Confluent Cloud uses Let's Encrypt certificates for the resources it secures with TLS on the wire, such as Kafka cluster endpoints, Schema Registry, and the Metrics API.
Since early 2021, these certificates have been issued by a new intermediate certificate, Let's Encrypt R3, which is signed by the ISRG Root X1 root certificate. ISRG Root X1 is widely trusted by current operating systems, client libraries and trust stores.
To retain compatibility with older clients and operating systems, Let's Encrypt also had ISRG Root X1 cross-signed by the very broadly trusted DST Root CA X3 certificate, so the chain served to clients was:
Server Certificate -> Let's Encrypt R3 -> ISRG Root X1 -> DST Root CA X3
DST Root CA X3 expires on Sep 30 14:01:15 2021 GMT. This does not affect the majority of clients, which already trust ISRG Root X1 directly and therefore never need the expired root. Older OpenSSL releases, the 1.0.x line (1.0.2 and earlier), are the exception: their chain building stops at the first chain that reaches a certificate in the trust store and does not try an alternative chain. If the expired DST Root CA X3 is still in the client trust store, they build the chain up to it, reject it as expired, and fail the handshake, even though ISRG Root X1 is trusted as well.
OpenSSL 1.1.0 fixed this chain-building behaviour, so 1.1.0 and newer are not affected.
Am I affected by this change?
This notice applies to customers using librdkafka or other client libraries that connect to Confluent Cloud using the operating system trust store and are linked against OpenSSL 1.0.2 or older. Java clients use the JVM trust store and its own validation, not OpenSSL, and are not affected.
To minimize the impact on clients connecting to Confluent Cloud, Confluent has removed the DST Root CA X3 link from the certificate chain served by its endpoints, so the served chain now ends at ISRG Root X1. This prevents non-Java clients from breaking because of the OpenSSL bug, provided ISRG Root X1 is present in their trust store. This change was completed on September 30th, 2021 at 6:30 AM PST.
How do I mitigate this?
Ensure ISRG Root X1 is part of your truststore.
For example, on Red Hat Enterprise Linux 7, CentOS 7, or Amazon Linux 2, validate that both of the following extracted trust bundles include the ISRG Root X1 certificate:
- /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
In each file the certificate is marked by a comment line with its name followed directly by the PEM block. In ca-bundle.trust.crt the block uses the OpenSSL trusted-certificate armour:
# ISRG Root X1
-----BEGIN TRUSTED CERTIFICATE-----
................................
-----END TRUSTED CERTIFICATE-----
In tls-ca-bundle.pem the same entry uses the plain armour (-----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----). If the entry is missing from either file, the ca-certificates package is out of date; update it and re-run update-ca-trust so the extracted bundles are regenerated.
If you use a custom truststore, ensure ISRG Root X1 is included in it as well. For clients that must stay on OpenSSL 1.0.x, also remove the expired DST Root CA X3 from the trust store they use, since its presence is what triggers the failed chain build.
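The checks above (the OpenSSL version cut-off from "Am I affected by this change?" and the two trust bundle files listed in this section) can be scripted on the client host. The following is an added example written for this article, not Confluent's own tooling. It assumes the layout of the two extracted ca-trust bundles (a "# <name>" comment line directly followed by a PEM block), the "OpenSSL x.y.z ..." format printed by `openssl version`, and the two bundle paths named above; the sample bundle it can write is constructed, with placeholder bodies rather than real certificates, so that the parsing can be exercised on a machine without those files.

```shell
#!/bin/sh
# Added example, not part of the Confluent article or any Confluent tooling:
# audits a RHEL 7 / CentOS 7 / Amazon Linux 2 client host for the two
# conditions the article describes: an OpenSSL older than 1.1.0, and a system
# trust bundle that lacks ISRG Root X1 (or still carries the expired
# DST Root CA X3). Assumptions: bundle paths are the two the article names,
# each bundle lists certificates as a "# <name>" comment line followed
# directly by a PEM block, and `openssl version` prints "OpenSSL x.y.z ...".

# openssl_version_affected "OpenSSL 1.0.2k-fips  26 Jan 2017"
# Returns 0 if the version is older than 1.1.0 (chain-building bug present),
# 1 if it is 1.1.0 or newer, 2 if the string is not an OpenSSL version string.
openssl_version_affected() {
  ova_num=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$ova_num" ] || return 2
  ova_major=${ova_num%%.*}
  ova_minor=${ova_num#*.}
  if [ "$ova_major" -lt 1 ]; then return 0; fi
  if [ "$ova_major" -eq 1 ] && [ "$ova_minor" -lt 1 ]; then return 0; fi
  return 1
}

# bundle_has_cert FILE "ISRG Root X1"
# Returns 0 when FILE contains a "# <name>" header immediately followed by a
# PEM block (plain or TRUSTED armour), 1 when it does not, 2 if unreadable.
bundle_has_cert() {
  [ -r "$1" ] || return 2
  awk -v want="# $2" '
    $0 == want { armed = 1; next }
    armed && /^-----BEGIN (TRUSTED )?CERTIFICATE-----$/ { found = 1; exit }
    { armed = 0 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# bundle_cert_pem FILE "ISRG Root X1"
# Prints the PEM block that follows the "# <name>" header, e.g. to feed into
# `openssl x509 -noout -subject -enddate` on a real bundle.
bundle_cert_pem() {
  awk -v want="# $2" '
    $0 == want { armed = 1; next }
    armed && /^-----BEGIN/ { printing = 1 }
    printing { print }
    printing && /^-----END/ { exit }
    { if (!printing) armed = 0 }
  ' "$1"
}

# write_sample_bundle FILE
# Writes a constructed bundle in the layout of tls-ca-bundle.pem. The bodies
# are placeholders, not real certificates; it exists only for self-testing.
write_sample_bundle() {
  cat > "$1" <<'EOF'
# Constructed sample in the layout of tls-ca-bundle.pem; the base64 bodies
# are placeholders, not real certificates.

# DST Root CA X3
-----BEGIN CERTIFICATE-----
placeholderDSTRootCAX3bodyAAAA
-----END CERTIFICATE-----

# ISRG Root X1
-----BEGIN CERTIFICATE-----
placeholderISRGRootX1bodyAAAA
placeholderISRGRootX1bodyBBBB
-----END CERTIFICATE-----
EOF
}

# audit_host: run both checks against this machine and print a verdict.
# Always returns 0; the verdict line carries the result.
audit_host() {
  ah_verdict="ok"
  if command -v openssl >/dev/null 2>&1; then
    ah_ver=$(openssl version)
    if openssl_version_affected "$ah_ver"; then
      echo "WARN: '$ah_ver' predates 1.1.0: chain-building bug present"
      ah_verdict="at-risk"
    fi
  else
    echo "SKIP: openssl binary not found"
  fi
  for ah_bundle in /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt \
                   /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; do
    [ -r "$ah_bundle" ] || { echo "SKIP: $ah_bundle not present"; continue; }
    if bundle_has_cert "$ah_bundle" "ISRG Root X1"; then
      echo "OK:   ISRG Root X1 present in $ah_bundle"
    else
      echo "FAIL: ISRG Root X1 missing from $ah_bundle"
      ah_verdict="at-risk"
    fi
    if bundle_has_cert "$ah_bundle" "DST Root CA X3"; then
      echo "NOTE: expired DST Root CA X3 still present in $ah_bundle"
    fi
  done
  echo "verdict: $ah_verdict"
  return 0
}

audit_host
```

Run it as a script on the client host; a "verdict: at-risk" line means the host has an affected OpenSSL and/or a bundle without ISRG Root X1. The PEM block printed by bundle_cert_pem can be piped into `openssl x509 -noout -subject -enddate` on a real bundle to confirm the subject and expiry date of the entry found.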
If you have any questions or concerns about this change, please contact our support team by clicking "Submit a Request" on the top right of this site.