strimzi-kafka-operator: [Question] ... No CA found. error while creating kafka cluster with ingress and own CA certificate

I have used my own CA certificate to configure the kafka with ingress.

After spinning up the cluster, the pods go into “CrashLoopBackOff” with the error below.

Detected Zookeeper ID 1
Preparing truststore
Adding /opt/kafka/cluster-ca-certs/ca.crt to truststore /tmp/zookeeper/cluster.truststore.p12 with alias ca
Certificate was added to keystore
Preparing truststore is complete
Looking for the right CA
No CA found. Thus exiting.

I have created the cluster-ca-cert secret with a file containing the certificates and the cluster-ca secret with the key file. The certificates are in the order below:

  1. CA certificate
  2. Intermediate certificate
  3. Root CA certificate

Please guide me here on setting up ingress with own CA certificate.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 27 (11 by maintainers)

Most upvoted comments

@sigma-libra You cannot scale the operands like that. You have to change the number of replicas in the Kafka custom resource.

@tusharbhasme You are not really expected to move from Strimzi CA to custom CA in the middle (at least in a sense that there are no tests covering this etc.). That can definitely cause issues. And in general, if you use Strimzi 0.8, there have been a lot of bugfixes and improvements since.

Hello, I am experiencing a similar issue with strimzi 0.20

I am trying to set up TLS for an external listener. I installed my own certificate by following this section of the documentation.

When creating the new Kafka cluster, I specified the following option: generateCertificateAuthority: false

Here’s the yaml used for creating the kafka cluster:

apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster-tls
spec:
  clusterCa:
    generateCertificateAuthority: false
  kafka:
    replicas: 1
    listeners:
      internal:
        port: 9093
        type: internal
        tls: false
      external:
        port: 9094
        type: nodeport
        tls: true
        overrides:
          bootstrap:
            nodePort: 32200
    storage:
      type: ephemeral
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
  zookeeper:
    replicas: 1
    storage:
      type: ephemeral
  entityOperator:
    topicOperator: {}
    userOperator: {}

After applying this yaml file, a new zookeeper pod is created but crashes immediately. This is the log of the zookeeper container:

Detected Zookeeper ID 1
Preparing truststore
Adding /opt/kafka/cluster-ca-certs/ca.crt to truststore /tmp/zookeeper/cluster.truststore.p12 with alias ca
Certificate was added to keystore
Preparing truststore is complete
Looking for the right CA
No CA found. Thus exiting.

I checked the code that throws this error.

The error comes from this function:

function find_ca {
    for ca in "$1"/*; do
        if openssl verify -CAfile "$ca" "$2" &> /dev/null; then
            echo "$ca"
        fi
    done
}

It seems that the code checks whether there is a chain between a certificate contained in the folder “/opt/kafka/cluster-ca-certs” and the certificate “/opt/kafka/zookeeper-node-certs/$HOSTNAME.crt”.

The folder “/opt/kafka/cluster-ca-certs” is a mount point of the secret “my-cluster-tls-clients-ca-cert”, which contains the certificate I manually installed. However, the certificate “/opt/kafka/zookeeper-node-certs/$HOSTNAME.crt” is from the secret “my-cluster-tls-zookeeper-nodes”, which has been generated automatically by the strimzi operator. These certificates cannot be part of the same chain. That would explain why the openssl verify never succeeds. I have already checked inside the container: the certificate files are present and match the certificates contained in the associated secrets.
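The check that the quoted find_ca function performs can be reproduced outside the cluster with a throw-away PKI. The script below is an added example, not code from the thread's posters or from Strimzi itself (only the find_ca helper is copied verbatim from the comment above); it assumes a POSIX shell and an openssl binary (1.1.1 or newer) and constructs all names, subjects and directories itself. It builds the hierarchy the original post describes (root, intermediate, node certificate), a second self-signed CA standing in for the operator-generated cluster CA, and then runs find_ca over a ca.crt bundle in the three situations that matter: node cert issued under the custom CA with the full chain in the bundle, the same bundle with the root missing, and a node cert issued by the other CA.

```shell
#!/bin/sh
# Added example, not Strimzi's own code: reproduce the find_ca check from the
# Zookeeper start script against a constructed PKI, so the "No CA found"
# failure mode can be inspected outside a pod. Assumes only sh and openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension snippets; openssl x509 -req reads key=value lines from -extfile.
ca_ext()   { printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'; }
leaf_ext() { printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n'; }

# gen_key_csr NAME SUBJECT: fresh RSA key and a CSR for it.
gen_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# self_signed NAME SUBJECT: self-signed root CA with explicit CA extensions.
self_signed() {
    gen_key_csr "$1" "$2"
    ca_ext > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue NAME ISSUER SUBJECT ca|leaf: certificate signed by ISSUER's key.
issue() {
    gen_key_csr "$1" "$3"
    if [ "$4" = ca ]; then ca_ext > "$WORK/$1.ext"; else leaf_ext > "$WORK/$1.ext"; fi
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Verbatim copy of the Strimzi helper quoted in the thread: print every file in
# directory $1 that openssl accepts as a trust bundle for certificate $2.
find_ca() {
    for ca in "$1"/*; do
        if openssl verify -CAfile "$ca" "$2" >/dev/null 2>&1; then
            echo "$ca"
        fi
    done
}

setup_pki() {
    # Custom hierarchy as in the original post: root -> intermediate -> node cert.
    self_signed root '/CN=demo-root'
    issue intermediate root '/CN=demo-intermediate' ca
    issue zk-custom intermediate '/CN=my-cluster-zookeeper-0' leaf

    # A separate self-signed CA standing in for the operator-generated cluster CA,
    # plus a node certificate issued by it (constructed names).
    self_signed operator-ca '/CN=demo-operator-ca'
    issue zk-operator operator-ca '/CN=my-cluster-zookeeper-0' leaf

    # Bundles laid out like /opt/kafka/cluster-ca-certs: one with the full chain
    # (intermediate + root; -CAfile does not care about order), one missing the root.
    mkdir -p "$WORK/cluster-ca-certs" "$WORK/no-root-certs"
    cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/cluster-ca-certs/ca.crt"
    cp  "$WORK/intermediate.crt"                  "$WORK/no-root-certs/ca.crt"
}

# check LABEL DIR LEAF: report whether find_ca would accept any bundle in DIR.
check() {
    if [ -n "$(find_ca "$2" "$3")" ]; then echo "$1: CA found"; else echo "$1: No CA found"; fi
}

setup_pki
check "custom node cert, full bundle"     "$WORK/cluster-ca-certs" "$WORK/zk-custom.crt"
check "custom node cert, root missing"    "$WORK/no-root-certs"    "$WORK/zk-custom.crt"
check "operator node cert, custom bundle" "$WORK/cluster-ca-certs" "$WORK/zk-operator.crt"
```

Only the first case succeeds. The second fails because openssl verify, as invoked by find_ca (no -partial_chain), requires the chain to end at a self-signed certificate inside the bundle, so a ca.crt holding only an intermediate is rejected. The third reproduces the mismatch described in the comment above: a node certificate issued by one CA can never verify against a bundle holding a different CA. A quick way to tell the two failures apart in a running pod is to compare `openssl x509 -noout -issuer -in /opt/kafka/zookeeper-node-certs/$HOSTNAME.crt` with `openssl x509 -noout -subject -in /opt/kafka/cluster-ca-certs/ca.crt`.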