
Sarama can't be used with DSA keys for SSL

Open bradurani opened this issue 5 years ago • 3 comments

Versions

Sarama: 1.26.4
Kafka: 2.4.1
Go: 1.14.3

Configuration

What configuration values are you using for Sarama and Kafka? I'm using Burrow, which has the following configuration:

[tls.tlsonly]
certfile="/certs/kafka_client.crt"
keyfile="/certs/kafka_client.crt.key"
cafile="/certs/kafka_trusted.crt"
noverify=true

My keys are valid DSA keys in PEM format. I've also tried noverify=false.

Logs
{"level":"panic","ts":1599859116.2910147,"msg":"cannot read TLS certificate or key file: tls: failed to parse private key"}
panic: cannot read TLS certificate or key file: tls: failed to parse private key [recovered]
        panic: cannot read TLS certificate or key file: tls: failed to parse private key [recovered]
        panic: cannot read TLS certificate or key file: tls: failed to parse private key

goroutine 1 [running]:
main.handleExit()
        /usr/src/Burrow/main.go:64 +0x1fc
panic(0xc112c0, 0xc00035a370)
        /usr/local/go/src/runtime/panic.go:969 +0x166
go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0001b6000, 0x0, 0x0, 0x0)
        /go/pkg/mod/go.uber.org/[email protected]/zapcore/entry.go:230 +0x545
go.uber.org/zap.(*Logger).Panic(0xc000182240, 0xc0003365a0, 0x49, 0x0, 0x0, 0x0)
        /go/pkg/mod/go.uber.org/[email protected]/logger.go:225 +0x7f
github.com/linkedin/Burrow/core.configureCoordinators.func1(0xc000182060)
        /usr/src/Burrow/core/burrow.go:97 +0x7d
panic(0xc112c0, 0xc00035a360)
        /usr/local/go/src/runtime/panic.go:969 +0x166
github.com/linkedin/Burrow/core/internal/helpers.GetSaramaConfigFromClientProfile(0xc0002ce8a0, 0xb, 0x1c)
        /usr/src/Burrow/core/internal/helpers/sarama.go:114 +0xf29
github.com/linkedin/Burrow/core/internal/cluster.(*KafkaCluster).Configure(0xc0001b8580, 0xc0002cf150, 0x5, 0xc0001a0653, 0xd)
        /usr/src/Burrow/core/internal/cluster/kafka_cluster.go:63 +0x133
github.com/linkedin/Burrow/core/internal/cluster.(*Coordinator).Configure(0xc000198300)
        /usr/src/Burrow/core/internal/cluster/coordinator.go:83 +0x222
github.com/linkedin/Burrow/core.configureCoordinators(0xc000182060, 0xf29960, 0xc0001b40c0, 0xf29920, 0xc00019a3f0, 0xf296e0, 0xc000198280, 0xf297e0, 0xc00019a4e0, 0xf29820, ...)
        /usr/src/Burrow/core/burrow.go:104 +0xb3
github.com/linkedin/Burrow/core.Start(0xc000182060, 0xc00012b6e0, 0x0)
        /usr/src/Burrow/core/burrow.go:152 +0x402
main.main()
        /usr/src/Burrow/main.go:115 +0x690

Problem Description

It appears that Sarama is using crypto/tls and that may not support DSA keys. The error "cannot read TLS certificate or key file: tls: failed to parse private key" is coming from the file https://golang.org/src/crypto/tls/tls.go in the function parsePrivateKey. Does that mean Sarama can't use DSA certs as long as it uses crypto/tls? I can't find any example of using DSA certs for Sarama anywhere. Is there a workaround? Thanks!

bradurani, Sep 11 '20 21:09

Thank you for taking the time to raise this issue. However, it has not had any activity on it in the past 90 days and will be closed in 30 days if no updates occur. Please check if the master branch has already resolved the issue since it was raised. If you believe the issue is still valid and you would like input from the maintainers then please comment to ask for it to be reviewed.

ghost, Mar 16 '21 22:03

I can provide another data point that sarama does not support DSA keys. I've tried configuring KEDA, which uses sarama, to do autoscaling based on Kafka consumer lag, but we're running into this same exact error.

mattmahn, Jun 08 '22 21:06

The Go team decided long ago not to support DSA in crypto/tls under the wontfix of https://github.com/golang/go/issues/6868

There’s just some legacy support for it in the ssh package. I’m afraid your only option would be to migrate to a more modern key format.

dnwe, Jun 08 '22 22:06
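A pre-flight check for the keyfile, added here as an example and not code from Sarama, Burrow or anyone in this thread: it runs the same three decoders that crypto/tls's parsePrivateKey tries (PKCS#1, PKCS#8, SEC1), which is why a DSA key only ever surfaces as the generic "failed to parse private key", and it names a DSA block explicitly so the operator knows which key to re-issue. The DSA block's integers and the P-256 key are constructed for the demo; `ParseTLSKeyFile`, `FakeDSAKeyPEM` and `ECKeyPEM` are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
)

// ParseTLSKeyFile is the pre-flight a Sarama-based tool (Burrow, KEDA) could run on its
// keyfile. It tries the same three decoders crypto/tls does (PKCS#1, PKCS#8, SEC1), which
// is why a DSA key ends as "failed to parse private key"; here DSA is named explicitly.
func ParseTLSKeyFile(keyPEM []byte) (crypto.PrivateKey, error) {
	block, _ := pem.Decode(keyPEM) // first block only; crypto/tls additionally skips non-key blocks
	if block == nil {
		return nil, fmt.Errorf("no PEM block found in key file")
	}
	if block.Type == "DSA PRIVATE KEY" {
		return nil, fmt.Errorf("keyfile holds a DSA key, which crypto/tls does not support (golang/go#6868); re-issue it as RSA or ECDSA")
	}
	if key, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return key, nil
	} else if key, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		return key, nil
	} else if key, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
		return key, nil
	}
	return nil, fmt.Errorf("%q block is not PKCS#1, PKCS#8 or SEC1; crypto/tls would report 'failed to parse private key'", block.Type)
}

// dsaPrivateKeyASN1 mirrors the DER layout inside an OpenSSL "DSA PRIVATE KEY" block.
type dsaPrivateKeyASN1 struct{ Version int; P, Q, G, Y, X *big.Int }

// FakeDSAKeyPEM builds that block from placeholder integers: constructed for the demo, not a usable key.
func FakeDSAKeyPEM() []byte {
	der, _ := asn1.Marshal(dsaPrivateKeyASN1{0, big.NewInt(23), big.NewInt(11), big.NewInt(4), big.NewInt(16), big.NewInt(3)})
	return pem.EncodeToMemory(&pem.Block{Type: "DSA PRIVATE KEY", Bytes: der})
}

// ECKeyPEM generates a throwaway P-256 key in the SEC1 form crypto/tls accepts (constructed for the demo).
func ECKeyPEM() []byte {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalECPrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}
```

Running the check over the configured keyfile before handing it to Sarama turns the panic in the log above into an actionable message; the fix itself is still what dnwe describes, re-issuing the client key as RSA or ECDSA.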

Thank you for taking the time to raise this issue. However, it has not had any activity on it in the past 90 days and will be closed in 30 days if no updates occur. Please check if the main branch has already resolved the issue since it was raised. If you believe the issue is still valid and you would like input from the maintainers then please comment to ask for it to be reviewed.

github-actions[bot], Nov 23 '23 02:11