php-rdkafka: Can't connect to broker with SSL_SASL

  • PHP version: 7.3
  • librdkafka version: 0.9.3
  • php-rdkafka version: 3.1.0-dev
  • OS used: Debian 9

I can’t seem to connect to a remote Kafka broker when using SASL_SSL. Whenever I try I get this: "…/ssl/ssl_rsa.c:615: error:140DC002:SSL routines:use_certificate_chain_file:system lib: "

My config:

    'kafka' => [
        'common' => [
            'metadata.broker.list' => 'my.nice.broker.com:9095',
//            'bootstrap.servers' => ['my.nice.broker.com:9095'],
            'group.id' => 'GroupId',
            'security.protocol' => 'SASL_SSL',
            'sasl.mechanisms' => "SCRAM-SHA-256",
            'ssl.key.location' => __DIR__ . '/Certificates/client.key',
            'ssl.certificate.location' =>  __DIR__ . '/Certificates/client.cer.pem',
            'ssl.ca.location' =>__DIR__ . '/Certificates/',
            'ssl.key.password' => 'herebedragons',
            'sasl.password' => 'test1',
            'sasl.username' => 'test1',
        ],    
    ],

Certificate is self-signed, was extracted from JKS file.

Thinking it is a wrong config, I tried removing ssl.key.location and ssl.certificate.location. It somewhat worked in the sense that I don’t get an exception, but I’m still unable to draw messages in (consume returns null while there should be messages on the other side). rd_kafka_errno() returns error 115, which I couldn’t get much info on. And the consumeStop function seems to hang PHP for good.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 16 (1 by maintainers)

Most upvoted comments

@nick-zh oh, I forgot about it!

    'kafka' => [
        'common' => [
            'metadata.broker.list' => 'my.nice.server:9095',
            'group.id' => 'groupid',
            'security.protocol' => 'SASL_SSL',
            'sasl.mechanisms' => "SCRAM-SHA-256",
            'ssl.certificate.location' => __DIR__ . '/Certificates/all/client.cer.pem',
            'ssl.ca.location' => __DIR__ . '/Certificates/all/client.cer.pem',
            'ssl.key.password' => 'keystoragepassword',
            'sasl.password' => 'saslpassword',
            'sasl.username' => 'sasllogin',
        ],
    ]

Key part is:

    'ssl.certificate.location' => __DIR__ . '/Certificates/all/client.cer.pem',
    'ssl.ca.location' => __DIR__ . '/Certificates/all/client.cer.pem',

We’re using self-signed certificate (extracted from jks storage) for our test machine.
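As an added example (not code from the thread or from the php-rdkafka project), a PHP pre-flight check that validates the certificate, key and CA paths and the key password before they reach librdkafka, so a wrong path or format is reported plainly instead of as an opaque OpenSSL "use_certificate_chain_file" error; the file names and environment variable names are assumptions.

```php
<?php
// Added example, not from the thread: check the SSL material up front.
// File names below are placeholders; credentials come from the environment.

function validateSslMaterial(array $cfg): array
{
    $problems = [];
    // ssl.certificate.location and ssl.key.location must each be a readable file.
    foreach (['ssl.certificate.location', 'ssl.key.location'] as $key) {
        if (isset($cfg[$key]) && !is_file($cfg[$key])) {
            $problems[] = "$key is not a file: {$cfg[$key]}";
        }
    }
    // librdkafka accepts a file or a directory for ssl.ca.location, but it must exist.
    if (isset($cfg['ssl.ca.location']) && !file_exists($cfg['ssl.ca.location'])) {
        $problems[] = "ssl.ca.location does not exist: {$cfg['ssl.ca.location']}";
    }
    if ($problems) return $problems;
    $cert = openssl_x509_read(file_get_contents($cfg['ssl.certificate.location']));
    if ($cert === false) return ['ssl.certificate.location is not a PEM X.509 certificate'];
    // The key must decrypt with ssl.key.password and belong to that certificate.
    $key = openssl_pkey_get_private(file_get_contents($cfg['ssl.key.location']), $cfg['ssl.key.password'] ?? null);
    if ($key === false) return ['ssl.key.location: cannot load key (not PEM, or wrong ssl.key.password)'];
    if (!openssl_x509_check_private_key($cert, $key)) {
        return ['ssl.key.location: private key does not match ssl.certificate.location'];
    }
    return [];
}

$cfg = [
    'metadata.broker.list'     => 'my.nice.broker.com:9095',
    'group.id'                 => 'GroupId',
    'security.protocol'        => 'SASL_SSL',
    'sasl.mechanisms'          => 'SCRAM-SHA-256',
    'ssl.ca.location'          => __DIR__ . '/Certificates/ca.pem',        // placeholder path
    'ssl.certificate.location' => __DIR__ . '/Certificates/client.cer.pem', // placeholder path
    'ssl.key.location'         => __DIR__ . '/Certificates/client.key',     // placeholder path
    'ssl.key.password'         => getenv('KAFKA_SSL_KEY_PASSWORD') ?: '',
    'sasl.username'            => getenv('KAFKA_SASL_USERNAME') ?: '',
    'sasl.password'            => getenv('KAFKA_SASL_PASSWORD') ?: '',
];
if ($problems = validateSslMaterial($cfg)) {
    fwrite(STDERR, implode(PHP_EOL, $problems) . PHP_EOL);
    exit(1);
}
$conf = new RdKafka\Conf();
foreach ($cfg as $k => $v) { $conf->set($k, $v); }
$consumer = new RdKafka\KafkaConsumer($conf); // only reached with consistent material
```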

Thanks @ledocool for the quick answer! I have KeyStore Explorer and I can explore both .p12 certificates. Do you know exactly which PEM certificates I need to extract from the p12?

Based on your previous comment:

  • ssl.ca.location certificate from keystore.p12?
  • ssl.key.location certificate from keystore.p12?
  • ssl.keystore.location certificate from truststore.p12?

Is that right?

More likely the CA is in the truststore, while the pem and key are in the keystore, though. But it's just a hunch.

@ledocool

KeyStore actually helped me. I found the issue by analyzing the truststore.jks. It did not contain certs for several of the brokers listed in the documentation, thus the failure.

Thanks for your help and the quick reply. Cheers.

@nick-zh yes, fiddling with certificates helped. I’m posting my configuration later because I think this may be of help to someone.