SSLHandshakeException with HTTPS Schema Registry

[riedelmax]

Hey Everyone,

I am trying to establish a connection to an HTTPS Schema Registry url. However, I get SSLHandshakeException.

config:

yamlApplicationConfig:
  kafka:
    clusters:
      - name: name
        bootstrapServers: bootstrap.url
        defaultKeySerde: SchemaRegistry
        defaultValueSerde: SchemaRegistry
        schemaRegistry: https://schemaregistry.url
        properties:
          security.protocol: SSL
          ssl.truststore.location: /ssl/kafka-user-secret/ca.crt
          ssl.truststore.type: PEM
          ssl.keystore.location: /ssl/kafka-user-secret/user.crt
          ssl.keystore.type: PEM

The brokers are mTLS secured, Schema Registry just uses TLS on server side without client authentication. The presented server certificates are signed by the same CA and this certificate is present in /ssl/kafka-user-secret/ca.crt. I already verified the certificate in two ways:

1. The broker connection is working and it is using the same truststore. Kafka UI shows topics and everything cluster related.
2. I used the same ca.crt to connect to the HTTPS Schema Registry url via curl. This also works fine.

The exception is The connection observed an error io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

During startup the AdminClientConfig values are printed to the log. They don't look suspicious:

ssl.cipher.suites = null
ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
ssl.endpoint.identification.algorithm = https
ssl.engine.factory.class = null
ssl.key.password = null
ssl.keymanager.algorithm = SunX509
ssl.keystore.certificate.chain = null
ssl.keystore.key = null
ssl.keystore.location = /ssl/kafka-user-secret/user.crt
ssl.keystore.password = null
ssl.keystore.type = PEM
ssl.protocol = TLSv1.3
ssl.provider = null
ssl.secure.random.implementation = null
ssl.trustmanager.algorithm = PKIX
ssl.truststore.certificates = null
ssl.truststore.location = /ssl/kafka-user-secret/ca.crt
ssl.truststore.password = null
ssl.truststore.type = PEM

In the documentation it is stated that Kafka UI use the same truststore for Schema Registry, Broker and Connect. Am I missing something?

[pantaoran]

I have the same problem. It seems like maybe the configured truststore is used for connecting to the brokers, but the schema registry connection does not use it? I haven't tried looking at the code yet so I'm just guessing.