ZooKeeper certificate doesn’t match common name of the subject

The exception looks like this:

Caused by: java.security.cert.CertificateException: 
Failed to verify both host address and host name

Caused by: javax.net.ssl.SSLPeerUnverifiedException: 
Certificate for <...hostname...> doesn't match common name 
of the certificate subject: <...subject name...>.

This is because the CN (Common Name) field of the certificate must match the hostname where the certificate will be installed. If it is problematic to reissue certificates, you can disable this check for test environments.

ZooKeeper Java client

There are several ways to configure SSL, you can learn about them in the section of the same name in this article.

Global properties

System.setProperty("zookeeper.ssl.hostnameVerification", "false")

Individual configuration

ZKClientConfig zkClientConfig = new ZKClientConfig();
zkClientconfig.setProperty("zookeeper.ssl.hostnameVerification", "false");
…
ZooKeeper zooKeeper = new ZooKeeper("...");

ZooKeeper CLI

The “-Dzookeeper.ssl.hostnameVerification = false” key must be added to the startup script /bin/zkCli.sh or /bin/zkCli.cmd. You can read more about adding keys to zkCli in the “Configuring ZooKeeper CLI” section of this article.

If you still have any questions, feel free to ask me in the comments under this article, or write me on promark33@gmail.com.

Leave a Reply

Your email address will not be published. Required fields are marked *

                   Mark Chesnavsky. Email me or connect via LinkedIn.