# javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: unable to find valid certification path to requested target

- **ID:** `kafka/ssl-certificate-verification-failed`
- **Domain:** kafka
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 93%

## Root cause

The Kafka client cannot verify the broker's SSL certificate because the CA certificate is missing from the truststore.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| 2.8.0 | active | — | — |
| 3.0.0 | active | — | — |
| 3.4.0 | active | — | — |

## Solutions

1. Import the broker's CA certificate into the client's truststore:

   ```
   keytool -import -trustcacerts -alias broker-ca -file ca.crt -keystore client.truststore.jks -storepass changeit -noprompt
   ```

   Then configure the client with `ssl.truststore.location` and `ssl.truststore.password`.
2. If using Java, set the truststore globally via JVM properties:

   ```
   -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
   ```
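
The first fix as a repeatable script, added here as an example and not part of the original entry: it imports the CA only when the alias is absent, then writes the client settings with hostname verification left on. The function names, the `TRUSTSTORE_PASS` environment variable and the file paths are assumptions.

```shell
# Added example. Assumes TRUSTSTORE_PASS is exported in the environment and
# that keytool is on PATH; file names and the default alias are placeholders.

# Import the CA only if the alias is not already in the truststore.
# -storepass:env reads the password from the environment, so it does not
# appear in the process list the way a literal -storepass value does.
ensure_ca_trusted() {
  ca_file=$1; truststore=$2; ca_alias=${3:-broker-ca}
  [ -r "$ca_file" ] || { echo "CA file not readable: $ca_file" >&2; return 2; }
  if [ -f "$truststore" ] && keytool -list -alias "$ca_alias" \
       -keystore "$truststore" -storepass:env TRUSTSTORE_PASS >/dev/null 2>&1; then
    return 0   # alias already present, nothing to import
  fi
  keytool -import -trustcacerts -alias "$ca_alias" -file "$ca_file" \
    -keystore "$truststore" -storepass:env TRUSTSTORE_PASS -noprompt
}

# Write the Kafka client SSL settings for that truststore.
# Hostname verification stays enabled (https): the fix for the PKIX error
# is the truststore content, not relaxed endpoint checks.
write_client_props() {
  props_truststore=$1; props_out=$2
  [ -f "$props_truststore" ] || {
    echo "truststore not found: $props_truststore" >&2; return 1; }
  (
    umask 077   # the file holds the truststore password
    cat > "$props_out" <<EOF
security.protocol=SSL
ssl.truststore.location=$props_truststore
ssl.truststore.password=$TRUSTSTORE_PASS
ssl.endpoint.identification.algorithm=https
EOF
  )
}
```

Typical use is `ensure_ca_trusted ca.crt client.truststore.jks` followed by `write_client_props "$PWD/client.truststore.jks" client.properties`.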

## Ineffective attempts

- Setting `ssl.endpoint.identification.algorithm` to empty disables hostname verification but does not fix the missing certificate chain. (70% failure rate)
- Restarting the client or broker does not install missing CA certificates. (95% failure rate)
