What causes SslAuthenticationException?

TLS handshake failed: the broker certificate is not trusted by the client truststore, or is expired Hostname verification failed — the certificate CN/SAN does not match the broker hostname and ssl.endpoint.identification.algorithm is https Mutual TLS misconfiguration: missing/incorrect client keystore, or the broker requires client auth (ssl.client.auth=required) and the client presents no cert

How do I fix SslAuthenticationException?

Import the broker/CA certificate into the client ssl.truststore.location and verify the chain with keytool -list Ensure the broker certificate SAN includes the advertised hostname, or (only for testing) set ssl.endpoint.identification.algorithm to an empty string to disable hostname checks For mTLS, configure ssl.keystore.location/password on the client and confirm the cert is signed by a CA the broker trusts

Is SslAuthenticationException retriable?

No — SslAuthenticationException is not retriable. Retrying the same call will not help; the underlying cause must be fixed first.

Kafka Exception `SslAuthenticationException`

org.apache.kafka.common.errors.SslAuthenticationException

Non-retriable Security

This exception indicates that SSL handshake has failed. See getCause() for the SSLException that caused this failure. SSL handshake failures in clients may indicate client authentication failure due to untrusted certificates if server is configured to request client certificates. Handshake failures could also indicate misconfigured security including protocol/cipher suite mismatch, server certificate authentication failure or server host name verification failure.

Common Causes

TLS handshake failed: the broker certificate is not trusted by the client truststore, or is expired
Hostname verification failed — the certificate CN/SAN does not match the broker hostname and ssl.endpoint.identification.algorithm is https
Mutual TLS misconfiguration: missing/incorrect client keystore, or the broker requires client auth (ssl.client.auth=required) and the client presents no cert

Solutions

Import the broker/CA certificate into the client ssl.truststore.location and verify the chain with keytool -list
Ensure the broker certificate SAN includes the advertised hostname, or (only for testing) set ssl.endpoint.identification.algorithm to an empty string to disable hostname checks
For mTLS, configure ssl.keystore.location/password on the client and confirm the cert is signed by a CA the broker trusts

Example Stack Trace

org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Diagnostic Commands

# Inspect the broker's presented certificate chain
openssl s_client -connect localhost:9093 -servername localhost </dev/null 2>/dev/null | openssl x509 -noout -subject -dates

Hitting SslAuthenticationException in production? Conduktor Console gives you real-time visibility into clients, consumer groups, and broker health. Browse every Kafka exception or protocol error code.

Kafka Exception SslAuthenticationException

Common Causes

Solutions

Example Stack Trace

Diagnostic Commands

Related

Kafka Exception `SslAuthenticationException`