No name matching in AKHQ

Question

Getting No name matching error while connecting to kafka from AKHQ

2022-04-11 09:15:35,806 WARN  inclient-2 c.a.i.AdminMetadataManager [AdminClient clientId=adminclient-2] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No name matching ppe.kafka.tnt.dev.euw.azure.tesco.org found
      at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
      at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
      at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
      at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
      at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
      at java.base/java.security.AccessController.doPrivileged(Native Method)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
      at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:430)
      at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:514)
      at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:368)
      at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:291)
      at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
      at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
      at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
      at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:551)
      at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1389)
      at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1320)
      at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertificateException: No name matching test.server.host.name found
      at java.base/sun.security.util.HostnameChecker.matchDNS(Unknown Source)
      at java.base/sun.security.util.HostnameChecker.match(Unknown Source)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
      ... 20 common frames omitted

Answer 1

This happens when the Kafka server's certificate does not match the hostname. We could set ssl.endpoint.identification.algorithm to an empty string to disable hostname verification.

The endpoint identification algorithm used by clients to validate server host name. The default value is https. Clients including client connections created by the broker for inter-broker communication verify that the broker host name matches the host name in the broker’s certificate. Disable server host name verification by setting ssl.endpoint.identification.algorithm to an empty string

https://docs.confluent.io/platform/current/kafka/authentication_ssl.html#optional-settings