Hi everyone, for some days now I have been trying to wrap my head around TLS encryption for the quorum traffic. The hosts running Zookeeper do have a publicly available DNS name, and I am using those to issue SSL certificates from Let's Encrypt. This seems to work, but it seems like Zookeeper decides to validate the SSL certificates against the IP(v6) of the connecting nodes instead of their hostnames.
In the `zookeeper.properties` of all my 3 nodes, I have set the servers by their DNS names like this:

```
server.1=zookeeper1.ourdomain.cloud:2888:3888
server.2=zookeeper2.ourdomain.cloud:2888:3888
server.3=zookeeper3.ourdomain.cloud:2888:3888
```

I requested SSL certificates from Let's Encrypt for these DNS names and added the certificate/key pairs to the keystores of the nodes. In the logs of the `zookeeper2` node, I now see something like this when the `zookeeper3` node tries to connect:

```
[2021-10-13 15:13:49,960] INFO Received connection request from /2a01:--CUT--:750:47566 (org.apache.zookeeper.server.quorum.QuorumCnxManager)
[2021-10-13 15:13:50,094] ERROR Failed to verify host address: 2a01:--CUT--:750 (org.apache.zookeeper.common.ZKTrustManager)
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <2a01:--CUT--:750> doesn't match any of the subject alternative names: [zookeeper3.ourdomain.cloud]
```

Zookeeper seems to ignore the hostnames and complains that the IPv6 address is not listed in the SAN of the presented certificate. Since most open CAs do not sign IP addresses (Let's Encrypt does not do that at all, ZeroSSL only for HTTP auth, etc.), this behaviour forces me to have an internal CA and work with self-signed certificates, including all the negative things that come with it and a lot of extra effort. How can I make Zookeeper resolve this correctly?

Best regards,
Marc

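The following is an added example, not part of Marc's post and not ZooKeeper's own code. It models in Python the two-step peer check that, to my understanding, ZooKeeper's `ZKTrustManager` applies to quorum connections: first the connecting address is matched against the certificate's IP SANs, and only if that fails is the address reverse-resolved and the resulting name matched against the DNS SANs (the `Failed to verify host address` line in the log above is the first step failing). Treat that ordering as an assumption to confirm against the ZooKeeper version in use. The certificate contents, the `2001:db8::750` address and the PTR table are constructed; `reverse_lookup` stands in for `socket.gethostbyaddr()` so the block runs offline.

```python
"""Model of two-step TLS peer host verification: the peer's address against IP
SANs first, then its reverse-DNS name against DNS SANs. All sample data is
constructed; nothing is fetched from the network."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PeerCert:
    """Subject alternative names of a presented certificate (constructed)."""
    dns_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


def matches_dns_san(pattern: str, host: str) -> bool:
    """Case-insensitive DNS SAN match; a wildcard covers only the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == host


def matches_ip_san(san_ip: str, peer_ip: str) -> bool:
    """Compare addresses structurally, so 2001:db8::750 equals its expanded form."""
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(peer_ip)
    except ValueError:
        return False


def verify_address(peer_ip: str, cert: PeerCert) -> bool:
    """Step 1: does the connecting address appear as an IP SAN?"""
    return any(matches_ip_san(san, peer_ip) for san in cert.ip_sans)


def verify_hostname(host: str, cert: PeerCert) -> bool:
    """Step 2: does a name appear as (or match a wildcard) DNS SAN?"""
    return any(matches_dns_san(san, host) for san in cert.dns_sans)


def reverse_lookup(peer_ip: str, ptr_table: Dict[str, str]) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(); keys are normalised address strings."""
    return ptr_table.get(str(ipaddress.ip_address(peer_ip)))


def verify_peer(peer_ip: str, cert: PeerCert, ptr_table: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a peer presenting `cert` from `peer_ip`."""
    if verify_address(peer_ip, cert):
        return True, f"address {peer_ip} matched an IP SAN"
    host = reverse_lookup(peer_ip, ptr_table)
    if host is None:
        return False, f"address {peer_ip} is not an IP SAN and has no PTR record"
    if verify_hostname(host, cert):
        return True, f"reverse name {host} matched a DNS SAN"
    return False, (f"neither {peer_ip} nor reverse name {host} matched "
                   f"SANs {cert.dns_sans + cert.ip_sans}")


# Constructed sample data mirroring the post: a DNS-only certificate for
# zookeeper3 presented from an IPv6 address that is not in the certificate.
ZK3_CERT = PeerCert(dns_sans=["zookeeper3.ourdomain.cloud"])
ZK3_ADDR = "2001:db8::750"                     # constructed, not the real address
NO_PTR: Dict[str, str] = {}                    # no reverse record for the node
WITH_PTR = {"2001:db8::750": "zookeeper3.ourdomain.cloud"}  # matching PTR record

if __name__ == "__main__":
    for label, table in (("without PTR", NO_PTR), ("with PTR", WITH_PTR)):
        ok, why = verify_peer(ZK3_ADDR, ZK3_CERT, table)
        print(f"{label:12s} -> {'accept' if ok else 'reject'}: {why}")
```

Running the block shows the same address being rejected when no reverse record exists and accepted once the address resolves back to a name that is in the DNS SANs; a certificate carrying an IP SAN is accepted in step 1 regardless of DNS, which is why public CAs that will not issue IP SANs make the reverse-lookup step the one that matters.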