Score:1

zookeeper ssl alert "alert bad certificate"


I am using Kafka (version 2.3.0) and Zookeeper (version 3.5.5-3) - the stable version is 3.6.3.

When I test the SSL of my Zookeeper using this command:

`openssl s_client -showcerts -connect 127.0.0.1:2280 -CAfile /certs/ca-chain.cert.pem`

I get this error:

`140371409225024:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42`

But if I install Zookeeper version 3.5.7 or later, I can add this to my zoo.cnf or zookeeper.properties:

`ssl.clientAuth=want`

and I no longer see any SSL errors.

Any tips/suggestions on how to fix this SSL error without upgrading? (I don't want to update at the moment, to avoid other conflicts like Kafka Cruise Control and others.)

Thanks in advance!

Score:0

Zookeeper until version 3.5.7 expects mutual TLS, i.e. that the client authenticates itself with its own certificate. Only starting with 3.5.7 can it make client certificates optional ("want") or not even request them ("none"). This means the only way for older versions is to actually have client certificates, i.e. the `-cert` and `-key` options for `openssl s_client`.

Thanks for your help. So I used this `openssl s_client -showcerts -connect 55.55.55.55:2280 -CAfile /certs/ca-chain.cert.pem -cert /root/ca/intermediate/certs/intermediate.cert.pem -key /root/ca/intermediate/private/intermediate.key.pem` and it works just fine. But how can I use -cert and -key to connect my Kafka server to Zookeeper?
Steffen Ullrich
@JohnMark: I'm not familiar with Kafka configuration, but from a [quick search](https://www.google.com/search?q=kafka+zookeeper+configuration+client+certificate) it basically looks like putting the client certificates and key into the keystore and letting Kafka use it. The instructions are probably easier to understand for someone who is already familiar with Kafka and Zookeeper.
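
The mutual-TLS behaviour described in the answer can be reproduced locally without Zookeeper. The script below is an added example, not part of the original thread: it uses `openssl s_server` as a stand-in for a server that requires client certificates, and the port, file names and CNs are constructed for the demo. TLS 1.2 is pinned so the rejection happens during the handshake.

```shell
#!/bin/sh
# Added example: throwaway PKI plus a local TLS server that REQUIRES a client
# certificate. Port, directory and CNs are constructed for this demo.
PORT=24433
D=$(mktemp -d)

make_cert() {  # make_cert <name>: key + certificate signed by the demo CA
    openssl req -newkey rsa:2048 -nodes -keyout "$D/$1.key" -out "$D/$1.csr" \
        -subj "/CN=$1" 2>/dev/null &&
    openssl x509 -req -in "$D/$1.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
        -CAcreateserial -out "$D/$1.pem" -days 1 2>/dev/null
}

# try_client [extra s_client options]: prints "accepted" or "rejected"
try_client() {
    if openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
        -CAfile "$D/ca.pem" "$@" </dev/null >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

mtls_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$D/ca.key" \
        -out "$D/ca.pem" -subj "/CN=demo-ca" -days 1 2>/dev/null || return 1
    make_cert server && make_cert client || return 1
    # -Verify (capital V) makes the client certificate mandatory;
    # lowercase -verify would only request one (the optional mode).
    openssl s_server -accept "127.0.0.1:$PORT" -www -tls1_2 \
        -cert "$D/server.pem" -key "$D/server.key" \
        -CAfile "$D/ca.pem" -Verify 1 >/dev/null 2>&1 &
    srv=$!
    sleep 1   # give the server time to start listening
    without=$(try_client)
    with=$(try_client -cert "$D/client.pem" -key "$D/client.key")
    kill "$srv" 2>/dev/null
    rm -rf "$D"
    echo "without-cert:$without with-cert:$with"
}

RESULT=$(mtls_demo)
echo "$RESULT"
```
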