Client Changes Needed for Upcoming Confluent Cloud Certificate Authority (CA) Change
Incident Report for Confluent Cloud
Resolved
This incident has been resolved. Any residual issues found should be raised with Confluent Support. Please contact our support team at support@confluent.io, or open a ticket through our support portal at support.confluent.io.
Posted Oct 01, 2021 - 13:45 UTC
Monitoring
To minimize the impact on clients connecting to Confluent Cloud, Confluent has removed one of the CAs (DST Root CA X3) to prevent non-Java clients from breaking due to an OpenSSL bug. This action was completed on September 30th, at 6:30 AM PST.

Please view this article: https://support.confluent.io/hc/en-us/articles/4407646882708-Client-Changes-Needed-for-Upcoming-Confluent-Cloud-CA-Change

If you have any questions or concerns about this change, please contact our support team at support@confluent.io, or open a ticket through our support portal at support.confluent.io.
Posted Sep 30, 2021 - 19:33 UTC
Identified
There is an upcoming change to the Certificate Authority (CA) used to sign TLS certificates for all Confluent Cloud resources. All Confluent Cloud clusters, schema registries, and API endpoints support TLS to ensure encryption from connecting clients.

Let’s Encrypt, the Certificate Authority, has been transitioning the Root CA used to sign certificates from IdenTrust (DST Root CA X3) to the ISRG (ISRG Root X1) CA. As a result, the certificates served by Confluent Cloud will be signed by the new CA moving forward. The DST Root CA X3 certificate is set to expire Sep 30 14:01:15 2021 GMT.

Am I affected by this change?

- Java client
  - For Java users specifically, this means using a Java version of at least 7u151 or 8u141 to avoid impact.
  - For clients or applications that leverage custom certificate trust stores to establish trust, you should ensure the ISRG Root X1 is included in your truststore.
  Full details are available here: https://support.confluent.io/hc/en-us/articles/360061428611

- Librdkafka and other clients
  - Customers using librdkafka or other client libraries that interact with Confluent Cloud and rely on the operating system truststore, backed by an OpenSSL/libssl version of 1.0.2 or lower, are exposed. Version 1.1.1 needs to be used to avoid impact.
  - For clients or applications that leverage custom certificate trust stores to establish trust, you should ensure the ISRG Root X1 is included in your truststore.
  Full details are available here: https://support.confluent.io/hc/en-us/articles/4407072704404
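A quick way to run the two checks above (OpenSSL version and presence of ISRG Root X1 in the truststore) is sketched below. This is an added example, not Confluent's code: it inspects the OpenSSL build and trust store of the Python interpreter it runs in, which may differ from the library your Kafka client links against, and the finding labels and sample entries are constructed for illustration.

```python
import ssl

ISRG_CN = "ISRG Root X1"     # root the advisory says must be trusted
DST_CN = "DST Root CA X3"    # root the advisory says expires Sep 30 2021
MIN_OPENSSL = (1, 1, 1)      # version the advisory says avoids impact


def common_names(ca_certs):
    """Collect subject commonName values from SSLContext.get_ca_certs() output."""
    names = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names


def assess(openssl_version_info, ca_certs):
    """Return finding labels (hypothetical names) for one client environment."""
    names = common_names(ca_certs)
    findings = []
    if tuple(openssl_version_info[:3]) < MIN_OPENSSL:
        findings.append("openssl-below-1.1.1")
    if ISRG_CN not in names:
        findings.append("isrg-root-x1-missing")
    if DST_CN in names:
        findings.append("dst-root-ca-x3-present")
    return findings


def assess_local(cafile=None):
    """Check this interpreter's OpenSSL and default store, or a PEM bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Note: get_ca_certs() lists certificates loaded from a file, not those
    # only reachable through a hashed capath directory.
    return assess(ssl.OPENSSL_VERSION_INFO, ctx.get_ca_certs())


# Constructed sample entries in the shape get_ca_certs() returns.
SAMPLE_DST = {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                          (("commonName", "DST Root CA X3"),))}
SAMPLE_ISRG = {"subject": ((("countryName", "US"),),
                           (("organizationName", "Internet Security Research Group"),),
                           (("commonName", "ISRG Root X1"),))}

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("local:", assess_local())
    print("sample old host:", assess((1, 0, 2, 11, 15), [SAMPLE_DST]))
```

To check a custom PEM truststore instead of the system default, pass its path as `cafile` to `assess_local`.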

If you have any questions or concerns about this change, please contact our support team at support@confluent.io, or open a ticket through our support portal at support.confluent.io.
Posted Sep 27, 2021 - 23:08 UTC
This incident affected: Confluent Cloud.