Broker Hostname mismatch error seen with aiokafka APIs
udaykumartj@...
Hi all,
I am getting the below error for the code (which uses aiokafka APIs) that I have pasted below (also provided the Kafka resource YAML snippet). Instead of the Kafka broker hostname, if I give the IP address, it works. Not sure why the Kafka broker (DNS) hostname is not working. Please help.
Unable connect to "strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local:9094": [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local'. (_ssl.c:1129)
Note: If I use confluent_kafka APIs (Consumer, Producer), I don't see this issue.
Code snippet:
    from aiokafka import AIOKafkaConsumer
    from aiokafka.helpers import create_ssl_context

    # Trust the cluster CA and present the client certificate for mutual TLS.
    context = create_ssl_context(
        cafile='/etc/vcerts/cluster/ca.crt',
        certfile='/etc/vcerts/client/user.crt',
        keyfile='/etc/vcerts/client/user.key',
    )
    consumer = AIOKafkaConsumer(
        my_topic,
        bootstrap_servers='strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local:9094',
        auto_offset_reset='latest',
        group_id=group_id,
        security_protocol="SSL",
        ssl_context=context)
    await consumer.start()  # <=== This line throws the above error.
Kafka spec:
    apiVersion: kafka.strimzi.io/v1beta2
    kind: Kafka
    metadata:
      name: strimzi-kafka
    spec:
      kafka:
        version: 3.0.0
        replicas: 3
        listeners:
          - name: plain
            port: 9092
            type: internal
            tls: false
          - name: tls
            port: 9093
            type: internal
            tls: true
            authentication:
              type: tls
          - name: external
            port: 9094
            type: loadbalancer
            tls: true
            authentication:
              type: tls
        template:
          clusterCaCert:
            metadata:
              ....
Jakub Scholz
You are using the external loadbalancer listener with internal service name. That is causing the problem. You should either switch to one of the internal interfaces - e.g. the one on port 9093. Or you should use the proper loadbalancer bootstrap address which you can find in the status section of the Kafka custom resource (`kubectl get kafka -o yaml` should show it for you). In general, if your app runs inside the same Kubernetes, using the internal listener on port 9093 would be the right way to go => it should be cheaper and more performant than going through the loadbalancer. That should be used by apps outside your Kube cluster.
Jakub
On Fri, Feb 4, 2022 at 10:49 AM <udaykumartj@...> wrote:
> Hi all,
> I am getting the below error for the code (which uses aiokafka APIs) that i have pasted below (also provided kafka resource yaml snippet). Instead of kafka broker hostname, if i give IP address, it works. Not sure why kafka broker (dns) hostname is not working. Please help.
> Unable connect to "strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local:9094": [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local'. (_ssl.c:1129)
> Note: If i use confluent_kafka APIs (Consumer, Producer), i dont see this issue.
> Code snippet:
> context = create_ssl_context(
>     cafile='/etc/vcerts/cluster/ca.crt',
>     certfile='/etc/vcerts/client/user.crt',
>     keyfile='/etc/vcerts/client/user.key',
> )
> consumer = AIOKafkaConsumer(
>     my_topic, bootstrap_servers='strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local:9094',
>     auto_offset_reset='latest',
>     group_id=group_id,
>     security_protocol="SSL",
>     ssl_context=context)
> await consumer.start() <=== This line throws the above error.
> Kafka spec:
> apiVersion: kafka.strimzi.io/v1beta2
> kind: Kafka
> metadata:
>   name: strimzi-kafka
> spec:
>   kafka:
>     version: 3.0.0
>     replicas: 3
>     listeners:
>       - name: plain
>         port: 9092
>         type: internal
>         tls: false
>       - name: tls
>         port: 9093
>         type: internal
>         tls: true
>         authentication:
>           type: tls
>       - name: external
>         port: 9094
>         type: loadbalancer
>         tls: true
>         authentication:
>           type: tls
>     template:
>       clusterCaCert:
>         metadata:
>           ....
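The check suggested in the reply above (read the bootstrap address from the status section of the Kafka custom resource), sketched as an added example that is not part of the original thread or of Strimzi's code. The status JSON is a constructed sample (the hosts and the IP are made up), and the function names `advertised_bootstrap` and `listener_for` are hypothetical.

```python
import json

# Constructed sample: status section of `kubectl get kafka -o json` for the
# cluster in this thread. The hosts and the IP address are made-up values.
SAMPLE_KAFKA_CR = json.loads("""
{"metadata": {"name": "strimzi-kafka", "namespace": "kafka"},
 "status": {"listeners": [
  {"name": "plain", "bootstrapServers": "strimzi-kafka-kafka-bootstrap.kafka.svc:9092",
   "addresses": [{"host": "strimzi-kafka-kafka-bootstrap.kafka.svc", "port": 9092}]},
  {"name": "tls", "bootstrapServers": "strimzi-kafka-kafka-bootstrap.kafka.svc:9093",
   "addresses": [{"host": "strimzi-kafka-kafka-bootstrap.kafka.svc", "port": 9093}]},
  {"name": "external", "bootstrapServers": "203.0.113.10:9094",
   "addresses": [{"host": "203.0.113.10", "port": 9094}]}
 ]}}
""")


def advertised_bootstrap(kafka_cr, listener_name):
    """Return the bootstrap address published in status for one listener."""
    for listener in kafka_cr.get("status", {}).get("listeners", []):
        if listener.get("name") == listener_name:
            return listener["bootstrapServers"]
    raise KeyError(f"listener {listener_name!r} not in status.listeners")


def listener_for(kafka_cr, bootstrap):
    """Return the name of the listener advertising host:port, else None."""
    host, _, port = bootstrap.rpartition(":")
    for listener in kafka_cr.get("status", {}).get("listeners", []):
        for addr in listener.get("addresses", []):
            if addr["host"].lower() == host.lower() and str(addr["port"]) == port:
                return listener["name"]
    return None


if __name__ == "__main__":
    # The address from the question: an internal service name on the external port.
    configured = "strimzi-kafka-kafka-external-bootstrap.kafka.svc.cluster.local:9094"
    print("configured matches listener:", listener_for(SAMPLE_KAFKA_CR, configured))
    print("in-cluster clients (tls):", advertised_bootstrap(SAMPLE_KAFKA_CR, "tls"))
    print("outside clients (external):", advertised_bootstrap(SAMPLE_KAFKA_CR, "external"))
```

A `None` result means the configured address is not one the operator advertises for any listener, which makes it a candidate for the hostname mismatch in the question; the fix is to use an advertised address, not to turn off hostname verification in the SSL context.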