Azure / azure-functions-kafka-extension

Kafka extension for Azure Functions
MIT License

Deploying kafka trigger to Windows Premium app using eventhubs kafka heads gives ssl cert error #173

Open hannesne opened 3 years ago

hannesne commented 3 years ago

I'm getting the following error in my logs when deployed to a Windows-based Premium function app:

    sasl_ssl://hnltestbkend3wepfx-std.servicebus.windows.net:9093/bootstrap: SSL handshake failed: .\ssl\s3_clnt.c:1269: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Any idea how to fix this?

TsuyoshiUshio commented 3 years ago

Hi @hannesne, sorry for the inconvenience. It looks like a bug in libkafka. It happens only on Premium (Windows). When I test on my Windows PC, it works. It is probably related to these issues: https://github.com/edenhill/librdkafka/issues/3025

https://github.com/confluentinc/confluent-kafka-dotnet/issues/1374

As a workaround, you can do the following. I tested it, and it works with EventHubs and Premium Windows.

  1. Add SslCaLocation
    [KafkaTrigger(
            "LocalBroker",
            "%EHTOPIC%",
            ConsumerGroup = "$Default",
            Username = "$ConnectionString",
            Password = "%EventHubConnectionString%",
            Protocol = BrokerProtocol.SaslSsl,
            SslCaLocation = "cacert.pem",                                      // <- Added this line.
            AuthenticationMode = BrokerAuthenticationMode.Plain)] KafkaEventData<string> kafkaEvent,

  2. Set cacert.pem in your project to Copy always.


The certificate is for EventHubs. It is already included in the NuGet package. I tested with:

    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Kafka" Version="3.1.0" />

TsuyoshiUshio commented 3 years ago

I also tested with Confluent Cloud. It was the same. For Confluent Cloud:

  1. Download CA certificate (i.e. from https://curl.haxx.se/ca/cacert.pem).
  2. Rename cacert.pem to confluent_cloud_cacert.pem to avoid a conflict with the existing EventHubs Kafka certificate that is part of the extension.
  3. Include the file in the project, setting "copy always"
  4. Set SslCaLocation = "confluent_cloud_cacert.pem",
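
Added example, not part of the thread and not code from the extension: a preflight check for the two workarounds above that confirms the file named in `SslCaLocation` was actually copied next to the deployed app and holds at least one currently valid certificate. `CaBundleCheck`, `CountUsableCas` and the `appDir` parameter are hypothetical names; it assumes .NET 5 or later and that the caller passes the directory against which the relative path should be resolved.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CaBundleCheck
{
    // Hypothetical helper: returns how many certificates in the bundle are inside
    // their validity period; throws when the file is missing or has none.
    public static int CountUsableCas(string appDir, string sslCaLocation)
    {
        string path = Path.IsPathRooted(sslCaLocation)
            ? sslCaLocation
            : Path.Combine(appDir, sslCaLocation);
        if (!File.Exists(path))
            throw new FileNotFoundException(
                "CA bundle was not deployed; mark it 'Copy always' " +
                "(CopyToOutputDirectory=Always) in the project.", path);

        var bundle = new X509Certificate2Collection();
        bundle.ImportFromPemFile(path); // requires .NET 5 or later
        DateTime now = DateTime.Now;    // NotBefore/NotAfter are local time
        int usable = bundle.Cast<X509Certificate2>()
            .Count(c => c.NotBefore <= now && now <= c.NotAfter);
        if (usable == 0)
            throw new InvalidDataException($"No currently valid certificates in {path}");
        return usable;
    }

    public static void Main()
    {
        // Constructed sample: a throwaway self-signed CA written to a temp folder
        // that stands in for the deployed app directory.
        string appDir = Directory.CreateDirectory(
            Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())).FullName;
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=Constructed Test CA", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using X509Certificate2 ca = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        File.WriteAllText(Path.Combine(appDir, "cacert.pem"),
            new string(PemEncoding.Write("CERTIFICATE", ca.RawData)));

        Console.WriteLine(CountUsableCas(appDir, "cacert.pem"));
        // The renamed Confluent Cloud bundle was never copied in this sample.
        try { CountUsableCas(appDir, "confluent_cloud_cacert.pem"); }
        catch (FileNotFoundException e) { Console.WriteLine(e.Message); }
    }
}
```

The check only covers deployment and expiry of the bundle; it does not prove that the broker's certificate chains to one of the CAs in it.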