Kafka SSL handshake failed issue
I am trying to enable SSL authentication on my Kafka server. I am following section 7.2 of the Kafka documentation.

I followed all the steps, but while calling the producer.bat file to send data into the topic I get the error below.

ERROR [Producer clientId=console-producer] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

Caused by: java.security.cert.CertificateException: No name matching localhost found

I did create the certificate with CN=localhost.

Matzo answered 4/12, 2018 at 13:50 Comment(0)
The server host name verification may be disabled by setting ssl.endpoint.identification.algorithm to an empty string on the client.

Piegari answered 10/12, 2018 at 19:14 Comment(1)
I've got the same issue and set ssl.endpoint.identification.algorithm and listener.name.internal.ssl.endpoint.identification.algorithm to empty strings in the server.properties file, 'Custom kafka-broker' section of Ambari. I restarted Kafka on all 3 nodes, yet this error persists. Any ideas? (Probate)
Just set ssl.endpoint.identification.algorithm= and it can help you.

I.e. with an empty value:

ssl.endpoint.identification.algorithm=
Fabrice answered 2/8, 2019 at 1:46 Comment(2)
A line which is "ssl.endpoint.identification.algorithm="; do not add anything after the "=". (Fabrice)
Actually this is the solution. You need to leave the field BLANK in order to skip the validation. Please note that doing this is considered a bad practice and should NEVER be used in production as it DISABLES ssl verification and opens an array of attacks. (Cindicindie)
Generally java.security.cert.CertificateException: No name matching localhost found means that the hostname in the certificate does not match the hostname of the server.

There is a great explanation of this error here: CertificateException: No name matching ssl.someUrl.de found

Estrella answered 4/12, 2018 at 16:5 Comment(0)
For me it is an issue with the input given to first name and last name for keytool.

Please check this

Marco answered 19/7, 2020 at 10:41 Comment(0)
We encountered the following errors; this might be because of the upgrade of Kafka's version from 1.x to 2.x.

javax.net.ssl.SSLHandshakeException: General SSLEngine problem ... javax.net.ssl.SSLHandshakeException: General SSLEngine problem ... java.security.cert.CertificateException: No name matching *** found

or

[Producer clientId=producer-1] Connection to node -2 failed authentication due to: SSL handshake failed

The default value for ssl.endpoint.identification.algorithm was changed to https, which performs hostname verification (man-in-the-middle attacks are possible otherwise). Set ssl.endpoint.identification.algorithm to an empty string to restore the previous behaviour. Apache Kafka Notable changes in 2.0.0

Solution: SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, ""

Kept answered 8/4, 2019 at 7:46 Comment(0)
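Estrella's and Kept's answers say that the exception means the certificate name does not match the host, and that ssl.endpoint.identification.algorithm=https is what turns the check on, but not how the check decides. The following is an added example, not code from this thread or from Kafka: a small Python model of HTTPS-style hostname matching (RFC 6125, as Java's HostnameChecker applies it) run against constructed certificate descriptions in the dict layout of Python's ssl getpeercert(), showing why a CN typed at the keytool prompt, or a certificate whose SAN omits the broker name, yields "No name matching localhost found", and why the durable fix is a certificate whose SAN covers the advertised broker name rather than an empty algorithm setting.

```python
import ipaddress

class CertificateError(ValueError):
    """Raised when no certificate name matches, as Java's CertificateException does."""

def _dns_match(pattern, hostname):
    # Exact match, or a wildcard covering exactly the left-most label (RFC 6125 6.4.3).
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return "." in hostname and pattern[1:] == hostname[hostname.find("."):]
    return False

def match_hostname(cert, hostname):
    """HTTPS-style endpoint identification, i.e. the check that
    ssl.endpoint.identification.algorithm=https enables in the Kafka client.
    `cert` follows the dict layout of ssl.SSLSocket.getpeercert().
    Returns the matching certificate name or raises CertificateError."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # An IP endpoint must appear as a SAN iPAddress entry; the CN is never consulted.
        for ip in ip_names:
            if ipaddress.ip_address(ip) == target_ip:
                return ip
    else:
        for name in dns_names:
            if _dns_match(name, hostname):
                return name
        # The CN is only a fallback for certificates with no dNSName SAN at all, so a
        # SAN-bearing certificate with the wrong names fails even when CN=localhost.
        if not dns_names:
            for rdn in cert.get("subject", ()):
                for key, value in rdn:
                    if key == "commonName" and _dns_match(value, hostname):
                        return value
    raise CertificateError(f"No name matching {hostname} found")

# Constructed sample certificates (not from the thread). The first mimics answering
# keytool's "What is your first and last name?" prompt literally, which becomes the CN.
KEYTOOL_NAME_CERT = {"subject": ((("commonName", "Kafka Admin"),),)}
CN_LOCALHOST_CERT = {"subject": ((("commonName", "localhost"),),)}
SAN_CERT = {"subject": ((("commonName", "localhost"),),),
            "subjectAltName": (("DNS", "*.kafka.internal"), ("IP Address", "10.0.0.5"))}
```

Running match_hostname(SAN_CERT, "localhost") fails even though the CN is localhost, which is the situation a broker certificate issued for its real DNS name produces when a client connects via localhost; fix the name in the certificate or the bootstrap address, not the verification setting.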
When using Strimzi Kafka operator, use the cluster ca cert (add to jks truststore) to avoid this error. The client CA certificate was always throwing this error for me.

Einstein answered 9/8, 2022 at 10:40 Comment(0)
I got this error because of connection problems, caused by my firewall.

The connection can be checked with:
openssl s_client -debug -connect servername:port -tls1_2

The answer should be "Verify return code: 0 (ok)". Other return codes could suggest that you have no access.

Lovett answered 26/1, 2023 at 15:4 Comment(0)
