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
kafka-ui  |     at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
kafka-ui  |     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
kafka-ui  |     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247)
kafka-ui  |     at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
kafka-ui  |     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192)
kafka-ui  |     at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1548)
kafka-ui  |     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1394)
kafka-ui  |     at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
kafka-ui  |     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284)
kafka-ui  |     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
kafka-ui  |     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
kafka-ui  |     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
kafka-ui  |     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
kafka-ui  |     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
kafka-ui  |     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
kafka-ui  |     at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:425)
kafka-ui  |     at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
kafka-ui  |     at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
kafka-ui  |     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:384)
kafka-ui  |     at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
kafka-ui  |     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
kafka-ui  |     at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
kafka-ui  |     at java.base/java.lang.Thread.run(Thread.java:830)
kafka-ui  | Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:438)
kafka-ui  |     at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:305)
kafka-ui  |     at java.base/sun.security.validator.Validator.validate(Validator.java:264)
kafka-ui  |     at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
kafka-ui  |     at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
kafka-ui  |     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
kafka-ui  |     ... 31 common frames omitted
kafka-ui  | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
kafka-ui  |     at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
kafka-ui  |     at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
kafka-ui  |     at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:433)
kafka-ui  |     ... 36 common frames omitted

The most important part:

kafka-ui  | org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

whatsupbros commented 2 years ago

The same question applies to the Kafka Connect connection - how do I configure an SSL connection to Kafka Connect Workers?

      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: broker:9093
      KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION: /path/to/truststore.jks
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION: /path/to/keystore.jks
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEY_PASSWORD: secret
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM: PLAIN
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin_secret";'
      KAFKA_CLUSTERS_0_KAFKACONNECT_0_NAME: connect-1
      KAFKA_CLUSTERS_0_KAFKACONNECT_0_ADDRESS: https://kafka-connect:8083

This configuration currently leads to the same issue:

kafka-ui  |     at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:141)
kafka-ui  |     Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
kafka-ui  | Error has been observed at the following site(s):
kafka-ui  |     *__checkpoint ⇢ Request to GET https://kafka-connect:8083/connectors [DefaultWebClient]
kafka-ui  |     *__checkpoint ⇢ Handler com.provectus.kafka.ui.controller.KafkaConnectController#getAllConnectors(String, String, ServerWebExchange) [DispatcherHandler]
kafka-ui  |     *__checkpoint ⇢ com.provectus.kafka.ui.config.CustomWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ com.provectus.kafka.ui.config.ReadOnlyModeFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.web.server.authorization.AuthorizationWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.web.server.authorization.ExceptionTranslationWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.web.server.authentication.logout.LogoutWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.web.server.savedrequest.ServerRequestCacheWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.web.server.context.SecurityContextServerWebExchangeWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.web.server.context.ReactorContextWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.web.server.header.HttpHeaderWriterWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ org.springframework.boot.actuate.metrics.web.reactive.server.MetricsWebFilter [DefaultWebFilterChain]
kafka-ui  |     *__checkpoint ⇢ HTTP GET "/api/clusters/cluster-1/connectors?search=" [ExceptionHandlingWebHandler]
kafka-ui  | Stack trace:
kafka-ui  |             at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:141)
kafka-ui  |             at reactor.core.publisher.MonoErrorSupplied.subscribe(MonoErrorSupplied.java:55)
kafka-ui  |             at reactor.core.publisher.Mono.subscribe(Mono.java:4399)
kafka-ui  |             at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:103)
kafka-ui  |             at reactor.core.publisher.FluxPeek$PeekSubscriber.onError(FluxPeek.java:222)
kafka-ui  |             at reactor.core.publisher.FluxPeek$PeekSubscriber.onError(FluxPeek.java:222)
kafka-ui  |             at reactor.core.publisher.FluxPeek$PeekSubscriber.onError(FluxPeek.java:222)
kafka-ui  |             at reactor.core.publisher.MonoNext$NextSubscriber.onError(MonoNext.java:93)
kafka-ui  |             at reactor.core.publisher.MonoFlatMapMany$FlatMapManyMain.onError(MonoFlatMapMany.java:204)
kafka-ui  |             at reactor.core.publisher.SerializedSubscriber.onError(SerializedSubscriber.java:124)
kafka-ui  |             at reactor.core.publisher.FluxRetryWhen$RetryWhenMainSubscriber.whenError(FluxRetryWhen.java:225)
kafka-ui  |             at reactor.core.publisher.FluxRetryWhen$RetryWhenOtherSubscriber.onError(FluxRetryWhen.java:274)
kafka-ui  |             at reactor.core.publisher.FluxConcatMap$ConcatMapImmediate.drain(FluxConcatMap.java:414)
kafka-ui  |             at reactor.core.publisher.FluxConcatMap$ConcatMapImmediate.onNext(FluxConcatMap.java:251)
kafka-ui  |             at reactor.core.publisher.EmitterProcessor.drain(EmitterProcessor.java:491)
kafka-ui  |             at reactor.core.publisher.EmitterProcessor.tryEmitNext(EmitterProcessor.java:299)
kafka-ui  |             at reactor.core.publisher.SinkManySerialized.tryEmitNext(SinkManySerialized.java:100)
kafka-ui  |             at reactor.core.publisher.InternalManySink.emitNext(InternalManySink.java:27)
kafka-ui  |             at reactor.core.publisher.FluxRetryWhen$RetryWhenMainSubscriber.onError(FluxRetryWhen.java:190)
kafka-ui  |             at reactor.core.publisher.MonoCreate$DefaultMonoSink.error(MonoCreate.java:194)
kafka-ui  |             at reactor.netty.http.client.HttpClientConnect$MonoHttpConnect$ClientTransportSubscriber.onError(HttpClientConnect.java:304)
kafka-ui  |             at reactor.core.publisher.MonoCreate$DefaultMonoSink.error(MonoCreate.java:194)
kafka-ui  |             at reactor.netty.resources.DefaultPooledConnectionProvider$DisposableAcquire.onUncaughtException(DefaultPooledConnectionProvider.java:218)
kafka-ui  |             at reactor.netty.resources.DefaultPooledConnectionProvider$PooledConnection.onUncaughtException(DefaultPooledConnectionProvider.java:467)
kafka-ui  |             at reactor.netty.channel.ChannelOperationsHandler.exceptionCaught(ChannelOperationsHandler.java:129)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:281)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:273)
kafka-ui  |             at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireExceptionCaught(CombinedChannelDuplexHandler.java:424)
kafka-ui  |             at io.netty.channel.ChannelHandlerAdapter.exceptionCaught(ChannelHandlerAdapter.java:92)
kafka-ui  |             at io.netty.channel.CombinedChannelDuplexHandler$1.fireExceptionCaught(CombinedChannelDuplexHandler.java:145)
kafka-ui  |             at io.netty.channel.ChannelInboundHandlerAdapter.exceptionCaught(ChannelInboundHandlerAdapter.java:143)
kafka-ui  |             at io.netty.channel.CombinedChannelDuplexHandler.exceptionCaught(CombinedChannelDuplexHandler.java:231)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:281)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:273)
kafka-ui  |             at reactor.netty.tcp.SslProvider$SslReadHandler.userEventTriggered(SslProvider.java:834)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:346)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:332)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:324)
kafka-ui  |             at io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1259)
kafka-ui  |             at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1240)
kafka-ui  |             at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284)
kafka-ui  |             at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
kafka-ui  |             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
kafka-ui  |             at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
kafka-ui  |             at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
kafka-ui  |             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
kafka-ui  |             at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
kafka-ui  |             at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
kafka-ui  |             at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:425)
kafka-ui  |             at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
kafka-ui  |             at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
kafka-ui  |             at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:384)
kafka-ui  |             at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
kafka-ui  |             at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
kafka-ui  |             at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
kafka-ui  |             at java.base/java.lang.Thread.run(Thread.java:830)
kafka-ui  | Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
kafka-ui  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
kafka-ui  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
kafka-ui  |     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
kafka-ui  |     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
kafka-ui  |     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
kafka-ui  |     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
kafka-ui  |     at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
kafka-ui  |     at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
kafka-ui  |     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
kafka-ui  |     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247)
kafka-ui  |     at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
kafka-ui  |     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192)
kafka-ui  |     at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1548)
kafka-ui  |     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1394)
kafka-ui  |     at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
kafka-ui  |     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284)
kafka-ui  |     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
kafka-ui  |     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
kafka-ui  |     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
kafka-ui  |     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
kafka-ui  |     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
kafka-ui  |     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
kafka-ui  |     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
kafka-ui  |     at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:425)
kafka-ui  |     at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
kafka-ui  |     at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
kafka-ui  |     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:384)
kafka-ui  |     at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
kafka-ui  |     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
kafka-ui  |     at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
kafka-ui  |     at java.base/java.lang.Thread.run(Thread.java:830)
kafka-ui  | Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:438)
kafka-ui  |     at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:305)
kafka-ui  |     at java.base/sun.security.validator.Validator.validate(Validator.java:264)
kafka-ui  |     at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
kafka-ui  |     at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
kafka-ui  |     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
kafka-ui  |     ... 31 common frames omitted
kafka-ui  | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
kafka-ui  |     at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
kafka-ui  |     at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
kafka-ui  |     at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:433)
kafka-ui  |     ... 36 common frames omitted

maka4h commented 2 years ago

Any news about this? Any plan to fix?

Haarolean commented 2 years ago

> Any news about this? Any plan to fix?

yeah, once we get enough bandwidth

djboris9 commented 2 years ago

Working on it in PR https://github.com/provectus/kafka-ui/pull/2832
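
A triage helper for traces like the two posted earlier in this thread, as an added example that is not part of the thread or of kafka-ui: it reduces each exception block to the HTTPS endpoint that failed and the class of TLS failure. It goes beyond the PKIX case shown here by also classifying hostname mismatches and certificate alerts sent by the server in an mTLS setup; the sample log is constructed, and the `ERROR [thread]` header pattern is an assumption based on the single header line in the thread.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample, shortened from the shape of the traces in this thread.
# Event 2 has no "ERROR [...]" header (as in the second pasted trace); event 3
# is invented to show a server rejecting the client certificate during mTLS.
SAMPLE_LOG = """\
kafka-ui  | ERROR [reactor-http-epoll-5] c.p.k.u.s.SchemaRegistryService: Unexpected error
kafka-ui  | org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     *__checkpoint ⇢ Request to GET https://schema-registry:8081/subjects [DefaultWebClient]
kafka-ui  | Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
kafka-ui  | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  |     at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:141)
kafka-ui  |     *__checkpoint ⇢ Request to GET https://kafka-connect:8083/connectors [DefaultWebClient]
kafka-ui  | Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
kafka-ui  | ERROR [reactor-http-epoll-2] c.p.k.u.s.SchemaRegistryService: Unexpected error
kafka-ui  |     *__checkpoint ⇢ Request to GET https://schema-registry:8081/subjects [DefaultWebClient]
kafka-ui  | Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
"""

PREFIX = re.compile(r"^[\w.-]+\s*\|\s?")          # docker compose "service  | " prefix
HEADER = re.compile(r"^[A-Z]+\s+\[[^\]]+\]\s")     # assumed "LEVEL [thread] logger: msg"
REQUEST = re.compile(r"Request to [A-Z]+ (\S+)")   # reactor checkpoint naming the outbound call
EXC = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)): (.*)$")

# First matching rule wins; patterns are standard JSSE exception messages.
RULES = [
    ("untrusted-issuer", r"PKIX path building failed|SunCertPathBuilderException"),
    ("hostname-mismatch", r"No subject alternative|No name matching"),
    ("peer-rejected-our-cert",
     r"Received fatal alert: (bad_certificate|certificate_required|unknown_ca)"),
]

HINTS = {
    "untrusted-issuer": "trust store used by this HTTP client lacks the issuing CA",
    "hostname-mismatch": "server certificate has no name matching the host in the URL",
    "peer-rejected-our-cert": "server sent a certificate alert; check the client key store",
    "other": "TLS failure not covered by the rules above",
}


class Finding(NamedTuple):
    url: str             # endpoint from the "Request to" checkpoint ("" if absent)
    kind: str            # one of the RULES names, or "other"
    root_exception: str  # class of the innermost exception in the chain


def classify(causes: List[Tuple[str, str]]) -> str:
    """Map an exception chain (outermost first) to a failure class."""
    text = " | ".join(f"{cls}: {msg}" for cls, msg in causes)
    for kind, pattern in RULES:
        if re.search(pattern, text):
            return kind
    return "other"


def triage(log_text: str) -> List[Finding]:
    """Split a log into exception events and report the TLS-related ones."""
    events, current = [], None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        req = REQUEST.search(line)
        # New event on a log header, or on a second request checkpoint when
        # the header of the next trace was lost in the paste.
        if current is None or HEADER.match(line) or (req and current["url"]):
            current = {"url": "", "causes": []}
            events.append(current)
        if req:
            current["url"] = req.group(1)
        exc = EXC.match(line)
        if exc:
            current["causes"].append((exc.group(1), exc.group(2)))

    findings = []
    for ev in events:
        if not ev["causes"]:
            continue
        kind = classify(ev["causes"])
        is_tls = any("ssl" in cls.lower() for cls, _ in ev["causes"])
        if kind != "other" or is_tls:
            findings.append(Finding(ev["url"], kind, ev["causes"][-1][0]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.url or '<unknown endpoint>'}: {f.kind} ({HINTS[f.kind]})")
        print(f"    root exception: {f.root_exception}")
```

An `untrusted-issuer` result for the registry or Connect URL while the broker connection works points at the HTTP client's trust store rather than at the certificates themselves.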