No subject alternative DNS name matching Error in Clients

[raghavendra-bhat-maersk]

Hi Team,

We are using strimzi default certificates and enabled TLS. But while producing getting bellow hostname verification error:

Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching cdtweurope.digital.net found.

So we tried disabling the hostname verification as shown below:

listeners:
  - name: external
    port: 9094
    type: ingress
    tls: true
    authentication:
      type: scram-sha-512
      disableTlsHostnameVerification: true
    configuration:
      bootstrap:
           host: cdtweurope.digital.net

But when we describe the Kafka CR the change is applied with a Warning as shown below:

Listeners:
  Authentication:
    Disable Tls Hostname Verification:  true
    Type:                               scram-sha-512
  Configuration:
    Bootstrap:

Status: True
Type: Ready
Last Transition Time: 2023-01-19T12:20:32.357885Z
Message: Contains object at path spec.kafka.listeners.auth with an unknown property: disableTlsHostnameVerification
Reason: UnknownFields
Status: True
Type: Warning

Anyway root issue still exists, we are still getting the same error (No subject alternative DNS name matching) in producer. Could you please let me know what is wrong here? Is disableTlsHostnameVerification is not a valid parameter while using Ingress to expose?

Regards,
Raghav

[scholzj]

Well, as the warning message clearly tells you, you are making your own options that do not exist. That is not how it works that you just add something to the YAML and it magically starts working. You can find the supported options in the documentation - in the API reference.

You did not share any logs, so it is not clear why is it happening. But if your client has problems with TLS hostname verification, you have to disable it in your client. In the official Java clients, you can use this options: https://kafka.apache.org/documentation/#consumerconfigs_ssl.endpoint.identification.algorithm