Troubleshoot Mutual TLS (mTLS) issues in Confluent Cloud¶
Review the following to troubleshoot issues frequently encountered when connecting to Confluent Cloud using mTLS. If you are unable to resolve issues using the information below, contact Confluent Support.
TLS client connection behavior¶
The following listings describe the behavior of the TLS client when connecting to Confluent Cloud using mTLS.
- Context is a single Confluent Cloud organization.
- “N/A” means that the state of the subject is not considered.
Early Access¶
During Early Access only:
Certificate revocation can only be done directly using the filter to immediately remove access to revoked certificates.
The client certificate chain is not automatically built, if not provided.
If only a leaf certificate is provided, the following error might occur:
Must be only one matching identity provider found when building principal for mTLS authenticated client of AuthenticationException.
To resolve this issue, provide the full leaf-to-root certificate chain.
Client connection behavior (TLS)¶
| Client connection (TLS) | Identity providers (for CA certificates) [server state] | Certificate identity pools (of identity provider) [server state] | Permission on certificate identity pool (to perform action on resource) [server state] | Outcome (client-side) | Explanation |
|---|---|---|---|---|---|
| Without keystore | N/A | N/A | N/A | Request timed out | The client doesn’t provide a certificate, so it doesn’t have authentication information, resulting in a timed out response. |
| With keystore but client certificate is expired | N/A | N/A | N/A | TLS handshake error | Because the client certificate is expired, the TLS handshake fails. |
| With keystore and client certificate is not expired | No identity provider | N/A | N/A | Request timed out | The server doesn’t have information to verify the client certificate, resulting in an authentication error that leads to a timed out response. |
| With keystore and client certificate is not expired | Identity provider signs client certificate but CA certificates are expired | N/A | N/A | Request timed out | Confluent routinely removes expired CA certificates from the truststore. Just like the no identity provider situation, this leads to a timed out response on the client. If the CA needs to be revoked immediately, then the corresponding certificate authority can be deleted from the Confluent Cloud organization after removing the CA’s attached certificate identity pools. |
| With keystore and client certificate is not expired | Identity provider signs client certificate | No matching certificate identity pool found | N/A | Request timed out | When no certificate identity pool is found for the identity provider, an authentication error occurs, leading to a timed out response for the client. |
| With keystore and client certificate is not expired | Identity provider signs client certificate | With certificate identity pool | No | Authorization error | If the principal doesn’t have permission to perform an action on a resource, an authorization error is expected. |
| With keystore and client certificate is not expired | Identity provider signs client certificate | With certificate identity pool | Yes | Request successful | The client is authenticated successfully. |
| With librdkafka-based SSL/SASL_SSL client | Identity provider signs client certificate | Without certificate identity pool | No | TLS handshake error | Confirm that the corresponding certificate authority configured in Confluent Cloud contains the signing certificate of the client certificate in the client keystore. |