Setting up Cassandra with PEMBasedSslContextFactory results in error
Author: errieman
Originally Sourced from: https://stackoverflow.com/questions/79813097/setting-up-cassandra-with-pembasedsslcontextfactory-results-in-error
I followed the guide for setting up client to server encryption with the PEMBasedSslContextFactory for Cassandra at https://cassandra.apache.org/doc/stable/cassandra/managing/operating/security.html#using-pem-based-key-material. However, it results in the following error:
    ERROR [main] 2025-11-08 09:43:19,527 CassandraDaemon.java:887 - Exception encountered during startup
    org.apache.cassandra.exceptions.ConfigurationException: Failed to initialize SSL
        at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1283)
        at org.apache.cassandra.config.DatabaseDescriptor.applyAll(DatabaseDescriptor.java:468)
        at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:262)
        at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:246)
        at org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:780)
        at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:723)
        at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:865)
    Caused by: java.io.IOException: Failed to create SSL context using Native transport
        at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:414)
        at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1278)
        ... 6 common frames omitted
    Caused by: javax.net.ssl.SSLException: Failed to build key manager store for secure connections
        at org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:261)
        at org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:223)
        at org.apache.cassandra.security.AbstractSslContextFactory.createNettySslContext(AbstractSslContextFactory.java:186)
        at org.apache.cassandra.security.SSLFactory.createNettySslContext(SSLFactory.java:170)
        at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:364)
        ... 7 common frames omitted
    Caused by: javax.net.ssl.SSLException: Must provide outbound_keystore or outbound_private_key in configuration for PEMBasedSSlContextFactory
        at org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:256)
        ... 11 common frames omitted
The configuration I am using is as follows:
    client_encryption_options:
      ssl_context_factory:
        class_name: org.apache.cassandra.security.PEMBasedSslContextFactory
      keystore: /etc/letsencrypt/live/example.com/combined.pem
      truststore: /etc/letsencrypt/live/example.com/chain.pem
      enabled: True
      require_client_auth: False
      optional: false
Where example.com replaces the actual domain name being used. The file combined.pem contains the fullchain + the private key in that order.
When I add outbound_keystore to either the parameters for the factory or to client_encryption_options it says that the option shouldn't be in either and that I should remove it.
Can someone help me find out what I am missing?