Upcoming Apache Kafka on Heroku CA Certificate Rotation starting July 31, 2017
Change effective on 17 July 2017
Heroku needs to rotate the CA certificates involved in authentication from time to time, in order to keep services secure and up to date. A rotation of this sort is due for the Kafka clusters managed by Heroku.
The KAFKA_TRUSTED_CERT environment variable used when connecting to an Apache Kafka cluster will start containing multiple PEM encoded certificates on July 31st, 2017. Starting two weeks after that, the week of August 14th, clusters will start undergoing Certificate Authority (CA) certificate rotation.
Please refer to our Dev Center documentation to understand how various client libraries should handle this.
Here is the full timeline:
- Beginning the week of July 31st 2017: clusters will receive two certificates in the KAFKA_TRUSTED_CERT config var. This is only a config var change, but is necessary to ensure that certificates can be rotated without a large potential impact to your application.
- Beginning the week of August 14th 2017: clusters will undergo CA certificate rotation. During this time, the KAFKA_TRUSTED_CERT, KAFKA_CLIENT_CERT and KAFKA_CLIENT_CERT_KEY config vars will receive updates, and the clusters will receive rolling broker restarts.
To best handle these changes, ensure that your application:
- Handles Apache Kafka on Heroku config vars changing: https://devcenter.heroku.com/articles/add-ons#config-var-values-can-change
- Follows our best practices for building and running robust Kafka based applications: https://devcenter.heroku.com/articles/robust-kafka
- Handles multiple certificates in KAFKA_TRUSTED_CERT: https://devcenter.heroku.com/articles/ca-cert-rotation-kafka
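As an added illustration (not code from Heroku or the Dev Center articles), the Python sketch below splits a multi-certificate KAFKA_TRUSTED_CERT value into individual PEM blocks and fingerprints each one, so an application can feed clients that expect one certificate per entry and can detect when the trusted set changes. The function names and the sample bundle are assumptions made for this example; the sample "certificates" are constructed placeholders, not real X.509 certificates.

```python
import base64
import hashlib
import os
import re
import ssl

# Matches one PEM certificate block, including its BEGIN/END lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_pem_bundle(bundle):
    """Return every PEM certificate block found in the bundle, in order."""
    return PEM_CERT_RE.findall(bundle)

def fingerprints(bundle):
    """SHA-256 hex fingerprint of each certificate's DER bytes."""
    return [
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
        for pem in split_pem_bundle(bundle)
    ]

def trust_changed(old_bundle, new_bundle):
    """True when the set of trusted CA certificates differs (order ignored)."""
    return set(fingerprints(old_bundle)) != set(fingerprints(new_bundle))

def _fake_pem(payload):
    # Constructed placeholder: PEM framing around arbitrary bytes,
    # not a real X.509 certificate.
    body = base64.encodebytes(payload).decode("ascii").strip()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----"

OLD_CA = _fake_pem(b"constructed old CA" * 8)
NEW_CA = _fake_pem(b"constructed new CA" * 8)
SAMPLE_BUNDLE = OLD_CA + "\n" + NEW_CA + "\n"  # two certificates, as during rotation

if __name__ == "__main__":
    # Falls back to the constructed sample when the config var is not set.
    bundle = os.environ.get("KAFKA_TRUSTED_CERT", SAMPLE_BUNDLE)
    for fp in fingerprints(bundle):
        print(fp)
```

Python's own ssl.SSLContext.load_verify_locations(cadata=...) accepts a string of one or more concatenated PEM certificates, so splitting is only needed for clients or trust stores that take one certificate per entry.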