Configure SSL for sink connectors communicating with 3rd party applications

I am using S3 sink connector. The kafka cluster is in our corporate network. The connection to S3 will be through a proxy. But the connector is throwing the following error when trying to connect with S3.

"id":0,"state":"FAILED","worker_id":"connector:8083","trace":"org.apache.kafka.connect.errors.ConnectException: com.amazonaws.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at io.confluent.connect.s3.S3SinkTask.start(S3SinkTask.java:138)
    at org.apache.kafka.connect.runtime.WorkerSinkTask.initializeAndStart(WorkerSinkTask.java:308)
    at org.apache.kafka.connect.runtime.WorkerSinkTask.execute(WorkerSinkTask.java:196)
    at org.apache.kafka.connect.runtime.WorkerTask.doRun(WorkerTask.java:182
    at org.apache.kafka.connect.runtime.WorkerTask.run(WorkerTask.java:231)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: com.amazonaws.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1207)
    at ... 

If this is a problem with the proxy, there doesn’t seem to be any option to point the connector to the ssl truststore with our corporate CA cert.

I have the connector running inside a container in Kubernetes.

Any way to solve this?

this error normally happens when the proxy is using a self signed cert. The aws library used in the connector needs to be able to verify that the proxy is hosting a valid/trusted certificate. openssl s_client -connect yourproxy.url.com

You may need to manually test what cert the proxy is presenting. if it is self signed you will need to include the root CA from the proxy in your kafka connect connector truststore.