kafka / auth_error (ai_generated: true)
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ID: kafka/ssl-certificate-verification-failed
Fix Rate: 93%
Confidence: 87%
Evidence: 1
First Seen: 2023-08-05
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| 2.8.0 | active | — | — | — |
| 3.0.0 | active | — | — | — |
| 3.4.0 | active | — | — | — |
Root Cause
The Kafka client cannot verify the broker's SSL certificate because the CA certificate that issued the broker's certificate is missing from the client's truststore, so the JVM cannot build a trusted certification path (the PKIX path building failure in the exception).
Official Documentation
https://kafka.apache.org/documentation/#security_ssl
Workarounds
- 95% success: Import the broker's CA certificate into the client's truststore: `keytool -import -trustcacerts -alias broker-ca -file ca.crt -keystore client.truststore.jks -storepass changeit -noprompt`. Then configure the client with `ssl.truststore.location` and `ssl.truststore.password`.
- 90% success: If using Java, set the truststore globally via JVM properties: `-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`
Dead Ends
Common approaches that don't work:
- 70% fail: Setting `ssl.endpoint.identification.algorithm` to an empty string disables hostname verification but does not fix the missing certificate chain, and it weakens the connection's security even when the chain is later repaired.
- 95% fail: Restarting the client or broker does not install missing CA certificates.