function read_ssl_file doesn't support chained certificates

[artur-fijalkowski]

This is not mentioned explicitly in README.md, but read_ssl_file function doesn't support chained certificates. In *NIX environment this is very common that *.pem file contains multiple certificates concatenated together (eg. root CA + intermediate CA).

fluent-plugin-kafka/lib/fluent/plugin/kafka_plugin_util.rb

Line 35 in d0d9bbf

def read_ssl_file(path)

This is (most probably) easy to fix by splitting file during read on BEGIN CERTIFICATE line.

[repeatedly]

I'm not sure this should be fixed in fluent-plugin-kafka or ruby-kafka.
Does this mean ruby-kafka supports chained certificates but fluent-plugin-kafka doesn't use it or ruby-kafka should accept chained certificates?

[artur-fijalkowski]

I think that because ruby-kafka expects to get array of certificates and actual file read is in fluent-plugin-kafka the plugin is proper place for implementation. Also current documentation is a bit misleading. As it doesn't say anything about lack of chaining support (neither that ssl_ca_cert is an array of files).

[syedriko]

There is a workaround: split the CA bundle file into individual PEM files and specify them as an array in fluent-plugin-kafka config:

ssl_ca_cert ["root_ca.crt", "intermediate_ca.crt"]

This takes advantage of

fluent-plugin-kafka/lib/fluent/plugin/kafka_plugin_util.rb

Line 38 in da73a50

if path.is_a?(Array)

[syedriko]

I'm working on a proper fix.

[github-actions]

This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days

[syedriko]

#390 is the PR tracking work on this issue, hopefully that'll un-stale it.

[ashie]

Fixed by #410