Failed to retrieve OIDC token from Let's Encrypt https endpoint
Hey, I don't fully know if this is correct here or if it should be in librdkafka.
We want to connect to a Kafka that is protected by https://github.com/strimzi/strimzi-kafka-oauth
This is the setup within the configuration:
config.set("sasl.mechanisms", "OAUTHBEARER");
config.set("sasl.oauthbearer.method", auth_config.method.to_string());
config.set("sasl.oauthbearer.client.id", auth_config.client_id.to_string());
config.set("sasl.oauthbearer.client.secret", auth_config.client_secret.to_string());
config.set("sasl.oauthbearer.token.endpoint.url", auth_config.token_endpoint_url.to_string());
config.set("enable.ssl.certificate.verification", "false");
My system uses Ubuntu 22.04.
Cargo.toml is:
rdkafka = { version = "0.36.2", features = ["curl", "ssl", "gssapi", "cmake-build"] }
The error that I get at runtime is:
Failed to retrieve OIDC token from "https://accounts.varta-ag.com/realms/varta-dev/protocol/openid-connect/token": SSL certificate problem: unable to get local issuer certificate (-1)
I think this has to do with curl not knowing the Let's Encrypt CA certificate. But I am not fully sure. I tried setting different env variables to configure the curl setup. I also loaded the Let's Encrypt cert and CA into my /etc/ssl/certs/ folder.
I found this issue, but I think that is the setup against the broker, not against the token endpoint: https://github.com/confluentinc/librdkafka/issues/1814
I also found this Stack Overflow question where the error fits, but I cannot adapt any solution to Rust: https://stackoverflow.com/questions/24611640/curl-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate?page=2&tab=scoredesc#tab-top
So I figured it out.
This was just a linking problem with cmake, libcurl and OpenSSL. I use "dynamic-linking" now and installed librdkafka from Confluent.
With every other configuration I got:
(Client config error: Configuration property "sasl.oauthbearer.method" not supported in this build: OAuth/OIDC depends on libcurl and OpenSSL which were not available at build time sasl.oauthbearer.method oidc)
On my side this Issue can be closed unless @fede1024 wants to investigate this problem and needs help.
Facing the same issue, but I wish to statically bind librdkafka, any pointers?
I am using these features
rdkafka = { version = "0.38.0", features = ["cmake-build", "curl-static", "libz-static", "ssl-vendored", "sasl", "gssapi-vendored"] }
But it fails with
{ message: "Client config error: Configuration property \"sasl.oauthbearer.token.endpoint.url\" not supported in this build: OAuth/OIDC depends on libcurl and OpenSSL which were not available at build time sasl.oauthbearer.token.endpoint.url <endpoint_url>" }
The fix to support CA certs for HTTP requests was added 4 months back, which allows setting the CA cert via https.ca.location or https.ca.pem. Unfortunately the current commit tagged for the submodule does not have these changes :(
BTW the issue of OAuth config not supported was fixed by adding the relevant feature flags, alongside the static compilation feature flags:
rdkafka = { version = "0.38.0", features = ["cmake-build", "curl", "curl-static", "libz", "libz-static", "ssl", "ssl-vendored", "sasl", "gssapi", "gssapi-vendored"] }
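Pulling the thread's pieces together as an added example (not code from this issue, from rust-rdkafka or from librdkafka): the OIDC properties from the original post, with `enable.ssl.certificate.verification` left on and the token endpoint's CA supplied through the `https.ca.location` / `https.ca.pem` properties mentioned above. Note that the original post already had certificate verification set to `false` and still hit the curl error, so that property does not cover the token fetch. The block uses only `std` so it compiles without the rdkafka crate; it produces the (key, value) pairs that an application would hand to `rdkafka::ClientConfig::set` one by one. `security.protocol = SASL_SSL`, the client id, the CA path and the PEM text are assumptions for illustration, and the PEM sample in `main` is constructed (not a real certificate).

```rust
// Added example, not part of the issue or the rust-rdkafka project: assembles
// the librdkafka OIDC configuration as plain (key, value) pairs, keeping TLS
// verification on and pointing librdkafka's HTTPS client at an explicit CA.
use std::collections::BTreeMap;

/// Where librdkafka's HTTPS client should find the CA that issued the
/// token endpoint's certificate (the two properties named in the thread).
pub enum TokenEndpointCa {
    /// File or directory path, passed as `https.ca.location`.
    Location(String),
    /// The CA certificate(s) in PEM form, passed as `https.ca.pem`.
    Pem(String),
}

/// Count the certificate blocks in a PEM string, rejecting empty or
/// unbalanced input. A bundle with no usable certificate leads to the same
/// "unable to get local issuer certificate" failure the issue reports.
pub fn count_pem_certs(pem: &str) -> Result<usize, String> {
    let begins = pem.matches("-----BEGIN CERTIFICATE-----").count();
    let ends = pem.matches("-----END CERTIFICATE-----").count();
    if begins == 0 {
        return Err("no CERTIFICATE blocks in PEM input".to_string());
    }
    if begins != ends {
        return Err(format!("unbalanced PEM: {} BEGIN vs {} END markers", begins, ends));
    }
    Ok(begins)
}

/// Build the SASL/OAUTHBEARER + OIDC properties from the original post,
/// with certificate verification kept enabled and the CA made explicit.
pub fn oidc_config(
    client_id: &str,
    client_secret: &str,
    token_endpoint_url: &str,
    ca: &TokenEndpointCa,
) -> Result<BTreeMap<String, String>, String> {
    // The client secret is sent in the token request body, so refuse plain http.
    if !token_endpoint_url.starts_with("https://") {
        return Err("token endpoint URL must use https".to_string());
    }
    let mut cfg = BTreeMap::new();
    // Assumption: the broker listener is SASL over TLS (not stated in the issue).
    cfg.insert("security.protocol".to_string(), "SASL_SSL".to_string());
    cfg.insert("sasl.mechanisms".to_string(), "OAUTHBEARER".to_string());
    cfg.insert("sasl.oauthbearer.method".to_string(), "oidc".to_string());
    cfg.insert("sasl.oauthbearer.client.id".to_string(), client_id.to_string());
    cfg.insert("sasl.oauthbearer.client.secret".to_string(), client_secret.to_string());
    cfg.insert("sasl.oauthbearer.token.endpoint.url".to_string(), token_endpoint_url.to_string());
    // Kept on: the issue shows the token fetch fails on CA verification even
    // with this set to "false", so turning it off only weakens the broker side.
    cfg.insert("enable.ssl.certificate.verification".to_string(), "true".to_string());
    match ca {
        TokenEndpointCa::Location(path) => {
            cfg.insert("https.ca.location".to_string(), path.clone());
        }
        TokenEndpointCa::Pem(pem) => {
            count_pem_certs(pem)?;
            cfg.insert("https.ca.pem".to_string(), pem.clone());
        }
    }
    Ok(cfg)
}

fn main() {
    // Constructed PEM sample: markers only, not a real certificate.
    let pem = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
    let ca = TokenEndpointCa::Pem(pem.to_string());
    // Assumed client id and endpoint for illustration.
    match oidc_config("kafka-client", "<secret>", "https://idp.example.invalid/token", &ca) {
        Ok(cfg) => {
            for (k, v) in &cfg {
                let shown = if k.ends_with("secret") { "<redacted>" } else { v.as_str() };
                println!("{} = {}", k, shown);
            }
        }
        Err(e) => eprintln!("config error: {}", e),
    }
}
```

With the `curl-static` / `ssl-vendored` build from this thread, the statically linked curl has no distribution CA bundle to fall back on, which is exactly why the CA has to be passed explicitly rather than by dropping files into /etc/ssl/certs.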
@j7nw4r any chance you could take a look at this? Thanks
Will do.