{ "id": "kafka/ssl-certificate-verification-failed", "signature": "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", "signature_zh": "javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX 路径构建失败:无法找到请求目标的有效证书路径", "regex": "SSLHandshakeException.*PKIX path building failed", "domain": "kafka", "category": "auth_error", "subcategory": null, "root_cause": "The Kafka client cannot verify the broker's SSL certificate because the CA certificate is missing from the truststore.", "root_cause_type": "generic", "root_cause_zh": "Kafka 客户端无法验证代理的 SSL 证书,因为信任库中缺少 CA 证书。", "versions": [ { "version": "2.8.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "3.0.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "3.4.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Setting ssl.endpoint.identification.algorithm to empty disables hostname verification but does not fix the missing certificate chain.", "fail_rate": 0.7, "condition": "", "sources": [] }, { "action": "", "why_fails": "Restarting the client or broker does not install missing CA certificates.", "fail_rate": 0.95, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Import the broker's CA certificate into the client's truststore:\nkeytool -import -trustcacerts -alias broker-ca -file ca.crt -keystore client.truststore.jks -storepass changeit -noprompt\nThen configure the client with ssl.truststore.location and ssl.truststore.password.", "success_rate": 0.95, "how": "Import the broker's CA certificate into the client's truststore:\nkeytool -import -trustcacerts -alias broker-ca -file ca.crt -keystore client.truststore.jks -storepass changeit -noprompt\nThen configure the client with ssl.truststore.location and ssl.truststore.password.", "condition": "", "sources": [] }, { "action": "If using Java, set the truststore globally via JVM properties:\n-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit", "success_rate": 0.9, "how": "If using Java, set the truststore globally via JVM properties:\n-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit", "condition": "", "sources": [] } ], "workarounds_zh": [ "Import the broker's CA certificate into the client's truststore:\nkeytool -import -trustcacerts -alias broker-ca -file ca.crt -keystore client.truststore.jks -storepass changeit -noprompt\nThen configure the client with ssl.truststore.location and ssl.truststore.password.", "If using Java, set the truststore globally via JVM properties:\n-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://kafka.apache.org/documentation/#security_ssl", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.87, "fix_success_rate": 0.93, "resolvable": "true", "first_seen": "2023-08-05", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }