How to disable snowflake OCSP validation while connecting from kafka-snowflake sink connector - apache-kafka

We are trying to push data from Kafka topics to Snowflake using sink connectors, but we are unable to create the connector and see the warning below:
SEVERE: WARNING!!! Using fail-open to connect. Driver is connecting to an HTTPS endpoint without OCSP based Certificate Revocation checking as it could not obtain a valid OCSP Response to use from the CA OCSP responder. Details:
How can we bypass this certificate validation/checking?

Related

CocoaMQTT iOS client cannot connect to a broker with TLS

CocoaMQTT client is running on iOS15 with the SSL enabled as shown in this example. The cert_key.p12 file was merged from the client.crt and client.key files signed by the same (self-created) CA that was used for the MQTT server/broker certificate generation. The MQTT broker is configured to require client's certificate and use its CN as the username. The handshake does not go well - the log complains about the unknown certificate:
New connection from 192.168.1.87 on port 8883.
OpenSSL Error[0]: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Based on research into the above error, the broker does not like the client's certificate, right? In fact, looking at the Wireshark log, it seems the client does not send the certificate to the server. Is that something I need to enable in the app configuration? Does the Swift CocoaMQTT package even support this feature (providing the cert to the broker)?
EDIT:
I tried running a client with the same cert/key with paho-mqtt in Python, which also allows providing the client with the CA certificate, and everything runs OK:
Trying to use the same client cert/key in CocoaMQTT on iOS 15 shows the MQTT broker log error message as above, and the fatal alert shows up in the Wireshark log:
Initially, I thought that the server did not like (or did not receive) the client's certificate, but that fatal alert packet's destination is port 8883. So now I tend to believe that it is the client that does not like the server's certificate. This is expected if the client uses the pool of official CAs to verify the certificate instead of recognizing that its own certificate was issued by the same CA as the server's. This is further confirmed by setting allowUntrustCACertificate = true: it seems the handshake is suspended and no more communication occurs:
There's also a debug message on the client's side:
Call the SSL/TLS manually validating function
So it looks like the client will not continue the communication until this validation process occurs. As #Brits mentioned in his comment, there is a callback to validate the cert manually, but it is implemented as part of the delegate. I do see that there is a method mqtt.didReceiveTrust which I assume should be used for cert validation, and I wish to use the closure approach as stated on the README page, which gives an example for the didReceiveMessage method:
Now you can use closures instead of CocoaMQTTDelegate:
mqtt.didReceiveMessage = { mqtt, message, id in
print("Message received in topic \(message.topic) with payload \(message.string!)")
}
With a weak understanding of Swift closures, I am not able to figure out how to make that function call, so the question now becomes: how do I convert that function from the delegate definition into the closure?
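As an added example (not from the asker or the CocoaMQTT project), here is the delegate method rewritten as the didReceiveTrust closure, evaluating the broker's trust chain against the app's own CA instead of accepting it blindly; the DER file name "ca.der" and the broker host are assumptions.

```swift
import CocoaMQTT
import Security

// Delegate form the closure replaces (CocoaMQTTDelegate):
//   func mqtt(_ mqtt: CocoaMQTT, didReceive trust: SecTrust,
//             completionHandler: @escaping (Bool) -> Void)

let mqtt = CocoaMQTT(clientID: "ios-client", host: "broker.example.internal", port: 8883)
mqtt.enableSSL = true
// Keep validation on; the closure below decides whether the chain is acceptable.
mqtt.allowUntrustCACertificate = false
// Client identity (.p12) is set via mqtt.sslSettings as in the asker's setup; omitted here.

// Load the private CA bundled with the app (DER-encoded "ca.der"; assumed file name).
func loadPrivateCA() -> SecCertificate? {
    guard let url = Bundle.main.url(forResource: "ca", withExtension: "der"),
          let data = try? Data(contentsOf: url) else { return nil }
    return SecCertificateCreateWithData(nil, data as CFData)
}

// Accept the broker only if its chain ends at our CA and the hostname matches.
func evaluate(_ trust: SecTrust, against ca: SecCertificate, host: String) -> Bool {
    SecTrustSetAnchorCertificates(trust, [ca] as CFArray)
    SecTrustSetAnchorCertificatesOnly(trust, true)          // ignore system roots
    SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString))
    var error: CFError?
    return SecTrustEvaluateWithError(trust, &error)
}

// Closure form: same parameters as the delegate method, minus the delegate itself.
mqtt.didReceiveTrust = { mqtt, trust, completionHandler in
    guard let ca = loadPrivateCA() else {
        completionHandler(false)   // no CA to check against: refuse rather than fail open
        return
    }
    completionHandler(evaluate(trust, against: ca, host: mqtt.host))
}

_ = mqtt.connect()
```

Calling completionHandler(false) aborts the handshake, which is what you want when the chain cannot be tied to your CA.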

Unable to use Node-Red with token verification to request kubernetesAPI

The Node-Red flow is as follows:
Related attributes:
I have appended the token string; why can't I make a GET request?
The error is as follows:
"Error: unable to verify the first certificate : https://192.168.58.160:6443/api/v1/namespaces/nodes/"
If you enable SSL/TLS and create an SSL/TLS configuration for the connection, you can either supply a CA certificate or disable certificate verification.

Solace Spring Cloud Stream Binding

How do you initialize a Solace Binder with Spring Cloud Stream where the connection AUTHENTICATION_SCHEME is AUTHENTICATION_SCHEME_GSS_KRB?
solace:
  java:
    host: tcp://.....
    msgVpn: myvpn
    client-username: username
    apiProperties:
      AUTHENTICATION_SCHEME: AUTHENTICATION_SCHEME_GSS_KRB
      KRB_SERVICE_NAME: HOST
      JaasLoginContext: SolaceGSS
Error Response (403) - No matching configured Authorization Group was found
The error indicates that the Client Authorization is failing. Client Authorization is different from Client Authentication.
Once a client connection to a Message VPN is successfully authenticated, access to the event broker resources and messaging capabilities within that Message VPN must be authorized for the client.
The default authorization method is Internal. It looks like you have set LDAP as the authorization method but there is no matching LDAP group for your client.
You can refer to the Solace documentation for more information on configuring LDAP Authorization.

Enable Kerberos on Apache Kafka

I am trying to make a Kafka cluster Kerberos-aware. However, I keep getting auth errors when I try to start the Kafka server.
The easiest way for me to ask this is to split it into 3 questions.
Is there any software that needs to be on the server before one can start kerberising some service, Apache Kafka in my case (prerequisite software)?
Why is the Kafka server trying to authenticate on start-up, and with what? (The error suggests it is trying to connect to ZooKeeper.)
ERROR An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.client.ZooKeeperSaslClient).
Does ZooKeeper need to be kerberised as well for the Kafka server to be kerberised?

SSLException:Unrecognized SSL message, plaintext connection

I have a Spray Scala project. I am making an HTTPS connection with a self-signed certificate (.jks) to this project through a REST call. I referred to this link, Configuration issue for Spray https server with self-signed certificate?, to configure Spray as an HTTPS server. When I run my project it reads the .jks certificates, but when I fire a request it gives the following error:
Aborting encrypted connection to /192.168.1.3:46346 due to [SSLException:Unrecognized SSL message, plaintext connection?]
I found the answer. When I configured Spray for HTTPS, it can't accept HTTP requests; it accepts only HTTPS requests.