
Q&A: How to list the certificates in use for Windows.

Open uberDoward opened this issue 4 years ago • 7 comments

Description

I am unable to get Kafka dotnet to use a certificate from the local machine Windows Certificate Store.

How to reproduce

Enable debug all in producer. Load certificate to be used in local machine MY store. Attempt to connect.

Checklist

Please provide the following information:

  • [ ] A complete (i.e. we can run it), minimal program demonstrating the problem. No need to supply a project file.
  • [1.6.3] Confluent.Kafka nuget version.
  • [ ] Apache Kafka version.
  • [ ] Client configuration.
  • [Windows] Operating system.
  • [ ] Provide logs (with "debug" : "..." as necessary in configuration).
  • [ ] Provide broker log excerpts.
  • [ ] Critical issue.

uberDoward avatar May 13 '21 13:05 uberDoward

The client uses the ROOT store by default; you can specify which stores to use with the SslCaCertificateStores config property:

Comma-separated list of Windows Certificate stores to load CA certificates from. Certificates will be loaded in the same order as stores are specified. If no certificates can be loaded from any of the specified stores an error is logged and the OpenSSL library's default CA location is used instead. Store names are typically one or more of: MY, Root, Trust, CA.
Type: string

edenhill avatar May 14 '21 06:05 edenhill

Yes, I am using the My store. I can see that 8 certificates are loaded, from the [CERTSTORE] logs.

How do I tell Kafka which specific certificate to use?

uberDoward avatar May 14 '21 14:05 uberDoward

It'll use all loaded certs to verify the broker certificate.

edenhill avatar May 14 '21 17:05 edenhill

Understood. Will the broker's CA cert need to be in the same store?

Also, any idea why the local machine store is not checked? Appears to be user certificate store only...

uberDoward avatar May 14 '21 18:05 uberDoward

The dotnet client only uses the cert stores as CA certificates for verifying the broker certificate, nothing else.

edenhill avatar May 14 '21 18:05 edenhill

Interesting. If I set SslKeystoreLocation = "c:\path\to\cert.pfx" and supply the SslKeystorePassword (there is a password on the pfx), it works fine.

If I set SslCaCertificateStores = "My" and load the same cert to my user cert store, I get error:1408E0F4: SSL routines:ssl3_get_message: unexpected message: client SSL authentication might be required

Edit

This is with EnableSslCertificateVerification = false. If I set that to true, I get a different error stating broker certificate could not be verified.

uberDoward avatar May 14 '21 18:05 uberDoward
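Putting the two answers above together (the Windows stores only feed CA certificates for verifying the broker, while the client's own certificate comes from the keystore settings), here is an added configuration example that is not code from the issue or from confluent-kafka-dotnet itself. The broker address, .pfx path, environment variable name and topic are assumptions.

```csharp
using System;
using Confluent.Kafka;

// Added example, not the project's code. Assumed: broker address, pfx path,
// KAFKA_PFX_PASSWORD environment variable, topic name.
static class MtlsProducerConfig
{
    public static ProducerConfig Build()
    {
        return new ProducerConfig
        {
            BootstrapServers = "broker.example.internal:9093", // assumed
            SecurityProtocol = SecurityProtocol.Ssl,

            // CA certificates only: used to verify the broker's certificate.
            // Loading the client's own cert into one of these stores does not
            // make the client present it during TLS client authentication.
            SslCaCertificateStores = "Root,CA",

            // The client certificate + private key for client authentication
            // come from the keystore settings, not from the Windows stores.
            SslKeystoreLocation = @"C:\path\to\client.pfx",            // assumed path
            SslKeystorePassword = Environment.GetEnvironmentVariable("KAFKA_PFX_PASSWORD"),

            // Keep broker verification on and require the hostname to match.
            // Setting this to false only hides "broker certificate could not be
            // verified"; the fix is to get the broker's CA into a listed store.
            EnableSslCertificateVerification = true,
            SslEndpointIdentificationAlgorithm = SslEndpointIdentificationAlgorithm.Https,

            // Emits the [CERTSTORE] lines discussed above (the issue used "all").
            Debug = "security",
        };
    }

    public static void Main()
    {
        using var producer = new ProducerBuilder<Null, string>(Build())
            .SetLogHandler((_, msg) => Console.WriteLine($"{msg.Level} {msg.Facility}: {msg.Message}"))
            .SetErrorHandler((_, err) => Console.Error.WriteLine($"error: {err.Reason}"))
            .Build();

        // Assumed topic; one message is enough to force the TLS handshake.
        producer.Produce("tls-smoke-test", new Message<Null, string> { Value = "hello" });
        producer.Flush(TimeSpan.FromSeconds(10));
    }
}
```

With verification enabled, a failing handshake now surfaces the real cause in the security debug log (missing CA in the listed stores, or no client certificate offered) rather than the generic unexpected-message error.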

I have exactly the same problem with "broker certificate could not be verified" ;/ using the keystorelocation and cacert.

Coldplayer1995 avatar Feb 15 '22 10:02 Coldplayer1995