Closed saloni-2404 closed 3 years ago
Can you describe how did you created the keystore and truststore files?
Pasting them as used:
kubectl get secrets -n kafka-saloni-test my-cluster1-cluster-ca-cert -o jsonpath='{.data.ca.crt}' | base64 -id > ca.crt
keytool -import -file ca.crt -keystore client.truststore.p12 -alias ca -storepass 1234567 -noprompt
kubectl cp client.truststore.p12 -n kafka-saloni-test my-cluster1-kafka-0:/tmp
kubectl get secrets -n kafka-saloni-test my-user5 -o jsonpath='{.data.user.crt}' | base64 -id > user.crt
kubectl get secrets -n kafka-saloni-test my-user5 -o jsonpath='{.data.user.key}' | base64 -id > user.key
openssl pkcs12 -export -in user.crt -inkey user.key -name user.p12 -password pass:1234567 -out producer.p12
keytool -importkeystore -alias user.p12 -deststorepass 1234567 -destkeystore producer.keystore.p12 -srcstorepass 1234567 -srckeystore producer.p12 -srcstoretype PKCS12 -deststoretype PKCS12
kubectl cp producer.keystore.p12 -n kafka-saloni-test my-cluster1-kafka-0:/tmp
kubectl get secrets -n kafka-saloni-test my-user4 -o jsonpath='{.data.user.crt}' | base64 -id > user.crt
kubectl get secrets -n kafka-saloni-test my-user4 -o jsonpath='{.data.user.key}' | base64 -id > user.key
openssl pkcs12 -export -in user.crt -inkey user.key -name user.p12 -password pass:1234567 -out consumer.p12
keytool -importkeystore -alias user.p12 -deststorepass 1234567 -destkeystore consumer.keystore.p12 -srcstorepass 1234567 -srckeystore consumer.p12 -srcstoretype PKCS12 -deststoretype PKCS12
kubectl cp consumer.keystore.p12 -n kafka-saloni-test my-cluster1-kafka-0:/tmp
The error from the application basically says it cannot read the truststore. The command looks fine on the first look. But I wonder if you need to add there the type as well ... something like -storetype PKCS12. Maybe you should give it a try, I do not think the keytool will detect the storetype just from the file extension so it will probably have JKS format.
ok let me try this and let you know how that goes: keytool -importkeystore -alias user.p12 -deststorepass 1234567 -destkeystore producer.keystore.p12 -srcstorepass 1234567 -srckeystore producer.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -storetype PKCS12
I meant it mainly for the first command since that is where it was failing right now. For the keystores, the p12 files produced by openssl should work fine.
This helped! Thanks a lot. keytool -import -file ca.crt -keystore client.truststore.p12 -alias ca -storepass 1234567 -noprompt -storetype PKCS12
Great, glad it helped. Can we close this if it works now?
Yes sure! Thanks :) :)
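Whether keytool writes JKS or PKCS#12 when -storetype is omitted depends on the JDK's default keystore type, not on the .p12 extension, so the reliable check is to look at what the file actually contains. The script below is an added example, not code from this thread or from Strimzi; it classifies a store by its leading bytes (JKS and JCEKS magic numbers, or a DER SEQUENCE whose first child is the PKCS#12 version INTEGER 3), and the two sample byte strings are constructed stand-ins rather than real stores.

```python
"""Detect whether a keystore file is JKS, JCEKS or PKCS#12 from its leading bytes."""
import sys

JKS_MAGIC = b"\xfe\xed\xfe\xed"    # every JKS store begins with this 4-byte magic
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # JCEKS (keytool -storetype JCEKS) magic
PFX_VERSION = b"\x02\x01\x03"      # DER INTEGER 3: the PFX.version field of PKCS#12


def _der_length(data: bytes, pos: int):
    """Decode the DER length field starting at pos; return (length, next_pos)."""
    first = data[pos]
    if first < 0x80:                       # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                       # long form: n following bytes hold the length
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        raise ValueError("malformed DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def detect_keystore_type(data: bytes) -> str:
    """Return 'JKS', 'JCEKS', 'PKCS12' or 'unknown' for the given file contents."""
    if len(data) < 4:
        return "unknown"
    if data[:4] == JKS_MAGIC:
        return "JKS"
    if data[:4] == JCEKS_MAGIC:
        return "JCEKS"
    if data[0] != 0x30:                    # PKCS#12 is DER; the outer element is a SEQUENCE
        return "unknown"
    try:
        length, pos = _der_length(data, 1)
    except ValueError:
        return "unknown"
    if pos + length != len(data):          # the outer SEQUENCE must span the whole file
        return "unknown"
    # PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, macData OPTIONAL }
    return "PKCS12" if data[pos:pos + 3] == PFX_VERSION else "unknown"


# Constructed stand-ins (not real stores): a JKS header with version 2, and a
# PKCS#12 outer SEQUENCE of 256 bytes whose first child is the version INTEGER 3.
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 8
SAMPLE_PKCS12 = b"\x30\x82\x01\x00" + PFX_VERSION + b"\x00" * 253

if __name__ == "__main__":
    # Usage: python detect_store.py client.truststore.p12 producer.keystore.p12
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, detect_keystore_type(f.read()))
```

A store reported as JKS while the client config says ssl.truststore.type=PKCS12 is exactly the mismatch that produces the "cannot read the truststore" error discussed above.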
Here is my Kafka.yaml: kafkaYaml: |-
My kafka-user.yaml:
kafkauserYaml: |-
Other user: kafkauserYaml: |-
Using my-user5 for producer, my-user6 for consumer.
I have run the following commands after copying the certs:
Unable to produce/consume. Error: