Failed to retrieve OIDC token from Let's Encrypt https endpoint #694

Open
Syndlex opened this issue Jun 7, 2024 · 1 comment

Syndlex commented Jun 7, 2024

Hey, I don't fully know if this is correct here or if it should be in librdkafka.

We want to connect to a Kafka that is protected by https://github.com/strimzi/strimzi-kafka-oauth

This is the setup within the configuration:

config.set("sasl.mechanisms", "OAUTHBEARER");
config.set("sasl.oauthbearer.method", auth_config.method.to_string());
config.set("sasl.oauthbearer.client.id", auth_config.client_id.to_string());
config.set("sasl.oauthbearer.client.secret", auth_config.client_secret.to_string());
config.set("sasl.oauthbearer.token.endpoint.url", auth_config.token_endpoint_url.to_string());
config.set("enable.ssl.certificate.verification", "false");

My system uses Ubuntu 22.04.

Cargo.toml is:

rdkafka = { version = "0.36.2", features = ["curl", "ssl", "gssapi", "cmake-build"] }

The error that I get at runtime is:

Failed to retrieve OIDC token from "https://accounts.varta-ag.com/realms/varta-dev/protocol/openid-connect/token": SSL certificate problem: unable to get local issuer certificate (-1)

I think this has to do with curl not knowing the CA Let's Encrypt certificate. But I am not fully sure.
I tried setting different env variables to configure the curl setup.
I also loaded the Let's Encrypt cert and CA into my /etc/ssl/certs/ folder.

I found this issue, but I think that is the setup against the broker, not against the token endpoint.
confluentinc/librdkafka#1814

I also found this Stack Overflow question where the error fits, but I cannot adapt any solution to Rust:
https://stackoverflow.com/questions/24611640/curl-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate?page=2&tab=scoredesc#tab-top

Syndlex commented Jun 17, 2024

So I figured it out.

This was just a linking problem with cmake libcurl and OpenSSL.
I use "dynamic-linking" now and installed librdkafka from confluentic.

With every other configuration I got:

(Client config error: Configuration property "sasl.oauthbearer.method" not supported in this build: OAuth/OIDC depends on libcurl and OpenSSL which were not available at build time sasl.oauthbearer.method oidc)

On my side this issue can be closed unless @fede1024 wants to investigate this problem and needs help.
