How to use Let's Encrypt issued certificate with bitnami Kafka

We're using the 'ssl_tls' mechanism with the bitnami/kafka helm chart. We're using Let's Encrypt and cert-manager for issuing the certificate. Created a secret out of the Let's Encrypt generated certificates and passed the secret to the existingSecrets parameter in the helm chart. Now when I'm using the KafkaJS library to connect to the Kafka broker, with ssl: true it is throwing an error:

KafkaJSConnectionError: Connection error: unable to verify the first certificate

Detailed Steps/How to generate:

  • Enabled external access to kafka chart so that it gives us an IP at port 9094
      externalAccess.enabled: true
      externalAccess.autoDiscovery.enabled: true
      externalAccess.service.type: LoadBalancer
      externalAccess.service.ports.external: 9094
      externalAccess.service.domain: ""
  • Bound this IP to a domain
  • Bound this domain name to Let's Encrypt certificate issuer to issue certificate for this domain
  • tls.crt and tls.key are generated
  • Renamed these files and used these to create a secret
      kubectl create secret generic kafka-tls-0 --from-file=tls.crt=kafka-0.tls.crt --from-file=tls.key=kafka-0.tls.key
  • Modified chart value to configure tls part
      tls.type: pem
      tls.pemChainIncluded: true
      tls.existingSecrets: ["kafka-tls-0"]
  • Applied the values of the chart (started broker)
  • Now in the KafkaJS client setup, tried to pass a value to the brokers parameter in either format, ip:9094 or, and also passed ssl:true

My Questions:

  1. Is the flow correct? Or are we going to the wrong direction?
  2. What is the reason behind the problem? Is it the certificate chain that is wrong? (seems like it is!)

Followup Question:

  1. If we can make it work, what will be the next steps for ensuring auto-renewal of the certificates? Is it managed automatically? Or would we have to maintain a script for Let's Encrypt certificate auto-renewal?
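The error in the original post, "unable to verify the first certificate", is what Node's TLS stack reports when the server presents only its leaf certificate and the client cannot find the issuing intermediate, so the secret's tls.crt must carry the leaf followed by the intermediate(s) (the layout tls.pemChainIncluded describes). The following is an added example, not code from the thread or from the bitnami chart: it builds a constructed root, intermediate and leaf in memory (the hostname kafka-0.example.com is an assumption), then checks a PEM bundle the way a client with only public roots would, and checks that the bundle is in leaf-first order. It also shows that a bundle which verifies fine still fails hostname verification when the client connects by IP instead of the name on the certificate, which is the other thing the post's brokers setting (ip:9094) would trip over.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Assumed hostname for the constructed leaf certificate (not from the thread).
const BrokerName = "kafka-0.example.com"

// parsePEMCerts returns every CERTIFICATE block in the bundle, in file order.
func parsePEMCerts(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificates in bundle")
	}
	return certs, nil
}

// VerifyBundle checks that the first certificate in bundle (the one a broker
// presents as its own) chains to a trusted root using only the intermediates
// that are also in the bundle, and that it is valid for dnsName. A leaf-only
// bundle fails here for the same reason a client reports an unverifiable chain.
func VerifyBundle(bundle, roots []byte, dnsName string) error {
	certs, err := parsePEMCerts(bundle)
	if err != nil {
		return err
	}
	rootPool := x509.NewCertPool()
	if !rootPool.AppendCertsFromPEM(roots) {
		return fmt.Errorf("no trusted roots parsed")
	}
	interPool := x509.NewCertPool()
	for _, c := range certs[1:] {
		interPool.AddCert(c)
	}
	_, err = certs[0].Verify(x509.VerifyOptions{DNSName: dnsName, Roots: rootPool, Intermediates: interPool})
	return err
}

// ChainOrdered reports whether each certificate in the bundle is signed by the
// one that follows it, i.e. the bundle is leaf first, then intermediates.
// A single-certificate bundle is trivially ordered; use VerifyBundle for completeness.
func ChainOrdered(bundle []byte) bool {
	certs, err := parsePEMCerts(bundle)
	if err != nil {
		return false
	}
	for i := 0; i+1 < len(certs); i++ {
		if certs[i].CheckSignatureFrom(certs[i+1]) != nil {
			return false
		}
	}
	return true
}

// JoinPEM concatenates PEM fragments into one bundle, as a tls.crt file would be laid out.
func JoinPEM(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

// newCert issues a certificate for tmpl signed by parent; it is self-signed when parent is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	c, err := x509.ParseCertificate(der)
	return c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// template builds a constructed CA or server-certificate template (test data only).
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// BuildTestChain returns constructed leaf, intermediate and root PEMs.
func BuildTestChain() (leaf, inter, root []byte, err error) {
	rootCert, rootKey, rootPEM, err := newCert(template("Constructed Root", true, 1), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	interCert, interKey, interPEM, err := newCert(template("Constructed Intermediate", true, 2), rootCert, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	_, _, leafPEM, err := newCert(template(BrokerName, false, 3), interCert, interKey)
	return leafPEM, interPEM, rootPEM, err
}

func main() {
	leaf, inter, root, err := BuildTestChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf only:       ", VerifyBundle(leaf, root, BrokerName))
	fmt.Println("leaf+intermediate:", VerifyBundle(JoinPEM(leaf, inter), root, BrokerName))
	fmt.Println("connect by IP:   ", VerifyBundle(JoinPEM(leaf, inter), root, "192.0.2.10"))
	fmt.Println("ordered:", ChainOrdered(JoinPEM(leaf, inter)), "misordered:", ChainOrdered(JoinPEM(inter, leaf)))
}
```

Run it against a real tls.crt by replacing the constructed bundle with the file contents and the constructed root with the public CA bundle the client trusts; the leaf-only case prints an unknown-authority error, the leaf-plus-intermediate case prints nil, and the IP case prints a hostname mismatch even though the chain itself is complete. The same three checks are what a client such as KafkaJS performs with ssl: true, so a bundle that passes all of them here will be accepted there when the broker is addressed by its DNS name.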

I've re-edited your post as I fail to see what purpose besides spam your edit had.

Your issue might be way too specific for this Community. I recommend also looking for support at Kafka-specific support channels, if you haven't done so already. In the meantime you're welcome to wait until perhaps some other volunteer does have some experience and insight into Kafka.

Also, the questionnaire from the #help section, which you didn't get or have deleted, mentions it's required to provide the actual hostname so volunteers can check things like certs and chains remotely. However, you haven't provided anything, so there's nothing to remotely check.
