Kafka brokers on the internet will use SSL typically. Connecting to them requires verifying the server's SSL certificate. That verification will only succeed if OpenSSL thinks the certificate looks legit, which will only succeed if the cert is signed by a known-good certificate authority. OpenSSL's set of known-good certificate authorities is determined by librdkafka, which should be compiled with a pass to the OS's trust store.
On some platforms (notably CentOS 7), the librdkafka doesn't know where the trust store is, so it can't verify server certificates. This leads to confusing behavior for clients.
Updating root certificates is usually an OS-specific maneuver, but certifi is a Python package which distributes Mozilla's set of known-good certificate authority identities. This package is up-to-date and
well-maintained, so using it should improve our package's portability.
By default, we can use certifi's bundle of certs, and then most brokers with legitimate SSL server certificates will be verified correctly.
It's still possible to override this choice if a user has a self-signed certificate or something strange.
Kafka brokers on the internet will use SSL typically. Connecting to them requires verifying the server's SSL certificate. That verification will only succeed if OpenSSL thinks the certificate looks legit, which will only succeed if the cert is signed by a known-good certificate authority. OpenSSL's set of known-good certificate authorities is determined by
librdkafka, which should be compiled with a pass to the OS's trust store.On some platforms (notably CentOS 7), the
librdkafkadoesn't know where the trust store is, so it can't verify server certificates. This leads to confusing behavior for clients.Updating root certificates is usually an OS-specific maneuver, but
certifiis a Python package which distributes Mozilla's set of known-good certificate authority identities. This package is up-to-date and well-maintained, so using it should improve our package's portability.By default, we can use certifi's bundle of certs, and then most brokers with legitimate SSL server certificates will be verified correctly.
It's still possible to override this choice if a user has a self-signed certificate or something strange.