kafka
auth_error
ai_generated
true
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ID: kafka/ssl-certificate-verification-failed
Fix rate: 93%
Confidence: 87%
Evidence count: 1
First seen: 2023-08-05
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| 2.8.0 | active | — | — | — |
| 3.0.0 | active | — | — | — |
| 3.4.0 | active | — | — | — |
Root cause analysis
The Kafka client cannot verify the broker's SSL certificate because the CA certificate is missing from the truststore.
Official documentation
https://kafka.apache.org/documentation/#security_ssl
Solutions
- Import the broker's CA certificate into the client's truststore: `keytool -import -trustcacerts -alias broker-ca -file ca.crt -keystore client.truststore.jks -storepass changeit -noprompt`. Then configure the client with `ssl.truststore.location` and `ssl.truststore.password`.
- If using Java, set the truststore globally via JVM properties: `-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`
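A check to run after the import, as an added example that is not part of the original page or the Kafka project: it confirms that the CA in `ca.crt` is actually present in the truststore and prints the client settings that reference it. The class name `TruststoreCheck` is hypothetical; the file names and password default to those in the keytool command above, and Java 9 or later is assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Properties;

// Added example (hypothetical class name). Needs Java 9+ for KeyStore.getInstance(File, char[]).
public class TruststoreCheck {
    // Returns the alias under which the CA in caFile is stored, or null if it is absent.
    static String findCaAlias(String storePath, char[] password, String caFile) throws Exception {
        // Detects JKS vs PKCS12 from the file content and loads the store with the password.
        KeyStore store = KeyStore.getInstance(new File(storePath), password);
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caFile)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // List every trusted certificate so a wrong or stale CA is visible at a glance.
        for (String alias : Collections.list(store.aliases())) {
            if (store.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) store.getCertificate(alias);
                System.out.println(alias + ": " + c.getSubjectX500Principal() + " (expires " + c.getNotAfter() + ")");
            }
        }
        return store.getCertificateAlias(ca);
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the file names and password from the keytool command on this page.
        String storePath = args.length > 0 ? args[0] : "client.truststore.jks";
        String password = args.length > 1 ? args[1] : "changeit";
        String caFile = args.length > 2 ? args[2] : "ca.crt";

        String alias = findCaAlias(storePath, password.toCharArray(), caFile);
        if (alias == null) {
            System.err.println(caFile + " is not in " + storePath + ": import it before connecting");
            System.exit(1);
        }
        System.out.println("CA trusted under alias '" + alias + "'");

        // Settings that point a Kafka client at this truststore.
        Properties props = new Properties();
        props.setProperty("security.protocol", "SSL");
        props.setProperty("ssl.truststore.location", new File(storePath).getAbsolutePath());
        props.setProperty("ssl.truststore.password", "<truststore password>"); // placeholder, not echoed
        props.store(System.out, "Kafka client SSL settings");
    }
}
```

A non-zero exit status means the CA is missing, which makes the check usable as a deployment gate before the client starts.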
Ineffective attempts
Common but ineffective approaches:
- 70% failure: Setting `ssl.endpoint.identification.algorithm` to empty disables hostname verification but does not fix the missing certificate chain.
- 95% failure: Restarting the client or broker does not install missing CA certificates.