SSL handshake fails on Mac

Roger Johansson asked:

Some background.
I’m trying to connect to Confluents Kafka Clound using the .NET driver, internally that uses the native RdKafka machinery.

From my machine, the connection fails with a

rdkafka#producer-1| [thrd:sasl_ssl://url_to_cluster: sasl_ssl://url_to_bootstrap: SSL handshake failed: s3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed: (after 75ms in state CONNECT)

The client has a EnableSslCertificateVerification property and if I set that to false it all works fine.

But ignore the .NET and Kafka related info here, just background.
What on my machine is involved here?
Am I missing some form of certs locally?

I do have openssl installed, which afaik trusts a bunch of root certs by default.

It works fine for all coworkers, even mac users on the latest OS updates.
It also works on my machine if I run it from within Docker.

What can I check to resolve this?

My answer:

You need to have installed the CA certificate that the server’s TLS certificate was signed with. You didn’t provide that information, but you can check the server’s configuration easily enough, e.g.:

openssl s_client -connect <server>:<port> -showcerts

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.