Hello,

I am in the process of setting up a Kafka cluster which is configured to
use KRaft.  There is a set of three controller nodes and a set of six
brokers.  Both the controllers and the brokers are configured to use mTLS
(mutual TLS).  So part of the controller config looks like:

listeners=CONTROLLER://:9097
listener.security.protocol.map=CONTROLLER:SSL
controller.listener.names=CONTROLLER

Now the certificates initially were missing a SAN that corresponded to the
fqdn of the nodes.  The fqdn was used in creating the controller quorum
voters config.

When the controllers started up I did not see any errors or issues.  When
the brokers started up I saw a couple of SSL connection errors when they
tried to connect to the controllers, given that the controller hostname was
missing from the SAN of the certificate.  But the whole cluster seemed to
function normally.  No other errors and everything was in sync.  And the
kafka-metadata-quorum.sh ... describe --status showed the correct status of
the controllers and the brokers.

I fixed the SAN in the cert and the errors went away on the brokers.

My question is: if the certs prevented the SSL connection from being
established between the brokers and the controllers, or even between the
controllers, is there some fallback that was used?  PLAINTEXT, or was some
of the validation skipped?

Thanks!
ttyl
Dima
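An added check, not part of Dima's post, for the mismatch described above: it parses a controller.quorum.voters string and reports which voter hostnames a certificate's dNSName SAN entries cover, using the same leftmost-label wildcard rule that TLS hostname verification applies. The voters string and both SAN lists are constructed values for illustration; in a real check the SAN entries would be read from the controller keystore (for example with `keytool -list -v` or `openssl x509 -noout -ext subjectAltName`). Kafka enables hostname verification by default (ssl.endpoint.identification.algorithm=https), which is why an FQDN missing from the SAN surfaces as a TLS handshake error on the client side rather than being silently tolerated.

```python
"""Check that every host in controller.quorum.voters is covered by a
dNSName SAN entry of the controller certificate.

Added example (not from the mailing-list post). Inputs are constructed;
the SAN list would normally come from the keystore.
"""
from __future__ import annotations


def parse_quorum_voters(voters: str) -> dict[int, tuple[str, int]]:
    """Parse 'id@host:port,id@host:port' into {id: (host, port)}."""
    result: dict[int, tuple[str, int]] = {}
    for entry in voters.split(","):
        entry = entry.strip()
        if not entry:
            continue
        node_id, _, hostport = entry.partition("@")
        host, _, port = hostport.rpartition(":")
        result[int(node_id)] = (host, int(port))
    return result


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName matching: case-insensitive, trailing dot
    ignored, a wildcard must be the whole leftmost label and matches
    exactly one label. IP literals are not handled (they need an
    iPAddress SAN entry, not a dNSName one)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Reject '*.com'-style patterns and partial-label wildcards like 'ctrl*'.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False  # '*' covers one label only, never 'a.b.example.internal'
    return p_labels[1:] == h_labels[1:]


def check_voters_against_san(voters: str, san_dns: list[str]) -> dict[int, str | None]:
    """Return {node_id: matching SAN entry or None} for each voter host."""
    report: dict[int, str | None] = {}
    for node_id, (host, _port) in parse_quorum_voters(voters).items():
        report[node_id] = next((s for s in san_dns if san_matches(s, host)), None)
    return report


# Constructed sample values (hostnames are placeholders, not from the post).
VOTERS = ("1@ctrl1.example.internal:9097,"
          "2@ctrl2.example.internal:9097,"
          "3@ctrl3.example.internal:9097")
SAN_BEFORE = ["kafka-controller", "*.other.internal"]    # FQDNs missing
SAN_AFTER = ["kafka-controller", "*.example.internal"]   # FQDNs covered

if __name__ == "__main__":
    for label, san in (("before fix", SAN_BEFORE), ("after fix", SAN_AFTER)):
        print(f"== {label}: SAN dNSName = {san}")
        for node_id, match in check_voters_against_san(VOTERS, san).items():
            host = parse_quorum_voters(VOTERS)[node_id][0]
            status = f"OK via {match}" if match else "NOT COVERED (handshake would fail)"
            print(f"  voter {node_id} {host}: {status}")
```

Any voter reported as NOT COVERED is a host whose TLS connections from brokers (and from the other controllers) will fail hostname verification until the certificate is reissued with that name in its SAN.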
