Failed authentication due to: SSL handshake failed

Hi,
I have an issue when starting this command to list topics.

ZooKeeper and Kafka seem OK.

/opt/kafka/bin/kafka-topics.sh --list --bootstrap-server 172.17.0.2:9093 --command-config /opt/kafka/config/client.properties
[2021-12-20 16:40:28,231] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (172.17.0.2/172.17.0.2:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-12-20 16:40:28,233] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present

My client.properties:

security.protocol=SASL_SSL
ssl.truststore.location=/opt/kafka/certs/kafka.client.truststore.jks
ssl.truststore.password=password
sasl.mechanism=PLAIN

sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="password";

On the server side:

server.properties

... 
## SSL

// Enable SSL security protocol for inter-broker communication
listeners=SSL://:9093,SASL_SSL://:9094
security.inter.broker.protocol=SSL
ssl.client.authentication=required

sasl.mechanism.inter.broker.protocol=PLAIN
ssl.endpoint.identification.algorithm=
advertised.listeners=SSL://:9093,SASL_SSL://server:9094
listener.security.protocol.map=SSL:SSL,SASL_SSL:SASL_SSL

// Broker security settings
ssl.truststore.location=/opt/kafka/certs/kafka.server.truststore.jks
ssl.truststore.password={{sslpassword}}
ssl.keystore.location=/opt/kafka/certs/kafka.server.keystore.jks
ssl.keystore.password={{sslpassword}}
ssl.key.password={{sslpassword}}
sasl.enabled.mechanisms=PLAIN
...

zookeeper_jaas.conf

Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="password";
};

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="password";
};

kafka_jaas.conf

KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="password"
    user_admin="password";
};

KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="password";
};

Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="password";
};

zookeeper.properties

admin.enableServer=false
clientPort=2181
dataDir=/tmp/zookeeper
maxClientCnxns=0

# custom for AD below this line
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl

At the end of the Kafka server start:

export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/config/kafka_jaas.conf"

At the end of the ZooKeeper server start:

export KAFKA_OPTS="-Djava.security.auth.login.config=$base_dir/../config/zookeeper_jaas.conf"

Certificates

keytool -keystore kafka.server.keystore.jks -alias localhost -keyalg RSA -validity 365 -genkey -storepass $pass -keypass $pass -dname "CN=172.17.0.2" -ext SAN=IP:172.17.0.2

So only my keystore has the alt name.

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: caroot
Creation date: Dec 20, 2021
Entry type: trustedCertEntry

Owner: CN=server, O=AD, L=Chill, ST=IDF, C=FR
Issuer: CN=server, O=AD, L=Chilly, ST=IDF, C=FR
...

Alias name: localhost
Creation date: Dec 20, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=172.17.0.2
Issuer: CN=server, O=AD, L=Chill, ST=IDF, C=FR
...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Certificate[2]:
Owner: CN=server, O=AD, L=Chil, ST=IDF, C=FR
Issuer: CN=server, O=AD, L=Chill, ST=IDF, C=FR
...
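
The `keytool` listing above reports `Version: 1` for the CA-signed certificate `CN=172.17.0.2`, and an X.509 v1 certificate cannot carry extensions such as a subject alternative name, which is what a Java client connecting by IP address checks. The following is an added example, not part of the original post: it signs one CSR with and without an extension file and tests each result for the IP SAN. It assumes the CA step is done with `openssl x509 -req` (the post does not show that step); the CA name and file names are hypothetical.

```shell
#!/bin/sh
# Added example with constructed data; the CA name and file names are hypothetical.
# Assumption: the CSR is signed with `openssl x509 -req` (the post does not show this step).

# Print the X.509 version number (1 or 3) of a PEM certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# Succeed only if the certificate lists exactly this IP in its SAN extension.
has_ip_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' |
        grep -qxF "IP Address:$2"
}

# Build a throwaway CA and sign one CSR twice: without and with a SAN extension file.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # The CSR requests the same SAN the post passes to keytool.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=172.17.0.2" \
        -addext "subjectAltName=IP:172.17.0.2" \
        -keyout "$d/broker.key" -out "$d/broker.csr" 2>/dev/null
    # No -extfile: extensions in the CSR are ignored, so the signed cert has no SAN.
    openssl x509 -req -in "$d/broker.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/nosan.pem" 2>/dev/null
    # With -extfile: the CA adds the SAN to the certificate it issues.
    printf 'subjectAltName=IP:172.17.0.2\n' > "$d/san.ext"
    openssl x509 -req -in "$d/broker.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/san.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
for c in nosan san; do
    if has_ip_san "$demo/$c.pem" 172.17.0.2; then r=present; else r=missing; fi
    echo "$c.pem: version $(cert_version "$demo/$c.pem"), IP SAN $r"
done
rm -rf "$demo"
```

To run the same check on the broker's real certificate, export it to PEM first with `keytool -exportcert -rfc -alias localhost -keystore kafka.server.keystore.jks -file broker.pem`.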