strimzi / strimzi-kafka-operator

Apache Kafka® running on Kubernetes
https://strimzi.io/
Apache License 2.0

[Question/Help] ...Getting SSL_ERROR_RX_RECORD_TOO_LONG when attempting https endpoint from Strimzi/Kafka Connect #4021

Closed gvenkatx closed 3 years ago

gvenkatx commented 3 years ago

Any help/pointer on this is much appreciated

```
[kafka@my-connect-cluster-connect-7795d65d9d-wknn4 kafka]$ curl -svo/dev/null -u admin -X GET 'https://dev68601.service-now.com/api/now/table/cmdb_ci_appl?sysparm_limit=1'
Enter host password for user 'admin':
* About to connect() to dev68601.service-now.com port 443 (#0)
*   Trying 149.96.5.118...
* Connected to dev68601.service-now.com (149.96.5.118) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
```

scholzj commented 3 years ago

Sorry, but I'm not sure I follow the problem. I don't think anyone from Strimzi knows anything about ServiceNow. For me it seems to work fine (apart from not having the right password):

```
[kafka@my-cluster-zookeeper-0 kafka]$ curl -v -svo/dev/null -u admin -X GET 'https://dev68601.service-now.com/api/now/table/cmdb_ci_appl?sysparm_limit=1'
Enter host password for user 'admin':
* About to connect() to dev68601.service-now.com port 443 (#0)
*   Trying 149.96.5.118...
* Connected to dev68601.service-now.com (149.96.5.118) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=*.service-now.com,O="ServiceNow, Inc.",L=San Diego,ST=California,C=US
*   start date: Jul 22 23:55:53 2020 GMT
*   expire date: Apr 01 23:55:53 2021 GMT
*   common name: *.service-now.com
*   issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
* Server auth using Basic with user 'admin'
> GET /api/now/table/cmdb_ci_appl?sysparm_limit=1 HTTP/1.1
> Authorization: Basic YWRtaW46ZGZzc2Roc2RzZmhmaA==
> User-Agent: curl/7.29.0
> Host: dev68601.service-now.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Set-Cookie: JSESSIONID=2E2B82F1CE3E8790797B3B3B692724CA; Path=/; HttpOnly;Secure
* Authentication problem. Ignoring this.
< WWW-Authenticate: BASIC realm="Service-now"
< Pragma: no-store,no-cache
< Cache-control: no-cache,no-store,must-revalidate,max-age=-1
< Expires: 0
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Mon, 30 Nov 2020 18:59:01 GMT
< Server: ServiceNow
< Set-Cookie: BIGipServerpool_dev68601=377575178.58432.0000; path=/; Httponly; Secure
< Strict-Transport-Security: max-age=63072000; includeSubDomains
< Connection: close
<
{ [data not shown]
* Closing connection 0
```

gvenkatx commented 3 years ago

After looking into this further, the issue seems to be http proxy settings. I did the following before executing the curl and it works as expected:

```
export HTTP_PROXY=http://<url>:<port>
export HTTPS_PROXY=http://<url>:<port>
```

How can I make sure that any containers created as part of the Strimzi deployment are created with these proxy settings?
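
Added example, not part of the original thread: one common way to get SSL_ERROR_RX_RECORD_TOO_LONG is that the first bytes coming back on the connection are cleartext rather than a TLS record, so the client reads ASCII as a record header. The sketch below parses that 5-byte header; the function name, prefix list and sample bytes are constructed for illustration.

```python
import struct

# RFC 5246 section 6.2.3: a TLSCiphertext record body is at most 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Openings of common cleartext protocols (illustrative, not exhaustive).
PLAINTEXT_PREFIXES = (b"HTTP/", b"SSH-", b"220 ", b"<html", b"<!DOC")


def classify_first_bytes(data: bytes) -> dict:
    """Read the first bytes a peer sent the way a TLS client would."""
    if len(data) < 5:
        return {"verdict": "short_read", "too_long": False}
    # Record header: content type (1), version major/minor (1+1), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {"content_type": ctype, "version": (major, minor),
            "length": length, "too_long": length > MAX_RECORD_LEN}
    if ctype in CONTENT_TYPES and major == 3 and not info["too_long"]:
        info["verdict"] = "tls_record:" + CONTENT_TYPES[ctype]
    elif data.startswith(PLAINTEXT_PREFIXES):
        info["verdict"] = "plaintext_reply"
    else:
        info["verdict"] = "not_tls"
    return info


# Constructed samples: what a client might receive first on port 443.
SAMPLES = {
    "tls_server_hello": bytes.fromhex("160303005a0200005603"),
    "tls_alert": bytes.fromhex("15030300020228"),
    "cleartext_http": b"HTTP/1.1 400 Bad Request\r\n",
    "cleartext_html": b"<html><body>Access denied</body></html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {classify_first_bytes(raw)}")
```

For the cleartext HTTP sample the length field decodes to 20527 (the bytes `P/`), above the 18432-byte limit, which matches the "record that exceeded the maximum permissible length" wording in the curl output.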

scholzj commented 3 years ago

You can either set them in the Cluster Operator Deployment as env vars and it will pass them on. Or you can use the .spec.template section of the KafkaConnect CR to pass them just to a specific container.

gvenkatx commented 3 years ago

I was able to successfully execute the curl to the https external service from the kafka-connect pod after setting the proxy env vars in the .spec.template section. Unfortunately, I still see the following error when attempting to deploy the following source connector yaml. Any pointers are appreciated.

[Image: Screen Shot 2020-11-30 at 7 14 36 PM]

```
2020-12-01 00:17:49,408 INFO WorkerSourceTask{id=servicenow-source-connector-0} flushing 0 outstanding messages for offset commit (org.apache.kafka.connect.runtime.WorkerSourceTask) [pool-7-thread-4]
2020-12-01 00:17:49,408 ERROR WorkerSourceTask{id=servicenow-source-connector-0} Task threw an uncaught and unrecoverable exception (org.apache.kafka.connect.runtime.WorkerTask) [pool-7-thread-4]
org.apache.kafka.common.config.ConfigException: https://dev68601.service-now.com/api/now/table/cmdb_ci_appl?sysparm_limit=1 is not reachable. Please check the endpoint or network connection
    at io.confluent.connect.servicenow.rest.ServiceNowClientImpl.checkConnectivity(ServiceNowClientImpl.java:135)
    at io.confluent.connect.servicenow.rest.ServiceNowClientImpl.(ServiceNowClientImpl.java:83)
    at io.confluent.connect.servicenow.rest.ServiceNowClientFactory.create(ServiceNowClientFactory.java:11)
    at io.confluent.connect.servicenow.ServiceNowSourceTask.createServiceNowClient(ServiceNowSourceTask.java:348)
    at io.confluent.connect.servicenow.ServiceNowSourceTask.start(ServiceNowSourceTask.java:109)
    at org.apache.kafka.connect.runtime.WorkerSourceTask.execute(WorkerSourceTask.java:198)
    at org.apache.kafka.connect.runtime.WorkerTask.doRun(WorkerTask.java:175)
    at org.apache.kafka.connect.runtime.WorkerTask.run(WorkerTask.java:219)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
2020-12-01 00:17:49,409 ERROR WorkerSourceTask{id=servicenow-source-connector-0} Task is being killed and will not recover until manually restarted (org.apache.kafka.connect.runtime.WorkerTask) [pool-7-thread-4]
2020-12-01 00:17:49,409 INFO [Producer clientId=producer-7] Closing the Kafka producer with timeoutMillis = 30000 ms. (org.apache.kafka.clients.producer.KafkaProducer) [pool-7-thread-4]
```

scholzj commented 3 years ago

I'm not sure how the connector expects the proxy configuration and whether it even supports it. AFAIK not every Java application consumes the HTTP(S)_PROXY env vars. But I have no experience with this particular connector. So this is probably something to ask the authors.

gvenkatx commented 3 years ago

Thank you for your support. I will pose this question on a Confluent forum.