13

I am trying to enable SSL authentication on my Kafka server. I am following section 7.2 of the Kafka documentation.

I followed all the steps, but when calling the producer.bat file to send data into the topic I get the error below.

ERROR [Producer clientId=console-producer] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

Caused by: java.security.cert.CertificateException: No name matching localhost found

I did create the certificate with CN=localhost.

Gray
Osman Jabri

7 Answers

23

The server host name verification may be disabled by setting ssl.endpoint.identification.algorithm to an empty string on the client.

Gray
charlb
    I've got the same issue and set ssl.endpoint.identification.algorithm and listener.name.internal.ssl.endpoint.identification.algorithm to empty strings in the server.properties file, 'Custom kafka-broker' section of Ambari. I restarted Kafka on all 3 nodes yet this error persists. Any ideas? – ammills01 Feb 01 '19 at 15:40
4

Just setting ssl.endpoint.identification.algorithm= can help you.

I.e. with an empty value:

ssl.endpoint.identification.algorithm=
selle
macknight
    A line which is "ssl.endpoint.identification.algorithm="; do not add anything after the = – macknight Aug 02 '19 at 01:47
  • 1
    Actually this is the solution. You need to leave the field BLANK in order to skip the validation. Please note that doing this is considered a bad practice and should NEVER be used in production as it DISABLES SSL verification and opens an array of attacks. – patito Sep 10 '19 at 23:13
2

Generally java.security.cert.CertificateException: No name matching localhost found means that the hostname in the certificate does not match the hostname of the server.

There is a great explanation of this error here: CertificateException: No name matching ssl.someUrl.de found

Gray
Filipe dos Santos
2

For me it was an issue with the input given for first name and last name in Keytool.

Please check this

1

We encountered the following errors; this might be because of the upgrade of Kafka's version from 1.x to 2.x.

javax.net.ssl.SSLHandshakeException: General SSLEngine problem ... javax.net.ssl.SSLHandshakeException: General SSLEngine problem ... java.security.cert.CertificateException: No name matching *** found

or

[Producer clientId=producer-1] Connection to node -2 failed authentication due to: SSL handshake failed

The default value for ssl.endpoint.identification.algorithm was changed to https, which performs hostname verification (man-in-the-middle attacks are possible otherwise). Set ssl.endpoint.identification.algorithm to an empty string to restore the previous behaviour. Apache Kafka Notable changes in 2.0.0

Solution: SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, ""

Senchan Sue
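To see why the handshake fails before deciding whether to touch ssl.endpoint.identification.algorithm, here is an added diagnostic (not from this answer and not Kafka's own code) that applies the same hostname-matching rules an HTTPS-style client uses: it takes a certificate in the dict shape Python's ssl getpeercert() returns and reports whether a given broker hostname would pass. SAMPLE_CERT is constructed to mirror the question's CN=localhost certificate; fetch_peer_cert is an assumed helper for pulling a real broker's certificate.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# broker certificate created with CN=localhost and no subjectAltName,
# i.e. the situation in the question.
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (),
}

def cert_dns_names(cert):
    """Names a client may match against: SAN dNSName entries if present,
    otherwise the subject CN (the fallback Java applies when no SAN exists)."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, a single wildcard only in
    the left-most label, and a wildcard never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest:
        return False
    hfirst, _, hrest = host.partition(".")
    return bool(hfirst) and hrest == rest

def explain_endpoint_identification(cert, host):
    """Return (ok, message): would a client connecting to `host` pass
    hostname verification against `cert`?"""
    names = cert_dns_names(cert)
    for n in names:
        if name_matches(n, host):
            return True, f"'{host}' matches certificate name '{n}'"
    return False, (f"No name matching {host} found; certificate names are {names}. "
                   f"Reissue the broker certificate with a SAN for {host}, or connect "
                   f"using one of the listed names, rather than clearing "
                   f"ssl.endpoint.identification.algorithm.")

def fetch_peer_cert(host, port, cafile=None):
    """Assumed helper: fetch the broker certificate with hostname checking off
    (chain validation stays on) so explain_endpoint_identification can explain it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port)) as s, ctx.wrap_socket(s, server_hostname=host) as ss:
        return ss.getpeercert()
```

Run explain_endpoint_identification(fetch_peer_cert("broker", 9093, "ca.pem"), "broker") against a real listener to get the same verdict the producer would, with the certificate names spelled out.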
1

When using Strimzi Kafka operator, use the cluster ca cert (add to jks truststore) to avoid this error. The client CA certificate was always throwing this error for me.

Junaid
0

I got this error because of connection problems, caused by my firewall.

The connection can be checked with:
openssl s_client -debug -connect servername:port -tls1_2

The answer should be "Verify return code: 0 (ok)". Other return codes could suggest that you have no access.

SJX