On 2022-04-06 14:54, René Buffat wrote:
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <kafka_ssl-zookeeper2-1.kafka_ssl_default> doesn't match common name of the certificate subject: zookeeper2
java.security.cert.CertificateException: Failed to verify both host address and host name
Generally speaking, I have never heard of anything SSL-related that
looks at or cares about reverse DNS.
What should matter is what the CN (or SAN, for certificates that handle
multiple names) is, and what hostname the client is using to connect to
the server. Those have to match. When using SSL, you do not want to
specify an IP address for the host, you want to give it a name, because
it is very unlikely that you'll see an IP address in a certificate
unless you create it with a private CA.
If reverse DNS is the only place that the longer name appears, then
either the SSL verification is entirely too picky, or you have given the
client an IP address for the server instead of a name, and it is looking
up the reverse DNS so that it has a name to compare to the cert. I have
no idea whether the ZK client (or maybe Java itself) does this, but it
wouldn't surprise me.
Thanks,
Shawn
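As an added illustration of the matching rule Shawn describes (not code from this thread, nor from ZooKeeper, Kafka or the JDK), the following Python performs hostname verification the way a TLS client does: the name the client typed is compared against the certificate's subjectAltName entries, the CN is consulted only as a legacy fallback when the certificate carries no DNS SANs, and an IP address literal is compared only against an "IP Address" SAN. Nothing here performs a DNS lookup, forward or reverse. The two certificates are constructed: CN_ONLY_CERT mirrors the CN-only certificate from the error message, and SAN_CERT is what a private CA could issue instead; the container address 172.18.0.5 is assumed.

```python
"""Hostname verification as a TLS client performs it (constructed example).

Certificates are given in the dict layout Python's ssl.SSLSocket.getpeercert()
returns. Note what is absent: no DNS lookup of any kind, forward or reverse.
"""
import ipaddress


def _dns_label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one DNS-ID against a hostname.

    Case-insensitive; a single '*' is honoured only as the whole left-most
    label, so '*.example.org' matches 'a.example.org' but not
    'a.b.example.org', 'example.org' or a bare '*.org' pattern.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, host: str) -> bool:
    """True if `host`, exactly as the client used it, is a name the cert was
    issued for.

    An IP literal matches only an 'IP Address' SAN and is never resolved to
    a name. A DNS name matches a 'DNS' SAN, or the CN only when the
    certificate has no DNS SANs at all.
    """
    san = cert.get("subjectAltName", ())
    dns_ids = [v for k, v in san if k == "DNS"]
    ip_ids = [v for k, v in san if k == "IP Address"]

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # Client connected by address: compare the address, nothing else.
        return any(ipaddress.ip_address(v) == ip for v in ip_ids)

    if dns_ids:
        return any(_dns_label_matches(d, host) for d in dns_ids)

    # Legacy fallback: the CN is consulted only when no DNS SAN exists.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return _dns_label_matches(value, host)
    return False


# Constructed: CN only, no subjectAltName, like the cert in the error message.
CN_ONLY_CERT = {
    "subject": ((("commonName", "zookeeper2"),),),
}

# Constructed: a private-CA cert carrying the short name, the longer
# compose-style name and an assumed container address as SANs.
SAN_CERT = {
    "subject": ((("commonName", "zookeeper2"),),),
    "subjectAltName": (
        ("DNS", "zookeeper2"),
        ("DNS", "kafka_ssl-zookeeper2-1.kafka_ssl_default"),
        ("IP Address", "172.18.0.5"),  # assumed address, not from the thread
    ),
}

if __name__ == "__main__":
    for label, cert in (("CN-only", CN_ONLY_CERT), ("SAN", SAN_CERT)):
        for host in ("zookeeper2",
                     "kafka_ssl-zookeeper2-1.kafka_ssl_default",
                     "172.18.0.5"):
            print(f"{label:8} {host:45} -> {match_hostname(cert, host)}")
```

With the CN-only certificate, only "zookeeper2" verifies; the longer name fails exactly as the quoted exception reports, and the IP address fails because there is no address in the certificate to compare against. The SAN certificate makes all three names verify, which is the fix the thread points at: put every name or address the client will actually use into the certificate rather than hoping the verifier resolves one into another.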