TLS Certificat problem with Kafka using kafka-go


(Goku736 ) #1

Hello everyone,

I need a TLS connection with my client by using truststore and keystore. My stores are in P12 format. My Keystore has only one private and one public key. My Truststore has only a cluster certificate.

My problem is, that I don’t get a connection to my ssl-Kafka. From the Kafka logs I see a handshake fail

Below is my code. Maybe there is a config problem? Does anyone know how I can print the error? Or maybe where is the error with my config? I use kafka-go for the communication.

getKafkaReader(topic string) *kafka.Reader {

    if consumer == nil {
        consumer = kafka.NewReader(kafka.ReaderConfig{
            Brokers:     []string{kafkaConfig.Host},
            GroupID:     os.Getenv("KAFKA_CONSUMER_GROUP"),
            Topic:       topic,
            Partition:   0,
            MinBytes:    10e2, // 1KB
            MaxBytes:    10e5, // 1MB
            Dialer:      getDialer(),
        })
    }
    return consumer
}

func getDialer() *kafka.Dialer {

    dialer := &kafka.Dialer{
        Timeout:   5 * time.Second,
        DualStack: true,
        TLS:       tlsConfig(),
    }

    return dialer
}

func tlsConfig() *tls.Config {

    // Keystore
    keys, _ := ioutil.ReadFile(kafkaConfig.KeyStoreLocation)
    blocks, err := p12.ToPEM(keys, kafkaConfig.KeyStorePassword)
    if err != nil {
        log.Fatal(err.Error())
    }

    var pemData []byte
    for test, b := range blocks {
        _ = test
        pemData = append(pemData, pem.EncodeToMemory(b)...)
    }

    cert, err := tls.X509KeyPair(pemData, pemData)
    if err != nil {
        log.Fatal(err.Error())
    }
   //Truststore
    caCert, err := ioutil.ReadFile("./certificates/ca.pem")
    if err != nil {
        log.Fatal(err)
    }

    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)

    config := &tls.Config{
        Certificates: []tls.Certificate{cert},
        RootCAs:      caCertPool,
    }
    return config
}


(Goku736 ) #2

I noticed that i have selfsigned certificates. I needed

tlsConfig.InsecureSkipVerify = true