AKHQ SSL Issue on Openshift #893

jains20171 · 2021-10-29T14:13:39Z

jains20171
Oct 29, 2021

Hi,

I am running AKHQ using a docker image that I built on Openshift 4.7 using AKHQ Jar (Rel.0.18.0). I am connecting to my kafka cluster using SSL certificate generated by Strimzi on Openshift. The application comes up and shows the Kafka topics etc. After some time i am getting SSL handshake errors from the admin client and the application becomes inoperational. Below is my configuration and the error message. Also attaching one full
akhq-log-latest.txt
log from startup. Any help to resolve this is appreciated.

Config:

logger:
  levels:
    root: DEBUG

micronaut:
 server:
   context-path: /akhq

 security:
   enabled:false  
akhq:
  security:
    default-group: reader 
  connections:
    dev:
      properties:
        bootstrap.servers: secure-esp-dev-cluster-kafka-tls-bootstrap-strimzi-dev.apps.cbercss.preprod.fda.gov:443
        security.protocol: SASL_SSL
        ssl.truststore.location: /tmp/cluster-jks-certs/ca.jks
        ssl.truststore.password: <some pswd>
        ssl.truststore.type: JKS
        ssl.endpoint.identification.algorithm: ""
        sasl.mechanism: SCRAM-SHA-512
        sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="userid" password="pswd";
        adminclient.security.protocol: SASL_SSL

Error:

2021-10-29 04:21:11,746 �[39mDEBUG�[0;39m �[35m-thread-44�[0;39m �[36morg.akhq.utils.Logger     �[0;39m 0 ms -> Get nodes
2021-10-29 04:21:11,746 �[39mDEBUG�[0;39m �[35m-thread-44�[0;39m �[36morg.akhq.utils.Logger     �[0;39m 0 ms -> Get contoller
2021-10-29 04:21:11,770 �[1;31mERROR�[0;39m �[35minclient-1�[0;39m �[36mo.a.k.c.NetworkClient     �[0;39m [AdminClient clientId=adminclient-1] Connection to node 1 (secure-esp-dev-cluster-kafka-tls-1-strimzi-dev.apps.cbercss.preprod.fda.gov/10.173.28.68:443) failed authentication due to: SSL handshake failed
2021-10-29 04:21:11,770 �[31mWARN �[0;39m �[35minclient-1�[0;39m �[36mc.a.i.AdminMetadataManager�[0;39m [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430)
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514)
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368)
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291)
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
	at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:561)
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1333)
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1264)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1307)
	... 19 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 25 common frames omitted
2021-10-29 04:21:11,772 �[31mWARN �[0;39m �[35m-thread-44�[0;39m �[36morg.akhq.log.access       �[0;39m [Date: 2021-10-29T04:21:11.551706Z] [Duration: 220 ms] [Url: GET /akhq/api/dev/topic] [Status: 500] [Ip: /127.0.0.1] [User: -]
2021-10-29 04:21:11,772 �[39mDEBUG�[0;39m �[35m-thread-44�[0;39m �[36m.s.n.RoutingInBoundHandler�[0;39m Found matching exception handler for exception [Error for List Log dir]:  Throwable -> ErrorController#HttpResponse error(HttpRequest request,Throwable e)
2021-10-29 04:21:11,772 �[1;31mERROR�[0;39m �[35mpGroup-1-3�[0;39m �[36mo.a.c.ErrorController     �[0;39m Error for List Log dir
java.lang.RuntimeException: Error for List Log dir
	at org.akhq.utils.Logger.call(Logger.java:31)
	at org.akhq.modules.AbstractKafkaWrapper.describeLogDir(AbstractKafkaWrapper.java:246)
	at org.akhq.modules.$KafkaWrapperRequestScopeDefinition$$exec12.invokeInternal(Unknown Source)
	at io.micronaut.context.AbstractExecutableMethod.invoke(AbstractExecutableMethod.java:151)
	at io.micronaut.aop.chain.MethodInterceptorChain.proceed(MethodInterceptorChain.java:87)
	at org.akhq.modules.$KafkaWrapperRequestScopeDefinition$Intercepted.describeLogDir(Unknown Source)
	at org.akhq.repositories.LogDirRepository.list(LogDirRepository.java:24)
	at org.akhq.repositories.LogDirRepository.findByTopic(LogDirRepository.java:36)
	at org.akhq.repositories.TopicRepository.findByName(TopicRepository.java:118)
	at org.akhq.repositories.TopicRepository.lambda$list$0(TopicRepository.java:62)
	at org.akhq.utils.PagedList.of(PagedList.java:70)
	at org.akhq.repositories.TopicRepository.list(TopicRepository.java:62)
	at org.akhq.controllers.TopicController.list(TopicController.java:81)
	at org.akhq.controllers.$TopicControllerDefinition$$exec1.invokeInternal(Unknown Source)
	at io.micronaut.context.AbstractExecutableMethod.invoke(AbstractExecutableMethod.java:151)
	at io.micronaut.context.DefaultBeanContext$4.invoke(DefaultBeanContext.java:482)
	at io.micronaut.web.router.AbstractRouteMatch.execute(AbstractRouteMatch.java:303)
	at io.micronaut.web.router.RouteMatch.execute(RouteMatch.java:121)
	at io.micronaut.http.server.netty.RoutingInBoundHandler.emitRouteResponse(RoutingInBoundHandler.java:1533)
	at io.micronaut.http.server.netty.RoutingInBoundHandler.access$2100(RoutingInBoundHandler.java:151)
	at io.micronaut.http.server.netty.RoutingInBoundHandler$6$1.request(RoutingInBoundHandler.java:1500)
	at io.micronaut.http.server.netty.async.ContextCompletionAwareSubscriber.doOnSubscribe(ContextCompletionAwareSubscriber.java:49)
	at io.micronaut.core.async.subscriber.CompletionAwareSubscriber.onSubscribe(CompletionAwareSubscriber.java:38)
	at io.micronaut.configuration.metrics.binder.web.WebMetricsPublisher$1.onSubscribe(WebMetricsPublisher.java:162)
	at org.akhq.middlewares.HttpServerAccessLogFilter$HttpServerPublisher$1.onSubscribe(HttpServerAccessLogFilter.java:133)
	at io.micronaut.http.server.netty.RoutingInBoundHandler$6.doSubscribe(RoutingInBoundHandler.java:1488)
	at io.micronaut.http.server.netty.RoutingInBoundHandler$6.lambda$subscribe$0(RoutingInBoundHandler.java:1482)
	at io.micrometer.core.instrument.composite.CompositeTimer.record(CompositeTimer.java:79)
	at io.micrometer.core.instrument.Timer.lambda$wrap$0(Timer.java:157)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
	at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430)
	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514)
	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368)
	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291)
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
	at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:561)
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1333)
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1264)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1307)
	... 19 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 25 common frames omitted

Answered by tchiotludo

Oct 29, 2021

Ok seems to be a valid jks.
One thing I didn't mention, you don't provide client in the configuration :

akhq:
  connections:
    ssl-dev:
      properties:
        bootstrap.servers: "{{host}}.aivencloud.com:12835"
        security.protocol: SSL
        ssl.truststore.location: {{path}}/avnadmin.truststore.jks
        ssl.truststore.password: {{password}}
        ssl.keystore.type: "PKCS12"
        ssl.keystore.location: {{path}}/avnadmin.keystore.p12
        ssl.keystore.password: {{password}}
        ssl.key.password: {{password}}

I'm not an expert of kafka ssl, but I never see a connection without ssl.keystore.type ?

View full answer

jains20171 · 2021-10-29T14:56:40Z

jains20171
Oct 29, 2021
Author

forgot to mention we are on java 11 and Strimzi 0.25 and kafka 2.8

0 replies

tchiotludo · 2021-10-29T15:36:12Z

tchiotludo
Oct 29, 2021
Maintainer

not really sure, but as I understand the stacktrace, the jks is not valid for this hostname :

unable to find valid certification path to requested target

Some command to understand the issue :

keytool -printcert -v -file mydomain.crt
keytool -list -v -keystore keystore.jks
keytool -list -v -keystore cacerts.jks

0 replies

jains20171 · 2021-10-29T16:07:38Z

jains20171
Oct 29, 2021
Author

I had to convert the PKCS12 certificate(generated by Strimzi) to JKS because the application gave me an error with PKCS12 certificate type. I can send you that message if needed.

Here is output of commands you mentioned.

1.

keytool -printcert -v -file ca.crt
Owner: CN=cluster-ca v0, O=io.strimzi
Issuer: CN=cluster-ca v0, O=io.strimzi
Serial number: 3825a921c9acd085509cba5dd2b9a56020c7c058
Valid from: Thu Oct 14 18:05:47 EDT 2021 until: Fri Oct 14 18:05:47 EDT 2022
Certificate fingerprints:
         SHA1: 28:4D:C7:D5:B1:C2:7A:CF:B3:DA:AE:20:4E:7C:1F:00:91:0D:5E:C8
         SHA256: B7:10:CF:BE:E8:4F:B2:8B:1D:8C:37:27:17:C7:A3:17:DD:AE:E7:51:7B:29:7D:E2:66:91:CE:BF:96:78:27:1A
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4D CB 44 2B 62 F8 9E 99   B2 44 C6 42 76 D0 7E 04  M.D+b....D.Bv...
0010: 01 FC 6E CD                                        ..n.
]
]

2.

keytool -list -v -keystore ca.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: ca
Creation date: Oct 28, 2021
Entry type: trustedCertEntry

Owner: CN=cluster-ca v0, O=io.strimzi
Issuer: CN=cluster-ca v0, O=io.strimzi
Serial number: 3825a921c9acd085509cba5dd2b9a56020c7c058
Valid from: Thu Oct 14 18:05:47 EDT 2021 until: Fri Oct 14 18:05:47 EDT 2022
Certificate fingerprints:
         SHA1: 28:4D:C7:D5:B1:C2:7A:CF:B3:DA:AE:20:4E:7C:1F:00:91:0D:5E:C8
         SHA256: B7:10:CF:BE:E8:4F:B2:8B:1D:8C:37:27:17:C7:A3:17:DD:AE:E7:51:7B:29:7D:E2:66:91:CE:BF:96:78:27:1A
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4D CB 44 2B 62 F8 9E 99   B2 44 C6 42 76 D0 7E 04  M.D+b....D.Bv...
0010: 01 FC 6E CD                                        ..n.
]
]

3
Unable to process this command on server due to access issue

Let me know if you need more information. Thanks for your help

0 replies

tchiotludo · 2021-10-29T19:33:25Z

tchiotludo
Oct 29, 2021
Maintainer

Ok seems to be a valid jks.
One thing I didn't mention, you don't provide client in the configuration :

akhq:
  connections:
    ssl-dev:
      properties:
        bootstrap.servers: "{{host}}.aivencloud.com:12835"
        security.protocol: SSL
        ssl.truststore.location: {{path}}/avnadmin.truststore.jks
        ssl.truststore.password: {{password}}
        ssl.keystore.type: "PKCS12"
        ssl.keystore.location: {{path}}/avnadmin.keystore.p12
        ssl.keystore.password: {{password}}
        ssl.key.password: {{password}}

I'm not an expert of kafka ssl, but I never see a connection without ssl.keystore.type ?

0 replies

jains20171 · 2021-10-29T19:44:17Z

jains20171
Oct 29, 2021
Author

Thanks for your feedback. keystore is required if you are doing two way TLS authentication. For us it is important that the traffic in flight is encrypted, which truststore SSL is doing for us. At this time I believe I will just add my SSL certificate to the java cacerts store and hopefully the error will go away. I will keep you posted

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AKHQ SSL Issue on Openshift #893

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 5 comments

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

AKHQ SSL Issue on Openshift #893

jains20171 Oct 29, 2021

Replies: 5 comments

jains20171 Oct 29, 2021 Author

tchiotludo Oct 29, 2021 Maintainer

jains20171 Oct 29, 2021 Author

tchiotludo Oct 29, 2021 Maintainer

jains20171 Oct 29, 2021 Author

jains20171
Oct 29, 2021

jains20171
Oct 29, 2021
Author

tchiotludo
Oct 29, 2021
Maintainer

jains20171
Oct 29, 2021
Author

tchiotludo
Oct 29, 2021
Maintainer

jains20171
Oct 29, 2021
Author