tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0
3.41k stars 659 forks

SASL Config works for a little then throws certificate errors for only the AdminClient #1014

Open apatel0708 opened 2 years ago

apatel0708 commented 2 years ago

When AKHQ starts up, it works fine for about 15-45 mins (varies). Then it starts to throw the following.

```
2022-02-04 23:37:50,939 WARN  inclient-1 c.a.i.AdminMetadataManager [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

Below are our AKHQ settings.

```yaml
logger:
  levels:
    root: DEBUG
    javax.net.ssl: DEBUG

micronaut:
  server:
   context-path: /akhq

  security:
   enabled: false
akhq:
  security:
    default-group: reader
  connections:
    dev:
      properties:
        bootstrap.servers: ${KAFKA_BROKER}
        security.protocol: SASL_SSL
        ssl.truststore.location: ${CLUSTER_CA}
        ssl.keystore.location: ${CLIENT_CA}
        ssl.truststore.password: ${CLUSTER_PW}
        ssl.keystore.password: ${CLIENT_PW}
        ssl.truststore.type: JKS
        ssl.keystore.type: JKS
        ssl.endpoint.identification.algorithm: ""
        enable.ssl.certificate.verification: false
        sasl.mechanism: SCRAM-SHA-512
        sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="${USERNAME}" password="${USER_PASS}";
```

tchiotludo commented 2 years ago

The error seems to say that your truststore doesn't contain the expected hostname.
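
An added example, not part of the thread and not AKHQ code: a small lint over the TLS-related connection properties posted in the issue. It relies on two facts about the Kafka Java client that AKHQ uses: `enable.ssl.certificate.verification` is a librdkafka setting that the Java client does not read, so certificate chain validation against the truststore stays on, and an empty `ssl.endpoint.identification.algorithm` disables hostname verification. The `lint` function and its finding names are hypothetical.

```python
"""Lint TLS-related Kafka Java-client properties (added example, not AKHQ code)."""

# librdkafka keys: the Java client logs them as unknown configs and ignores them.
LIBRDKAFKA_ONLY = {
    "enable.ssl.certificate.verification",
    "ssl.ca.location",
    "ssl.certificate.location",
    "ssl.key.location",
}
TLS_PROTOCOLS = {"SSL", "SASL_SSL"}
HOSTNAME_KEY = "ssl.endpoint.identification.algorithm"


def lint(props):
    """Return sorted (property, finding) pairs; finding names are hypothetical."""
    protocol = str(props.get("security.protocol", "PLAINTEXT")).upper()
    if protocol not in TLS_PROTOCOLS:
        return [("security.protocol", "no-tls")]
    findings = [(k, "ignored-by-java-client") for k in props if k in LIBRDKAFKA_ONLY]
    # The default is "https"; an explicit empty value turns hostname checks off.
    algo = props.get(HOSTNAME_KEY)
    if algo is not None and str(algo).strip() == "":
        findings.append((HOSTNAME_KEY, "hostname-verification-disabled"))
    # Without a configured truststore the JVM default trust store is used.
    if not (props.get("ssl.truststore.location") or props.get("ssl.truststore.certificates")):
        findings.append(("ssl.truststore.location", "jvm-default-truststore"))
    return sorted(findings)


# Constructed from the connection properties posted in the issue.
POSTED = {
    "security.protocol": "SASL_SSL",
    "ssl.truststore.location": "${CLUSTER_CA}",
    "ssl.truststore.type": "JKS",
    HOSTNAME_KEY: "",
    "enable.ssl.certificate.verification": False,
    "sasl.mechanism": "SCRAM-SHA-512",
}
# Constructed variant: drop the ignored key and keep the default hostname check.
CORRECTED = {k: v for k, v in POSTED.items()
             if k not in LIBRDKAFKA_ONLY and k != HOSTNAME_KEY}

if __name__ == "__main__":
    for name, props in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, lint(props))
```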