SunCertPathBuilderException when viewing topic detailed view running docker-compose
Issue submitter TODO list
- [X] I've looked up my issue in FAQ
- [X] I've searched for already existing issues here
- [X] I've tried running master-labeled docker image and the issue still persists there
- [X] I'm running a supported version of the application which is listed here
Describe the bug (actual behavior)
When I start kafka-ui through docker-compose I have problems viewing the detailed topic view. When I go to my cluster -> topics and click the topic name, the page is visible for 2-5 seconds before I am redirected to http://localhost:8080/404
In the logs I see the error `Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target`
If I instead start kafka-ui with docker run and manually add the cluster through the GUI, I do not face any problems at all.
```shell
docker run -it -p 8080:8080 -e DYNAMIC_CONFIG_ENABLED=true provectuslabs/kafka-ui
```
I have also tried adding DYNAMIC_CONFIG_ENABLED to docker-compose and validated the SASL_SSL settings in the GUI. When clicking "Validate" I am told the cluster config is valid.
I have verified that the following works as expected:
- Viewing topics schema in schema registry.
- Viewing all brokers at http://localhost:8080/ui/clusters/kreditt-bi/brokers
- Seeing all available topics at http://localhost:8080/ui/clusters/kreditt-bi/all-topics?perPage=25 (including correct number of messages and partitions)
Note that I have added network_mode: host to my docker-compose because I was having DNS issues and was unable to resolve the bootstrap servers. All bootstrap servers and schema registry are self-hosted in the company network with private DNS.
Expected behavior
No response
Your installation details
Version v0.7.1
```yaml
---
version: '2'
services:
  kafka-ui:
    container_name: kafka-ui
    image: provectuslabs/kafka-ui:latest
    network_mode: host
    ports:
      - 8080:8080
    environment:
      KAFKA_CLUSTERS_0_NAME: kreditt-bi
      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: REDACTED:9092,REDACTED:9092,hda-REDACTED:9092,hda-REDACTED:9092
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY: https://REDACTED
      KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM: SCRAM-SHA-512
      KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="REDACTED" password="REDACTED";'
      KAFKA_CLUSTERS_0_SSL_TRUSTSTORE_LOCATION: /truststore.jks
      KAFKA_CLUSTERS_0_SSL_TRUSTSTORE_PASSWORD: 'REDACTED'
      KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_TYPE: JKS
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_TRUSTSTORELOCATION: /truststore.jks
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_TRUSTSTOREPASSWORD: 'REDACTED'
    volumes:
      - ./truststore.jks:/truststore.jks
```
Steps to reproduce
- `docker-compose -f docker-compose.yml up`
- Open localhost:8080
- Click "topics" under my cluster
- Click the topic name
Topic detailed view is visible for 2-5 seconds before I am redirected to the 404 error page.
Screenshots
No response
Logs
Additional context
docker on rhel 8 distro
Hello there mvassli! 👋
Thank you and congratulations 🎉 for opening your very first issue in this project! 💖
In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀
Hi, please provide the full stacktrace
The complete logs are attached
Okay, I see. That's related to the schema registry, and there should be no difference between running it via plain docker or via docker-compose.
- Can you verify that you're running the same version both ways?
- Is your SR certificate a self-signed one?
- Yes, it is the same
- Yes, it is self-signed
Strange if the issue is related to a certificate, as I am able to view the schema details at http://localhost:8080/ui/clusters/kreditt-bi/schemas/credit-card-status-change-v1-value
EDIT: I did a comparison of the AdminClientConfig logged when starting the app with plain docker and through docker-compose. Apart from different values for request.timeout, retries, client.id etc., the config is more or less identical.
@mvassli that looks suspicious. Can you share the version hash from the upper left corner for both your instances?
@Haarolean The same version for both. I am using latest docker tag.
I followed your instructions on adding the truststore to config.yaml. I don't know why, but moving my config to a separate file resolved the problem with SunCertPathException. I can't see any obvious reason why it should make a difference.
docker-compose:
```yaml
---
version: '2'
services:
  kafka-ui:
    container_name: kafka-ui
    image: provectuslabs/kafka-ui:latest
    network_mode: host
    ports:
      - 8080:8080
    environment:
      SPRING_CONFIG_ADDITIONAL-LOCATION: /config.yml
    volumes:
      - ./truststore.jks:/truststore.jks
      - ./config.yml:/config.yml
```
config.yml:
```yaml
kafka:
  clusters:
    - name: REDACTED
      bootstrapServers: REDACTED:9092,REDACTED:9092,REDACTED:9092,REDACTED:9092
      schemaRegistry: https://REDACTED
      properties:
        security:
          protocol: SASL_SSL
        sasl:
          jaas:
            config: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="REDACTED" password="REDACTED";'
          mechanism: SCRAM-SHA-512
      ssl:
        truststore-location: /truststore.jks
        truststore-password: REDACTED
      schema-registry-ssl:
        truststore-location: /truststore.jks
        truststore-password: REDACTED
```
Hello! I have the same issue but in my case connecting to the schema registry that runs on HTTPS and requires the truststore to be there. I did all the possible tests, even added the config.yml as you suggested above but I still have the same issue connecting to the SR.
I even tried to add JAVA_OPTS=-Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.keyStore=/keystore.jks -Djavax.net.ssl.keyStorePassword=REDACTED -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStore=/truststore.jks -Djavax.net.ssl.trustStorePassword=REDACTED env variable specifying all the certificates, but nothing got resolved.
```yaml
ssl:
  truststore-location: /truststore.jks
  truststore-password: REDACTED
```
This configuration above is necessary for the Kafka connection that is using SSL. If removed I cannot connect to Kafka, and this is ok.
```yaml
schema-registry-ssl:
  truststore-location: /truststore.jks
  truststore-password: REDACTED
```
This other configuration instead, for the schema registry, doesn't work. When connecting to it, it complains about "unable to find valid certification path to requested target".
In my case I'm running kafka-ui in a docker container, with the certificates mounted. The certificates are issued by our internal company CA.
The interesting thing is that the Kafka connection with the truststore works perfectly. The same truststore for the SR doesn't work. It seems a configuration issue.
Do you have the same problem with the SR? Because I understood that your issue was connecting to Kafka.
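Both reports above boil down to the same question: does the mounted truststore actually anchor the schema registry's certificate chain, or is kafka-ui simply not picking the truststore up for the schema registry client? The following standalone check separates the two. It is an added example, not code from this thread or from the kafka-ui project: it loads a JKS truststore, lists its trusted entries, and performs a TLS handshake against an HTTPS URL trusting only that file (not the JVM's default cacerts). The truststore path, password and URL are assumed command-line arguments, and the class name TruststoreCheck is made up for this example.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical diagnostic class (not part of kafka-ui).
// usage: java TruststoreCheck <truststore.jks> <password> <https://schema-registry-url>
public class TruststoreCheck {

    /** Loads a JKS truststore from disk; a wrong password or corrupt file fails here. */
    static KeyStore loadTruststore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        return ts;
    }

    /** Builds an SSLContext whose trust anchors come ONLY from the given truststore. */
    static SSLContext contextFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // PKIX
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TruststoreCheck <truststore.jks> <password> <https://url>");
            System.exit(2);
        }
        KeyStore ts = loadTruststore(args[0], args[1].toCharArray());

        // Show which CAs this file actually trusts; the SR's issuing CA must be among them.
        System.out.println("Trusted entries in " + args[0] + ":");
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println("  " + alias + " -> " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }

        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[2]).toURL().openConnection();
        conn.setSSLSocketFactory(contextFor(ts).getSocketFactory());
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            // Any HTTP status, including 401 or 404, means the TLS handshake itself succeeded.
            int status = conn.getResponseCode();
            System.out.println("TLS handshake OK against " + args[2] + " (HTTP " + status + ")");
            for (Certificate c : conn.getServerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  server chain: " + x.getSubjectX500Principal()
                        + " issued by " + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // This is the same PKIX path-building failure reported in this issue.
            System.out.println("TLS handshake FAILED: " + e.getMessage());
            System.out.println("The server's chain does not end at a CA in this truststore; "
                    + "import the issuing CA into it (keytool -importcert) rather than disabling verification.");
            System.exit(1);
        }
    }
}
```

Run it with the same file and password that are mounted into the container, e.g. `java TruststoreCheck ./truststore.jks 'REDACTED' https://REDACTED`. If the handshake fails here too, the truststore is missing the CA that issued the schema registry certificate (compare the printed "issued by" line against the trusted entries). If it succeeds but kafka-ui still reports the PKIX error, the file is fine and the problem is how the schema-registry-ssl settings are being bound, which matches the observation above that the plain `ssl` block works while the `schema-registry-ssl` block does not.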
Good afternoon, I ran into the same problem: a keycloak with self-written certificates was raised inside the network, I put it in the truststore and it didn't help. Is it possible to disable SSL verification or change the issuer without tying it to the URL?
@SnikersFar this repo is not maintained (#4255). Happy to see your bug reports/discussions here: https://github.com/kafbat/kafka-ui . We're also available on discord