Description
Configuration: kafka - kafka-topic-manager (MTLS enabled)
When we are trying to communicate between kafka and kafka-topic-manager we are using internal and third-party CA certificates. When we are trying to connect using a certificate path with multiple CAs, communication is breaking between kafka and applications.
Example 1: certificate is signed by the CA - we didn't find any issue (no intermediate CA)
certificate chain: certificate -> internal CA
SSL handshake completed successfully with peerHost:
Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,380] DEBUG Accepted connection from /172.17.0.1:37520 on /172.17.0.18:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.DataPlaneAcceptor)
Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,380] DEBUG Processor 1 listening to new connection from /172.17.0.1:37520 (kafka.network.Processor)
Nov 5 15:59:49 localhost kafka[128794]: [2024-11-05 13:59:49,401] DEBUG [SslTransportLayer channelId=172.17.0.18:9092-172.17.0.1:37520-15 key=channel=java.nio.channels.SocketChannel[connected local=/172.17.0.18:9092 remote=/172.17.0.1:37520], selector=sun.nio.ch.EPollSelectorImpl@12a58e5e, interestOps=1, readyOps=0] SSL handshake completed successfully with peerHost '172.17.0.1' peerPort 37520 peerPrincipal 'CN=kafka-topic-manager-localhost' protocol 'TLSv1.3' cipherSuite 'TLS_AES_128_GCM_SHA256' (org.apache.kafka.common.network.SslTransportLayer)
Example 2: certificate is signed by the internal CA, which is signed by the third-party CA - handshake is failing (with intermediate CA)
certificate chain: certificate -> internal CA -> third-party CA
SSLHandshake NEED_UNWRAP channelId:
Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] DEBUG Processor 1 listening to new connection from /172.17.0.1:45242 (kafka.network.Processor)
Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] DEBUG Accepted connection from /172.17.0.1:45242 on /172.17.0.141:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.DataPlaneAcceptor)
Nov 5 16:38:21 localhost kafka[1332937]: [2024-11-05 14:38:21,370] TRACE [SslTransportLayer channelId=172.17.0.141:9092-172.17.0.1:45242-825 key=channel=java.nio.channels.SocketChannel[connected local=/172.17.0.141:9092 remote=/172.17.0.1:45242], selector=sun.nio.ch.EPollSelectorImpl@39027b65, interestOps=1, readyOps=0] SSLHandshake NEED_UNWRAP channelId 172.17.0.141:9092-172.17.0.1:45242-825, appReadBuffer pos 0, netReadBuffer pos 0, netWriteBuffer pos 0 (org.apache.kafka.common.network.SslTransportLayer)
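As an added example (not part of this issue and not code from the kafka-topic-manager project), the POSIX shell script below rebuilds the two chain shapes from the description with openssl and shows which combinations of truststore content and presented chain actually verify: a leaf issued by an intermediate fails verification when the intermediate is neither presented by the peer nor present in the truststore, and succeeds as soon as it is in either place. It assumes openssl 1.1.1 or later on PATH; the subject names, file names and temporary working directory are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the issue or the project): builds a three-level chain
#   leaf (CN=kafka-topic-manager-localhost) -> "internal CA" -> "thirdparty CA"
# with openssl and checks which truststore/presented-chain combinations verify.
# All subjects, file names and the working directory are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate the three certificates into $WORK (run in a subshell so the cd
# does not leak into the caller).
make_chain() (
  cd "$WORK"
  # 1. Self-signed root, standing in for the third-party CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout thirdparty-ca.key -out thirdparty-ca.pem \
    -subj "/CN=Demo Thirdparty CA" >/dev/null 2>&1
  # 2. Intermediate, standing in for the internal CA. It must carry
  #    basicConstraints CA:TRUE, otherwise verifiers reject it as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout internal-ca.key -out internal-ca.csr \
    -subj "/CN=Demo Internal CA" >/dev/null 2>&1
  openssl x509 -req -in internal-ca.csr -CA thirdparty-ca.pem \
    -CAkey thirdparty-ca.key -CAcreateserial -days 30 -sha256 \
    -extfile ca.ext -out internal-ca.pem >/dev/null 2>&1
  # 3. Leaf client certificate issued by the internal CA.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout leaf.key -out leaf.csr \
    -subj "/CN=kafka-topic-manager-localhost" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA internal-ca.pem -CAkey internal-ca.key \
    -CAcreateserial -days 30 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
  # 4. What the client should present during the handshake: leaf, then intermediate.
  cat leaf.pem internal-ca.pem > leaf-chain.pem
)

# Truststore holds only the third-party root; peer presents only its leaf.
# Fails: the verifier cannot locate the internal CA that issued the leaf.
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/thirdparty-ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same truststore; peer presents leaf plus intermediate (-untrusted stands in
# for the extra certificates a TLS peer sends with its leaf). Succeeds.
verify_with_presented_intermediate() {
  openssl verify -CAfile "$WORK/thirdparty-ca.pem" \
    -untrusted "$WORK/internal-ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Alternative fix on the verifying side: truststore holds root and
# intermediate, so even a bare leaf still chains up. Succeeds.
verify_with_intermediate_in_truststore() {
  cat "$WORK/thirdparty-ca.pem" "$WORK/internal-ca.pem" > "$WORK/truststore.pem"
  openssl verify -CAfile "$WORK/truststore.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_chain
for check in verify_leaf_alone verify_with_presented_intermediate verify_with_intermediate_in_truststore; do
  if "$check"; then echo "$check: verified"; else echo "$check: verification failed"; fi
done
```

The first check is the Example 2 failure mode in miniature: a broker whose truststore contains only the third-party root cannot validate a client that sends just its leaf, and the handshake stalls while the broker waits for a chain it can close. The two remedies map onto the Kafka side in the usual way (general guidance, not project-specific instructions): either the client's keystore holds the leaf followed by the internal CA (the `leaf-chain.pem` shape) so the full chain is presented, or the broker's truststore contains both the root and the internal CA. Note that `openssl verify` rejects an intermediate without `basicConstraints CA:TRUE`, so a chain that looks complete can still fail if the internal CA certificate was issued without CA extensions; checking that with `openssl x509 -noout -text -in internal-ca.pem` is a cheap first step before touching keystores.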