Setup for TLS/SSL encryption
If you are using TLS/SSL encryption, you need to select a method to resolve the SSL hostname verification failure.
If TLS encryption is used and a client connects to the load balancer host, the SSL hostname
verification fails on the Kafka client side, because the client compares the hostnames in the
broker certificates with the actual hostnames that are used in
bootstrap.servers for the connection.
You can use one of the following methods to prevent an SSL hostname verification failure.
Using Subject Alternative Name (SAN) in the certificates
The optimal solution for SSL hostname verification is to add the load balancer hostname as a SAN to the certificates of each broker.
Using wildcard certificates
If the load balancer and the brokers are in the same domain, you can also use wildcard certificates, so that you do not need to enumerate the brokers and the load balancer one by one. Ensure you include the domain in the certificate.
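The comparison behind the SAN and wildcard methods above, as an added example that is not part of the original page or Kafka's own code: a simplified Python model of how a client checks the hostname from bootstrap.servers against the SAN entries of a broker certificate. All hostnames are constructed, and the extra check against each broker's own hostname is an assumption about how clients reach the brokers after bootstrap.

```python
# Added example: simplified hostname verification against SAN dNSName entries.
# All hostnames are constructed sample values.

def san_matches(hostname, pattern):
    """Return True if one SAN dNSName entry covers the hostname."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if pat[0] == "*":
        # Conservative choice in this sketch: refuse wildcards such as *.com
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def verify_hostname(hostname, san_entries):
    """True if any SAN entry of the presented certificate covers the hostname."""
    return any(san_matches(hostname, p) for p in san_entries)


def check_brokers(lb_host, broker_sans):
    """For each broker, check its certificate against the load balancer
    hostname (bootstrap connection) and its own hostname (assumption:
    clients later connect to the brokers by their own hostnames)."""
    return {
        broker: verify_hostname(lb_host, sans) and verify_hostname(broker, sans)
        for broker, sans in broker_sans.items()
    }


LB = "kafka-lb.example.com"                               # constructed
BROKERS = ["broker1.example.com", "broker2.example.com"]  # constructed

BROKER_ONLY = {b: [b] for b in BROKERS}             # fails behind the load balancer
WITH_LB_SAN = {b: [b, LB] for b in BROKERS}         # load balancer added as SAN
WILDCARD = {b: ["*.example.com"] for b in BROKERS}  # one wildcard for the domain

if __name__ == "__main__":
    for name, certs in [("broker-only", BROKER_ONLY),
                        ("with LB SAN", WITH_LB_SAN),
                        ("wildcard", WILDCARD)]:
        print(name, check_brokers(LB, certs))
    # Wildcard edge cases: the bare domain and deeper subdomains are not covered
    print(verify_hostname("example.com", ["*.example.com"]))
    print(verify_hostname("lb.prod.example.com", ["*.example.com"]))
```

In this model a wildcard entry covers exactly one label, so a load balancer placed in a deeper subdomain than the brokers still needs its own SAN entry.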
Disabling hostname verification on the client side
If modifying the certificates requires significant effort, you can also disable hostname verification on the Kafka client side. The clients should include an empty string for the SSL algorithm: