Setup for TLS/SSL encryption

If you are using TLS/SSL encryption, you need to select a method to resolve SSL hostname verification failure.

If TLS encryption is used and a client connects to the load balancer host, the SSL hostname verification fails on the Kafka client side, because the client compares the hostnames in the broker certificates with the actual hostnames that are used in bootstrap.servers for the connection.

You can use one of the following methods to prevent an SSL hostname verification failure.

  • Using Subject Alternative Name (SAN) in the certificates

    The optimal solution for the SSL hostname verification is to add the load balancer hostname as a SAN to the certificates of each broker.

  • Using wildcard certificates

    If the load balancer and the brokers are in the same domain, you can also use wildcard certificates where it is not needed to enumerate the brokers and the load balancer one by one. Ensure you include the domain in the certificate.

  • Disabling hostname verification on the client side

    If modifying the certificates is a big effort, it is also possible to disable the hostname verification on the Kafka client side. The clients should include an empty string for the SSL algorithm: