
broker certificate could not be verified, verify that ssl.ca.location is correctly configured #4889

Open
pnik073 opened this issue Oct 31, 2024 Discussed in #4204 · 1 comment

Comments

@pnik073

pnik073 commented Oct 31, 2024

Discussed in #4204

Error

When I try to establish an SSL connection on our consumer, we fail with this error:

%3|1730380644.677|FAIL|rdkafka#consumer-2| [thrd:ssl://some-hostname.net:9093/bootstrap]: ssl://some-hostname.net:9093/bootstrap: SSL handshake failed: error:0A000086:SSL routines::certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 622ms in state SSL_HANDSHAKE)

It is very difficult to find documentation about the issue, so I hope you would be able to help.

SSL Configuration

{
  "security.protocol": "SSL",
  # 'ssl.endpoint.identification.algorithm': 'none', # Also tried
  "ssl.ca.location": "/certs/cacerts.pem",
  "ssl.certificate.location": "/certs/tls.crt",
  "ssl.key.location": "/certs/tls.key",
}

Troubleshooting

As suggested in #4204 we tried

sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=0/' /usr/lib/ssl/openssl.cnf

which did not help,

and

openssl s_client -connect some-hostname.net:9093 -tls1_2 -servername some-hostname.net -cert /certs/tls.crt -key /certs/tls.key -CAfile /certs/cacerts.pem

returns this

---
SSL handshake has read 7818 bytes and written 2717 bytes
Verification error: self-signed certificate in certificate chain
---

Environment

Ubuntu 22.04 in docker container

@emasab
Contributor

emasab commented Nov 26, 2024

Hi, ssl.endpoint.identification.algorithm checks or doesn't check that the broker certificate CN corresponds to its hostname, but the certificate must still be a trusted one. Please make sure that that self-signed certificate is included in cacerts.pem. Try making it work with the openssl s_client first.
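The trust-versus-hostname distinction in the comment above, as an added example that is not part of this issue or of librdkafka: a stdlib-only Python check that reports whether any certificate in the chain a broker presents is contained in a CA bundle (the condition that the "self-signed certificate in certificate chain" verification error says is unmet), plus an ssl.SSLContext showing that turning off hostname checking (the analogue of ssl.endpoint.identification.algorithm=none) leaves chain verification in force. The PEM blobs and file paths are constructed placeholders, not real certificates.

```python
import base64
import re
import ssl


def _fake_pem(label: bytes) -> str:
    """Constructed PEM wrapper around arbitrary bytes (NOT a real X.509 cert)."""
    body = base64.encodebytes(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample data: the chain a broker would send (leaf, intermediate,
# self-signed root) and two CA bundles, one without and one with that root.
BROKER_CHAIN_PEM = _fake_pem(b"leaf") + _fake_pem(b"intermediate") + _fake_pem(b"root")
CA_BUNDLE_MISSING_ROOT = _fake_pem(b"unrelated-root")
CA_BUNDLE_WITH_ROOT = _fake_pem(b"unrelated-root") + _fake_pem(b"root")

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem(bundle: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [ssl.PEM_cert_to_DER_cert(m.group(0)) for m in _PEM_BLOCK.finditer(bundle)]


def chain_is_anchored(chain_pem: str, ca_bundle_pem: str) -> bool:
    """True if some certificate of the presented chain is in the CA bundle.

    Verification walks the chain towards its self-signed root and needs to
    reach a certificate the bundle trusts; a chain whose every element is
    unknown to the bundle is what the error in this issue reports.
    """
    trusted = set(split_pem(ca_bundle_pem))
    return any(der in trusted for der in split_pem(chain_pem))


def client_context(ca_path: str, cert_path: str, key_path: str,
                   verify_hostname: bool = True) -> ssl.SSLContext:
    """SSLContext mirroring the issue's ssl.* settings (paths are placeholders).

    verify_hostname=False plays the role of ssl.endpoint.identification.algorithm
    = none: only the CN/SAN match is skipped, the chain must still verify.
    """
    ctx = ssl.create_default_context(cafile=ca_path)   # ssl.ca.location
    ctx.load_cert_chain(cert_path, key_path)           # ssl.certificate/key.location
    ctx.check_hostname = verify_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED                # trust is never optional
    return ctx
```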
