Hi Luke,

We are using Kafka 2.8.1 Broker/Client in our prod environment with SASL_SSL communication between the Kafka clients and the broker. We are using the IP for the property "bootstrap.servers" when initiating the KafkaConsumer. For some reason, one of our customers is unable to use the IP in the CA certificate and has provided only the hostname in the SAN entry of the certificate, due to which he is getting the following exception in the logs:
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address xx.xx.xx.xx found
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)

Even after disabling the hostname verifier, he is unable to send data from the client to the broker. He has also added the IP/hostname entry for the broker in the /etc/hosts file.

Can you please let us know:
1. Are both the IP and DNS fields mandatory in the SAN for Kafka certificates?
2. If not, why is the communication failing without the IP?

Regards,
Deepak Jain
Cumulus Systems
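An added, self-contained check (not part of the message above, and not Kafka's or the JDK's own code) that models the endpoint-identification step behind the "No subject alternative names matching IP address" error: it takes a certificate's SAN entries and a `bootstrap.servers` string and reports, per host, whether HTTPS-style verification would accept the certificate. The SAN list and the bootstrap addresses are constructed sample values; the wildcard handling is a simplification of the JDK rules.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the subjectAltName entries of a broker certificate that carries
# only a DNS name, the situation described in the message above. Real values would
# come from the broker's certificate (e.g. `openssl x509 -noout -ext subjectAltName`).
BROKER_SAN: List[Tuple[str, str]] = [("DNS", "kafka-broker-1.example.internal")]


def _match_dns(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; a single '*' is accepted only as the whole
    leftmost label (a simplification of the RFC 6125 rules the JDK applies)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def endpoint_matches(san_entries: List[Tuple[str, str]], dialed_host: str) -> Tuple[bool, str]:
    """Model the HTTPS-style endpoint identification a Kafka client performs when
    ssl.endpoint.identification.algorithm=https (the default since Kafka 2.0).
    Returns (accepted, reason)."""
    try:
        ip = ipaddress.ip_address(dialed_host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries. DNS SAN entries
        # and /etc/hosts mappings are not consulted, so a DNS-only certificate fails here.
        ip_sans = [v for kind, v in san_entries if kind == "IP"]
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return True, f"IP SAN {ip} present"
        return False, f"no IP SAN matches {ip} (IP SANs present: {ip_sans or 'none'})"
    dns_sans = [v for kind, v in san_entries if kind == "DNS"]
    for pattern in dns_sans:
        if _match_dns(pattern, dialed_host):
            return True, f"DNS SAN {pattern!r} matches {dialed_host}"
    return False, f"no DNS SAN matches {dialed_host} (DNS SANs present: {dns_sans or 'none'})"


def bootstrap_servers_report(bootstrap_servers: str,
                             san_entries: List[Tuple[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every host in a Kafka bootstrap.servers string ("host:port,host:port")
    against the certificate's SAN list; maps each host to (accepted, reason)."""
    report: Dict[str, Tuple[bool, str]] = {}
    for entry in bootstrap_servers.split(","):
        host, sep, _port = entry.strip().rpartition(":")
        if not sep:          # entry without a port: the whole string is the host
            host = entry.strip()
        report[host] = endpoint_matches(san_entries, host)
    return report


if __name__ == "__main__":
    # Constructed bootstrap list: one IP literal, one hostname, against the DNS-only SAN.
    for host, (ok, why) in bootstrap_servers_report(
        "10.0.0.5:9093,kafka-broker-1.example.internal:9093", BROKER_SAN
    ).items():
        print(f"{host:40} {'OK  ' if ok else 'FAIL'} {why}")
```

The check models only the endpoint-identification step, which the Kafka client controls through `ssl.endpoint.identification.algorithm` (default `https`; an empty string turns the check off on the client side). A handshake that still fails with the check disabled points at a different stage (trust-store contents, client authentication, or the SASL exchange), which this model cannot diagnose; the broker-side and client-side logs at DEBUG level for `org.apache.kafka.common.network` are the next place to look.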