
Kafka Connector | SSL Handshake failure when no subject alternative names matching IP address found

Publication date: Feb 28, 2025
Solution

SYMPTOM

When deploying an application containing the Kafka connector, the test connection during deployment fails with the error:
 
INFO 2024-02-02 16:18:29,573 [[MuleRuntime].uber.03: [xxxxx].uber@org.mule.runtime.core.internal.connection.DefaultConnectivityTesterFactory$1.testConnectivity:81 @271f6a24] [processor: ; event: ] org.mule.runtime.core.internal.connection.DefaultConnectivityTesterFactory: Connectivity test failed for config 'Apache_Kafka_Consumer_configuration'. Application deployment will continue. Error was: SSL handshake failed
org.mule.runtime.api.connection.ConnectionException: SSL handshake failed
Caused by: org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 100.121.212.42 found
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0_362]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324) ~[?:1.8.0_362]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:1.8.0_362]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262) ~[?:1.8.0_362]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:1.8.0_362]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_362]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_362]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_362]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_362]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981) ~[?:1.8.0_362]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968) ~[?:1.8.0_362]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_362]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915) ~[?:1.8.0_362]
The same error occurs after deployment whenever the application attempts to process a message.

CAUSE

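This fails because the hostname of the Kafka server and the certificate common name (CN) do not match. In the log above, the client reaches the broker by the IP address 100.121.212.42, and the broker certificate contains no subject alternative name (SAN) entry for that address.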
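
As an added illustration (not part of the original article, and not MuleSoft or Kafka code), this Python model of HTTPS-style endpoint identification shows why a client that connects by IP address rejects a certificate that names the broker only by DNS name. The certificates and the hostname kafka-broker.example.internal are constructed, and the model ignores the CN entirely, which is a simplification.

```python
import ipaddress

# Constructed sample certificates in the dict shape of ssl.SSLSocket.getpeercert().
# The hostname is hypothetical; the IP address is the one in the log above.
BROKER_CERT = {
    "subject": ((("commonName", "kafka-broker.example.internal"),),),
    "subjectAltName": (("DNS", "kafka-broker.example.internal"),),
}
REISSUED_CERT = dict(BROKER_CERT, subjectAltName=BROKER_CERT["subjectAltName"]
                     + (("IP Address", "100.121.212.42"),))


def _dns_match(pattern, host):
    """Compare one DNS SAN with host; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_endpoint(cert, target):
    """Return (ok, reason) for a client that connects to `target` and receives `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only iPAddress SAN entries count; DNS SANs and the CN are ignored.
        if any(ipaddress.ip_address(v) == ip for k, v in sans if k == "IP Address"):
            return True, "matched IP SAN"
        return False, f"no subject alternative names matching IP address {target}"
    if any(_dns_match(v, target) for k, v in sans if k == "DNS"):
        return True, "matched DNS SAN"
    return False, f"no DNS subject alternative name matching {target}"


if __name__ == "__main__":
    for cert, target in [(BROKER_CERT, "100.121.212.42"),
                         (BROKER_CERT, "kafka-broker.example.internal"),
                         (REISSUED_CERT, "100.121.212.42")]:
        print(target, check_endpoint(cert, target))
```

The first case reproduces the failure in the log; the other two pass because the client either connects by a name the certificate carries or the certificate carries an IP SAN for the address the client uses.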

SOLUTION

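You need to explicitly disable the Endpoint Identification Algorithm in the connector configuration so that the server hostname is not validated. With this setting disabled, the client still validates the broker certificate chain against its truststore, but it no longer checks that the certificate was issued for the host it connected to.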

You can validate that this has been disabled by checking for the parameter ssl.endpoint.identification.algorithm in your application logs. It will have no value, as follows:

ssl.endpoint.identification.algorithm=
Knowledge article number

001117249
