confluent kafka python - certificate verification


I used a simple producer on Windows, but when I tried to run it on Ubuntu I got:

SSL handshake failed: error:0A000086:SSL routines::certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 5ms in state SSL_HANDSHAKE)

The librdkafka docs say this about ssl.ca.location:

File or directory path to CA certificate(s) for verifying the broker's key. Defaults: On Windows the system's CA certificates are automatically looked up in the Windows Root certificate store. On Linux install the distribution's ca-certificates package.

I didn't find any info on how to get the right certificate from the Windows certificate store and transfer it to the Ubuntu server. Can you help me get the right certificate and make the producer work on Ubuntu, please?

import socket

from confluent_kafka import Producer

kafka_config = {
    'bootstrap.servers': 'kafka...:9092, ... , kafka:9092',
    'client.id': socket.gethostname(),
    'security.protocol': 'SSL',
    'ssl.key.location': '/path/to/kafka-keystore.key.pem',
    'ssl.key.password': '12345',
    'ssl.certificate.location': '/path/to/kafka-keystore.crt.pem'
}
producer = Producer(kafka_config)

There are 2 best solutions below

Killen On

I imported the .cer file from the .jks via KeyStore Explorer and put the path to it in ssl.ca.location.

Rene Sobral On

Probably your certificate is not using the hostname; recently they changed the default behavior to validate the hostname on the certificate as well. To restore the previous behavior, pass the following config: 'ssl.endpoint.identification.algorithm': 'none'.

Your final config will be something like this:

import socket

kafka_config = {
    'bootstrap.servers': 'kafka...:9092, ... , kafka:9092',
    'client.id': socket.gethostname(),
    'security.protocol': 'SSL',
    'ssl.key.location': '/path/to/kafka-keystore.key.pem',
    'ssl.key.password': '12345',
    'ssl.certificate.location': '/path/to/kafka-keystore.crt.pem',
    'ssl.endpoint.identification.algorithm': 'none'
}
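As an added example (not code from the question or from either answer), the following builds the Ubuntu-side config the question is after, with ssl.ca.location set, and runs a few checks a practitioner would want before handing the dict to Producer(): that the three PEM files exist, that the CA bundle actually contains PEM (a .cer exported from a .jks is often DER, which librdkafka's OpenSSL loader will not read), and that hostname verification has not been switched off with the 'none' value from the second answer. confluent_kafka is deliberately not imported so the block runs offline; the file paths and the broker address are placeholders, and build_ssl_config, preflight and split_pem_certificates are helpers written for this example.

```python
import os
import re
import socket

# Matches one PEM certificate block; a CA bundle may contain several.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def split_pem_certificates(pem_text):
    """Return the individual PEM certificate blocks found in a bundle."""
    return PEM_CERT_RE.findall(pem_text)


def build_ssl_config(bootstrap_servers, key_path, cert_path, ca_path,
                     key_password=None, verify_hostname=True):
    """Assemble the librdkafka SSL settings for a Linux client.

    ca_path is mandatory here: unlike Windows, librdkafka on Linux does not
    look in a system store by itself, so ssl.ca.location must point at the
    CA certificate(s), either a PEM file or a directory of hashed PEM files
    (for example the distribution bundle /etc/ssl/certs/ca-certificates.crt
    after the broker's CA has been added with update-ca-certificates).
    """
    cfg = {
        "bootstrap.servers": bootstrap_servers,
        "client.id": socket.gethostname(),
        "security.protocol": "SSL",
        "ssl.ca.location": ca_path,
        "ssl.key.location": key_path,
        "ssl.certificate.location": cert_path,
        # Recent librdkafka defaults to "https": the broker certificate's SAN
        # or CN must match the host in bootstrap.servers. "none" is the weak
        # setting from the second answer; keep it for diagnosis only.
        "ssl.endpoint.identification.algorithm":
            "https" if verify_hostname else "none",
    }
    if key_password is not None:
        cfg["ssl.key.password"] = key_password
    return cfg


def preflight(cfg):
    """Return a list of problems to fix before calling Producer(cfg)."""
    problems = []
    for key in ("ssl.ca.location", "ssl.key.location",
                "ssl.certificate.location"):
        path = cfg.get(key)
        if not path:
            problems.append(f"{key} is not set")
        elif not os.path.exists(path):
            problems.append(f"{key} does not exist: {path}")

    ca = cfg.get("ssl.ca.location")
    if ca and os.path.isfile(ca):
        with open(ca, encoding="utf-8", errors="replace") as fh:
            n_certs = len(split_pem_certificates(fh.read()))
        if n_certs == 0:
            # librdkafka loads the CA with OpenSSL, which expects PEM here.
            # A DER .cer can be converted with:
            #   openssl x509 -inform der -in ca.cer -out ca.pem
            problems.append("ssl.ca.location contains no PEM certificate "
                            "(DER .cer? convert it to PEM)")

    if cfg.get("ssl.endpoint.identification.algorithm", "https") == "none":
        problems.append("hostname verification disabled: any certificate "
                        "issued by the trusted CA, for any host, would be "
                        "accepted for this broker")
    return problems


if __name__ == "__main__":
    # Placeholder paths: replace with the files on your Ubuntu host.
    config = build_ssl_config(
        "kafka:9093",
        "/path/to/kafka-keystore.key.pem",
        "/path/to/kafka-keystore.crt.pem",
        "/path/to/kafka-ca.pem",
        key_password="12345",
    )
    for problem in preflight(config) or ["config looks usable"]:
        print(problem)
```

If preflight() comes back clean and the handshake still fails with "certificate verify failed", the bundle at ssl.ca.location does not contain the CA that signed the broker certificate; fetching the chain the broker presents (openssl s_client -connect broker:port -showcerts) and comparing its last certificate with the bundle is the quickest way to confirm that.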