Page MenuHomePhabricator
Paste P17334

Confluent kafka python with SSL and hostname verification
ActivePublic
Actions

Authored by dcausse on Sep 28 2021, 8:27 AM.
from confluent_kafka import Consumer
c = Consumer({
'bootstrap.servers': 'SSL://kafka-main1002.eqiad.wmnet:9093',
'security.protocol': 'SSL',
'group.id': 'test-confluent',
'ssl.endpoint.identification.algorithm': 'HTTPS', # unset by default disabling hostname verification
'ssl.ca.location': '/etc/ssl/certs/ca-certificates.crt' # optional librdkafka seems to load it by default
})
meta = c.list_topics()
print(meta.brokers)

Event Timeline

dcausse created this paste.Sep 28 2021, 8:27 AM

failure is:

%3|1632817492.690|FAIL|rdkafka#consumer-1| [thrd:ssl://kafka-main1002.eqiad.wmnet:9093/bootstrap]: ssl://kafka-main1002.eqiad.wmnet:9093/bootstrap: SSL handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 7ms in state SSL_HANDSHAKE, 1 identical error(s) suppressed)
dcausse mentioned this in T291905: Allow kafka clients to verify brokers hostnames when using SSL.Sep 28 2021, 8:47 AM
dcausse edited the content of this paste. (Show Details)Sep 28 2021, 8:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL