Re: Broker Hostname mismatch error seen with aiokafka APIs


Jakub Scholz
 

You are using the external loadbalancer listener with internal service name. That is causing the problem. You should either switch to one of the internal interfaces - e.g. the one on port 9093. Or you should use the proper loadbalancer bootstrap address which you can find in the status section of the Kafka custom resource (`kubectl get kafka -o yaml` should show it for you). In general, if your app runs inside the same Kubernetes, using the internal listener on port 9093 would be the right way to go => it should be cheaper and more performant than going through the loadbalancer. That should be used by apps outside your Kube cluster.

Jakub
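The reply above comes down to TLS hostname verification: the broker certificate lists the names and addresses it was issued for, and the cluster-internal DNS name of the external-bootstrap service is not one of them. As an added example (not code from this thread or from Strimzi), the block below runs a minimal RFC 6125-style SAN check against a constructed broker certificate and reads the bootstrap address out of a constructed Kafka status; the SAN contents and status values are assumptions for illustration, not a claim about what real Strimzi certificates contain.

```python
# Added illustration (not code from the thread or from Strimzi): a minimal
# RFC 6125-style SAN check of the kind TLS clients perform, run against a
# CONSTRUCTED broker certificate and a CONSTRUCTED Kafka CR status.
# SAN contents are a plausible sample, not a claim about real Strimzi certs.

# Constructed sample: shaped like what ssl's getpeercert() returns.
BROKER_CERT = {
    "subjectAltName": (
        ("DNS", "strimzi-kafka-kafka-bootstrap"),
        ("DNS", "strimzi-kafka-kafka-bootstrap.kafka.svc"),
        ("DNS", "strimzi-kafka-kafka-bootstrap.kafka.svc.cluster.local"),
        ("DNS", "*.strimzi-kafka-kafka-brokers.kafka.svc"),
        ("IP Address", "203.0.113.10"),  # the loadbalancer address
    ),
}

# Constructed sample: the relevant part of `kubectl get kafka -o yaml` status.
KAFKA_STATUS = {
    "listeners": [
        {"name": "tls", "bootstrapServers": "strimzi-kafka-kafka-bootstrap.kafka.svc:9093"},
        {"name": "external", "bootstrapServers": "203.0.113.10:9094"},
    ]
}


def dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label."""
    p_labels, h_labels = pattern.lower().split("."), hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] != "*":
        return p_labels == h_labels
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, host: str) -> bool:
    """True if host is covered by a DNS or IP Address SAN entry (CN is ignored)."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and dns_pattern_matches(value, host):
            return True
        if kind == "IP Address" and value == host:
            return True
    return False


def bootstrap_for_listener(status: dict, listener_name: str):
    """Return status.listeners[].bootstrapServers for the named listener, or None."""
    for listener in status.get("listeners", []):
        if listener.get("name") == listener_name:
            return listener.get("bootstrapServers")
    return None
```

With these samples, the external-bootstrap service name from the question fails the check while the internal bootstrap name and the loadbalancer IP pass, which is the behaviour the thread reports.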

On Fri, Feb 4, 2022 at 10:49 AM <udaykumartj@...> wrote:
Hi all,
I am getting the below error for the code (which uses aiokafka APIs) that I have pasted below (also provided kafka resource yaml snippet). Instead of kafka broker hostname, if I give IP address, it works. Not sure why kafka broker (dns) hostname is not working. Please help.

Unable connect to "strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local:9094": [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local'. (_ssl.c:1129)

Note: If I use confluent_kafka APIs (Consumer, Producer), I don't see this issue.

Code snippet:
from aiokafka import AIOKafkaConsumer
from aiokafka.helpers import create_ssl_context

# Mutual TLS: cluster CA to verify the broker, user cert/key to authenticate the client
context = create_ssl_context(
    cafile='/etc/vcerts/cluster/ca.crt',
    certfile='/etc/vcerts/client/user.crt',
    keyfile='/etc/vcerts/client/user.key',
)

async def consume(my_topic, group_id):
    consumer = AIOKafkaConsumer(
        my_topic, bootstrap_servers='strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local:9094',
        auto_offset_reset='latest',
        group_id=group_id,
        security_protocol="SSL",
        ssl_context=context)

    await consumer.start()  # <=== This line throws the above error.

Kafka spec:
kind: Kafka
metadata:
  name: strimzi-kafka
spec:
  kafka:
    version: 3.0.0
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
    template:
      clusterCaCert:
        metadata:
....
 
