Deploying kafka trigger to Windows Premium app using eventhubs kafka heads gives ssl cert error #173

Open
hannesne opened this issue Sep 16, 2020 · 2 comments
Labels
bug Something isn't working

Comments

@hannesne

I'm getting the following error in my logs when deployed to a Windows-based Premium function app:

    sasl_ssl://hnltestbkend3wepfx-std.servicebus.windows.net:9093/bootstrap: SSL handshake failed: .\ssl\s3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Any idea how to fix this?

@TsuyoshiUshio TsuyoshiUshio added bug Something isn't working and removed Needs: triage (functions) labels Sep 16, 2020
@TsuyoshiUshio
Contributor

Hi @hannesne, sorry for the inconvenience. It looks like a bug in libkafka.
It happens only on Premium (Windows). When I test on my Windows PC, it works. Probably related to this issue: confluentinc/librdkafka#3025

confluentinc/confluent-kafka-dotnet#1374

As a workaround, you can do this. I tested it, and it works with EventHubs and Premium Windows.

  1. Add SslCaLocation
    [KafkaTrigger(
            "LocalBroker",
            "%EHTOPIC%",
            ConsumerGroup = "$Default",
            Username = "$ConnectionString",
            Password = "%EventHubConnectionString%",
            Protocol = BrokerProtocol.SaslSsl,
            SslCaLocation = "cacert.pem",                                      // <- Added this line.
            AuthenticationMode = BrokerAuthenticationMode.Plain)] KafkaEventData<string> kafkaEvent,

cacert.pem on your project with Copy always.


The certificate is for EventHubs. It is already included in the NuGet package. I tested with

    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Kafka" Version="3.1.0" />

@TsuyoshiUshio
Contributor

I also tested with Confluent Cloud. It was the same.
For Confluent Cloud:

  1. Download the CA certificate (i.e. from https://curl.haxx.se/ca/cacert.pem).
  2. Rename cacert.pem to confluent_cloud_cacert.pem to avoid a conflict with the existing EventHubs Kafka certificate that is part of the extension.
  3. Include the file in the project, setting "Copy always".
  4. Set SslCaLocation = "confluent_cloud_cacert.pem",

@TsuyoshiUshio TsuyoshiUshio pinned this issue Sep 16, 2020
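A pre-deployment check for the workaround above, as an added example that is not part of the original thread or the extension's code: it confirms that the file named in `SslCaLocation` actually reached the build output and records a SHA-256 fingerprint for every trust anchor being shipped. The function names are hypothetical, the relative `SslCaLocation` is assumed to resolve against the build output directory, and the check is structural only (PEM framing, base64, DER length), not X.509 validation.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def is_single_der_sequence(der: bytes) -> bool:
    """True if `der` is one DER SEQUENCE whose declared length equals its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def inventory_ca_bundle(output_dir, ssl_ca_location):
    """Return SHA-256 fingerprints of the certificates in the shipped bundle."""
    path = Path(output_dir) / ssl_ca_location   # assumption: relative to output dir
    if not path.is_file():
        raise ValueError(f"{path} is not in the build output")
    text = path.read_text(encoding="ascii", errors="replace")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:                         # e.g. a saved HTML error page
        raise ValueError(f"{path} contains no PEM certificates")
    if text.count(BEGIN) != len(blocks):   # a BEGIN line without its END line
        raise ValueError(f"{path} has a truncated PEM block")
    fingerprints = []
    for index, body in enumerate(blocks, start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError(f"certificate {index}: bad base64") from exc
        if not is_single_der_sequence(der):
            raise ValueError(f"certificate {index}: incomplete DER structure")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints

if __name__ == "__main__":
    # Constructed stand-in: a tiny DER SEQUENCE, not a real certificate.
    fake = BEGIN + "\n" + base64.encodebytes(b"\x30\x03\x02\x01\x00").decode() + END + "\n"
    with tempfile.TemporaryDirectory() as out:
        Path(out, "confluent_cloud_cacert.pem").write_text(fake * 2)
        print(inventory_ca_bundle(out, "confluent_cloud_cacert.pem"))
```

Comparing the returned fingerprints between builds shows when the set of trusted CAs in the shipped file has changed.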