jlandersen / vscode-kafka

Apache Kafka® extension for Visual Studio Code

Support self signed certificates

hguerrero opened this issue

When connecting to a cluster using TLS, the certificate might be a self-signed cert.

Today we receive an error, but there is no documentation on how to configure the cert to validate it.

I think it's the same issue as #86

I have the same problem. At #86 I didn't find a solution.

#86 is still open and tries to address SASL_SSL, so I guess it should fix the usage of any TLS endpoint. However, I suggest using this issue to track the specifics of using self-signed certs within any TLS type of config.

> I have the same problem. At #86 I didn't find a solution.

Yes sure, it's just some discussion. The issue which implements the idea with certificate (and another configuration) is #88

But please note if you have the capability to write a vscode extension, you can contribute to vscode-kafka with your cluster configuration. Your extension could create the proper kafka config with the proper certificate: https://kafka.js.org/docs/configuration#ssl

If you are interested in writing your own vscode extension, please see the sample at https://github.com/angelozerr/vscode-kafka-extension-sample/blob/f3470cb0ab8777085e256571eeecc20fd77a7a83/src/extension.ts#L106

For the moment, there is no robust documentation; please add a comment in #129 if you need documentation.

> However, I suggest using this issue to track the specifics of using self-signed certs within any TLS type of config.

Ok thanks for your suggestion.

@hguerrero can you try the CI build from https://github.com/jlandersen/vscode-kafka/actions/runs/987534310 and give some feedback?

@hguerrero please note that there is a bug with the ca, cert, key file save settings. Once you have selected the file, please add a space and remove a space on each file field before saving. I'm fixing that.

Sure, I'll give it a try

Hey, @angelozerr what type of file do I need to get for the certificate authority? Right now I tried crt, pem, and keystore, but I'm not able to select any using the browse button.

It's a mistake that I made. I need to add other file extensions. Please use the expected file extension for the moment by renaming your file extension. I will fix that soon.

Ok, adding the full path in the textbox worked.

Awesome work folks!

I was able to connect with no trouble

@hguerrero was your certificate self-signed?

Yes, it was @fbricon

Cool, thanks. FYI, @angelozerr has made some more improvements to the proposed changes, including fixing the file browsing. You can try a newer build from https://github.com/jlandersen/vscode-kafka/actions/runs/994037689

@fbricon I tested the new version, but unfortunately it is not working.

Looks like when using the browse button:

  • I can now select my file
  • The file does not show in the textbox
  • When I click on Finish the server is created but the cert is not linked

So, when trying to connect to my cluster I still get the self-signed cert error.

If I manually add the path in the textbox, as I did with the previous version, it works.

@hguerrero what OS are you on?

> @hguerrero what OS are you on?

MacOS Big Sur v11.4

@hguerrero have you tried the latest build from https://github.com/jlandersen/vscode-kafka/actions/workflows/ci.yml?query=is%3Asuccess ?

No, I used the 6-day-old one; let me try with the one from 1 hr ago.

Ok, I can confirm that the latest build (700) worked correctly.

Fixed with #193

Hi guys! First of all, thank you for making kafka available in vs code. I'm really looking forward to ditching the expensive conduktor I have to use through VNC. However I'm getting this error as well. I might have more than just this issue though - not sure:

  1. I have this issue and I don't understand how I'm supposed to fix it
  2. In conduktor I simply have to point to my truststore.jks file. I converted it using this method. However this only creates a single PEM file. And I'm prompted for three different files in your setup:

Not really sure which one to pick or if I'm missing files? Any help would be greatly appreciated! <3

I'm on Windows 10 Enterprise with a remote to a VM running Ubuntu 18.04.4 LTS btw :)

@kasperschnack to be honest with you, I have no knowledge about JKS, etc. I have just consumed the kafkajs API and the expected tls ConnectionOptions:

If it requires some changes, any feedback is welcome, thanks!
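An added example, not part of the original thread and not code from vscode-kafka or kafkajs: kafkajs hands its `ssl` object to Node's `tls.connect()`, so the three fields correspond to `ca` (trusted CA certificates, which is what a truststore export holds), and `cert` plus `key` (client certificate and private key, needed only when the broker requires mutual TLS). The helper names and the placeholder PEM bodies below are assumptions made for illustration.

```javascript
// Added example: map PEM material onto the ca / cert / key options that
// kafkajs forwards to tls.connect(). All function names are hypothetical.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;

// Split PEM text into its blocks, keeping each block's label.
function pemBlocks(text) {
  return [...(text || '').matchAll(PEM_BLOCK)].map((m) => ({ label: m[1], pem: m[0] }));
}

const isCert = (b) => b.label === 'CERTIFICATE';
const isKey = (b) => /PRIVATE KEY$/.test(b.label);

// caPem: trusted CA certificate(s), e.g. the PEM exported from a truststore.
// certPem + keyPem: client certificate and its key, only for mutual TLS.
function buildSslOptions({ caPem, certPem, keyPem } = {}) {
  const ca = pemBlocks(caPem);
  if (ca.length === 0 || !ca.every(isCert)) {
    throw new Error('ca must contain CERTIFICATE blocks only');
  }
  // Verification stays on; a self-signed certificate is trusted by listing it in ca.
  const ssl = { rejectUnauthorized: true, ca: ca.map((b) => b.pem) };

  if (certPem || keyPem) {
    if (!certPem || !keyPem) throw new Error('cert and key must be given together');
    const certs = pemBlocks(certPem);
    const keys = pemBlocks(keyPem);
    if (certs.length === 0 || !certs.every(isCert)) {
      throw new Error('cert must contain CERTIFICATE blocks only');
    }
    if (keys.length !== 1 || !isKey(keys[0])) {
      throw new Error('key must contain exactly one private key block');
    }
    ssl.cert = certPem;
    ssl.key = keyPem;
  }
  return ssl;
}

// Constructed sample: the base64 bodies are placeholders, not real certificates.
const block = (label, body) => `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
const truststorePem =
  block('CERTIFICATE', 'Q09OU1RSVUNURUQx') + block('CERTIFICATE', 'Q09OU1RSVUNURUQy');

console.log(Object.keys(buildSslOptions({ caPem: truststorePem })));
```

With only a truststore export, the result carries `ca` and no `cert` or `key`, which is enough when the broker does not ask for a client certificate.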

Cannot connect using v0.15.0
Cannot find old build for v0.13.0

The certificate I issued does not have correct hostnames; more than that, I'm playing with a cluster of 3 brokers.
Need to have the ability to bypass host validation.

Failed operation - Connection error: Hostname/IP does not match certificate's altnames: IP: is not in the cert's list

To install a prior version: