kafka staging: Unable to connect to the internal SASL listener
When a consumer tries to connect through the INTERNAL (SASL/SSL, port 9094) listener, this error is returned:
vsellier@storage1 ~ % /opt/kafka/bin/kafka-topics.sh --bootstrap-server journal1.internal.staging.swh.network:9094 --command-config kafka.properties --list
[2023-03-21 17:14:34,443] ERROR [AdminClient clientId=adminclient-1] Connection to node 2 (storage1.internal.staging.swh.network/192.168.130.41:9094) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2023-03-21 17:14:34,445] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching storage1.internal.staging.swh.network found.
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
The cause is a hostname mismatch: the INTERNAL listener is advertised as storage1.internal.staging.swh.network, but the broker certificate only carries journal1.internal.staging.swh.network (the kafka broker CNAME) in its Subject Alternative Name, so the client's hostname verification rejects the TLS handshake.
Kafka configuration:
advertised.listeners=INTERNAL_PLAINTEXT://storage1.internal.staging.swh.network:9092,INTERNAL://storage1.internal.staging.swh.network:9094,EXTERNAL://broker1.journal.staging.swh.network:9093
Certificate:
vsellier@storage1 ~ % echo | openssl s_client -showcerts -connect $(hostname -f):9094 | openssl x509 -text
...
X509v3 Subject Alternative Name:
DNS:broker1.journal.staging.swh.network, DNS:journal1.internal.staging.s
...
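To find this kind of mismatch from the configuration and the certificate alone, without restarting clients, the following script replays the hostname check the JVM performs during the handshake (RFC 6125 style dNSName matching: case-insensitive exact match, or a wildcard covering exactly one left-most label) against every TLS-terminating advertised listener. This is an added example, not code from the ticket or from Kafka; the full SAN list (the output above is cut off) and the set of listener names that use TLS are assumptions, not taken from the actual broker.

```python
"""Check each Kafka advertised listener against the broker certificate's SANs.

Added example, not code from the SWH ticket. Reproduces the hostname check
that the JVM performs during the TLS handshake (RFC 6125 style matching:
case-insensitive exact match, or a wildcard covering exactly one left-most
label) so the mismatch can be found from the config and the certificate
alone, without restarting clients.
"""
from urllib.parse import urlsplit

# Constructed inputs: the advertised.listeners value from the ticket and a
# SAN list assumed to contain the two DNS names the truncated output shows.
ADVERTISED_LISTENERS = (
    "INTERNAL_PLAINTEXT://storage1.internal.staging.swh.network:9092,"
    "INTERNAL://storage1.internal.staging.swh.network:9094,"
    "EXTERNAL://broker1.journal.staging.swh.network:9093"
)
# Assumed full SAN list (the ticket's output is cut off after "staging.s").
CERT_SANS = [
    "broker1.journal.staging.swh.network",
    "journal1.internal.staging.swh.network",
]
# Listener names assumed to use TLS (SASL_SSL / SSL) in
# listener.security.protocol.map; plaintext listeners present no certificate.
TLS_LISTENERS = {"INTERNAL", "EXTERNAL"}


def parse_listeners(value):
    """Turn 'NAME://host:port,...' into [(name, host, port), ...]."""
    out = []
    for item in value.split(","):
        name, _, rest = item.strip().partition("://")
        # urlsplit handles bracketed IPv6 literals as well as plain hostnames.
        parts = urlsplit("//" + rest)
        out.append((name, parts.hostname, parts.port))
    return out


def san_matches(san, host):
    """RFC 6125 matching of one dNSName SAN against a hostname."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    s_labels, h_labels = san.split("."), host.split(".")
    # Wildcard only allowed as the whole left-most label, never covering a
    # public suffix alone ("*.com"), and it matches exactly one label.
    if s_labels[0] != "*" or len(s_labels) < 3 or len(s_labels) != len(h_labels):
        return False
    return s_labels[1:] == h_labels[1:]


def hostname_in_sans(host, sans):
    """True if any SAN entry would satisfy hostname verification for host."""
    return any(san_matches(s, host) for s in sans)


def check_listeners(value, sans, tls_listeners):
    """Return {listener_name: (host, ok)} for every TLS-terminating listener."""
    return {
        name: (host, hostname_in_sans(host, sans))
        for name, host, _port in parse_listeners(value)
        if name in tls_listeners
    }


if __name__ == "__main__":
    results = check_listeners(ADVERTISED_LISTENERS, CERT_SANS, TLS_LISTENERS)
    for name, (host, ok) in results.items():
        print(f"{name:10} {host:45} {'ok' if ok else 'NO SAN MATCH'}")
```

With the inputs above, INTERNAL is reported as having no SAN match while EXTERNAL is fine, which is exactly the split the AdminClient error shows. The fix is either to advertise the INTERNAL listener under a name the certificate covers, or to reissue the certificate with the advertised hostname (or a wildcard for the internal domain) in its SAN list; the same check can be run against a live broker with `openssl s_client -verify_hostname <advertised-host> -connect <advertised-host>:9094`.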
Edited by Vincent Sellier