We are getting an SSL error sending to Kafka from Logstash. We generated a CSR, which was signed by the Kafka CA. Then we took the public and private key and converted them to PKCS12 format with openssl with something like this:
openssl pkcs12 -export -in cert-with-chain.pem -inkey cert.key -name "<name>" -out keystore.p12
Then we took the p12 file and created a JKS with this:
keytool -importkeystore -srckeystore src.keystore -srcstoretype pkcs12 -srcalias "<alias>" -destkeystore dest.keystore -deststoretype jks
For the truststore, we used the Root CA public key and imported it into a JKS as well. If anyone has any tips on where to look next, or how to troubleshoot this error, it would be greatly appreciated.
Here is the error message from our logstash log:
[2022-08-19T15:08:06,615][INFO ][org.apache.kafka.common.network.Selector] [Producer clientId=producer-1] Failed authentication with soc-queue-prod-02.it.vt.edu/198.82.161.168 (SSL handshake failed)
[2022-08-19T15:08:06,615][ERROR][org.apache.kafka.clients.NetworkClient] [Producer clientId=producer-1] Connection to node -2 (soc-queue-prod-02.it.vt.edu/198.82.161.168:9092) failed authentication due to: SSL handshake failed
[2022-08-19T15:08:06,615][WARN ][org.apache.kafka.clients.NetworkClient] [Producer clientId=producer-1] Bootstrap broker soc-queue-prod-02.it.vt.edu:9092 (id: -2 rack: null) disconnected
Here is our output plugin:
output {
  if [module] =~ "zeek" and [dataset] =~ "conn" {
    kafka {
      id => "events_to_kafka"
      bootstrap_servers => "soc-queue-prod-01.it.vt.edu:9092,soc-queue-prod-02.it.vt.edu:9092,soc-queue-prod-03.it.vt.edu:9092,soc-queue-prod-04.it.vt.edu:9092,soc-queue-prod-05.it.vt.edu:9092,soc-queue-prod-06.it.vt.edu:9092,soc-queue-prod-07.it.vt.edu:9092,soc-queue-prod-08.it.vt.edu:9092,soc-queue-prod-09.it.vt.edu:9092"
      topic_id => "soc-queue-itso"
      codec => "json"
      security_protocol => "SSL"
      ssl_keystore_location => "/usr/share/logstash/data/cliffbar.iso.vt.edu.jks"
      ssl_keystore_password => "password"
      ssl_truststore_location => "/usr/share/logstash/data/LAAca.jks"
      #ssl_truststore_location => "/opt/logstash/certs/LAAca.jks"
      ssl_truststore_password => "password"
      retries => 0
      ssl_endpoint_identification_algorithm => ""
    }
  }
}
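The keystore and truststore build described in the post, reproduced end to end with the offline checks a practitioner would run before blaming Logstash. This is an added example, not code from the original post or from the Logstash or Kafka projects: it creates a throwaway CA that merely stands in for the real Kafka CA, and the file names, the `logstash` alias, the CN values, the `password` keystore password and the `$WORK` directory are all placeholders. It needs the openssl CLI; keytool is optional.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA and a
# client certificate signed by it, package them into a PKCS12 keystore the
# way the post does, then run the offline checks that catch the usual causes
# of "SSL handshake failed" before touching Logstash. Needs the openssl CLI;
# keytool is optional. All names and the password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=password   # placeholder keystore password, as in the post's config

make_test_pki() {
    # Stand-in for the Kafka CA, plus an unrelated CA to show the failure mode
    # of a truststore that holds the wrong root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Kafka CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/wrong-ca.key" -out "$WORK/wrong-ca.pem" 2>/dev/null
    # Client key + CSR, signed by the CA (the post's "CSR signed by the Kafka CA").
    openssl req -newkey rsa:2048 -nodes -subj "/CN=logstash-client" \
        -keyout "$WORK/cert.key" -out "$WORK/cert.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/cert.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/cert.pem" 2>/dev/null
    # Leaf followed by the CA: the post's cert-with-chain.pem.
    cat "$WORK/cert.pem" "$WORK/ca.pem" > "$WORK/cert-with-chain.pem"
    # Same export the post runs. On OpenSSL 3 add -legacy if an old JDK
    # cannot read the result (the default PKCS12 encryption changed in 3.0).
    openssl pkcs12 -export -in "$WORK/cert-with-chain.pem" -inkey "$WORK/cert.key" \
        -name logstash -passout "pass:$PASS" -out "$WORK/keystore.p12"
}

# Check 1: does the leaf inside the keystore chain to the CA the truststore
# will hold? This is the verification the broker performs on the client cert.
# Usage: check_keystore keystore.p12 password ca.pem  -> prints ok or fail
check_keystore() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl verify -CAfile "$3" >/dev/null 2>&1 && echo ok || echo fail
}

# Check 2: the keystore must contain the private key, not just certificates;
# a cert-only keystore passes check 1 but cannot authenticate.
keystore_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'BEGIN.*PRIVATE KEY' && echo yes || echo no
}

# Check 3: the key and the certificate must be a pair (compare public keys).
# Usage: key_matches_cert cert.pem cert.key  -> prints yes or no
key_matches_cert() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] && echo yes || echo no
)

# Optional: the JKS conversion from the post (needs a JDK on PATH). The
# Logstash kafka output can also load the .p12 directly with
# ssl_keystore_type => "PKCS12", which makes this step unnecessary.
to_jks() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH; skipping JKS conversion"
        return 0
    fi
    rm -f "$3"
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype JKS -deststorepass "$2" -noprompt >/dev/null 2>&1
    # PrivateKeyEntry confirms the key came across with the certificate.
    keytool -list -v -keystore "$3" -storepass "$2" 2>/dev/null \
        | grep -E 'Alias name|Entry type|Owner|Issuer'
}

# Not run here (needs the real broker): the same mutual-TLS handshake the
# producer makes, with the CA the truststore will hold. A CA verify error
# means the truststore side is wrong; a verified handshake that the broker
# then aborts with an alert points at the client certificate or its CA.
# Usage: broker_handshake host:9092 ca.pem cert.pem cert.key
broker_handshake() {
    openssl s_client -connect "$1" -servername "${1%:*}" -CAfile "$2" \
        -cert "$3" -key "$4" -verify_return_error </dev/null
}

make_test_pki
echo "keystore leaf chains to the CA:      $(check_keystore "$WORK/keystore.p12" "$PASS" "$WORK/ca.pem")"
echo "keystore leaf chains to wrong CA:    $(check_keystore "$WORK/keystore.p12" "$PASS" "$WORK/wrong-ca.pem")"
echo "keystore contains the private key:   $(keystore_has_key "$WORK/keystore.p12" "$PASS")"
echo "key matches certificate:             $(key_matches_cert "$WORK/cert.pem" "$WORK/cert.key")"
to_jks "$WORK/keystore.p12" "$PASS" "$WORK/keystore.jks" \
    || echo "JKS conversion failed; with OpenSSL 3 retry the export with -legacy"
echo "artifacts left in $WORK for inspection"
```

If all four offline checks pass against the real files, the remaining suspects are on the wire: run `broker_handshake` against one bootstrap broker with the same CA file that went into `LAAca.jks`, and start Logstash with `LS_JAVA_OPTS="-Djavax.net.debug=ssl,handshake"` so the JVM prints which side sent the fatal alert and why, rather than the bare "SSL handshake failed" the Kafka client logs.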