Troubleshoot the Confluent CLI
Quick List: CLI install and operation
- Connectivity issue and misleading error: API key may not be provisioned yet 
- Make sure your firewalls allow connectivity to the required endpoints and ports 
- Check for proxy interference indicated by Error: Certificate signed by unknown authority 
- Identify connectivity to PrivateLink clusters indicated by SSL handshake errors starting with e- 
- Confluent CLI login is limited to user accounts (service accounts cannot be used) 
- Log in with the --organization-id flag to target the correct organization for login 
- Save login credentials or remove config file if you get errors at login 
Quick List: CLI command errors
Solutions for CLI install and operation
Verify the Confluent CLI version
Always verify which Confluent CLI version the you are running, along with operating system (OS) version and architecture. The release notes describe changes for each new version of the Confluent CLI.
- You can check the Confluent CLI version by running: - confluent version
- If the issue persists, and you are not running the latest version of the Confluent CLI, update to the latest minor version: - confluent update- (If you want to update to the latest major version, use the same command with the - --majorflag.) Keep in mind that referenced commands in this Troubleshooting Guide also indicate the current version command names and flags.
- To find the OS and architecture version: - For Linux/macOS or Linux on Windows through WSL, the - unamecommand:- # command uname -a - Sample output: - Darwin C02D367KMD6T 23.6.0 Darwin Kernel Version 23.6.0: Mon Jul 29 21:13:00 PDT 2024; root:xnu-10063.141.2~1/RELEASE_X86_64 x86_64 - For Windows using PowerShell or the Command Prompt: - Find the OS version: - systeminfo | findstr /B /C:"OS Name" /C:"OS Version" 
- Find architecture version: - echo %PROCESSOR_ARCHITECTURE% 
 
Errors at login after Confluent CLI upgrade
If the you get errors after a CLI upgrade, try removing or renaming the file ~/.confluent/config.json
and try to login again with confluent login. Sometimes this file can get corrupted and cause unpredictable errors.
Obtain trace logs
You can get verbose logs by adding the -vvvv flag to commands.
You also can get trace logs by adding the --unsafe-trace flag to a command,
which is equivalent to -vvvv, but also logs HTTP requests and responses
which might contain plaintext secrets. If you use this option, be sure to redact
the secrets before sharing the output with Confluent Support.
Connectivity issue and misleading error: API key may not be provisioned yet
If you see the following error from the Confluent CLI:
Error: failed to obtain topics from client: API key may not be provisioned yet
This error message can be misleading. If the in use API Keys look valid, ask for the verbose output and check for any additional information. Often the real problem is a connectivity issue.
Make sure your firewalls allow connectivity to the required endpoints and ports
When Confluent CLI interacts with Confluent Cloud, it requires network access to the following public domains:
- confluent.cloud(port 443 and 9092 for audit logs)
- login.confluent.iowhen using SSO (port 443)
- api.stripe.comwhen using the confluent billing payment commands
- s3-us-west-2.amazonaws.com/confluent.cloudwhen the update check is enabled
Therefore, make sure that your firewall allows connection to the above endpoints/ports.
The following curl command should return an HTTP 200 response code and some HTTP headers.
curl -X GET --head https://confluent.cloud
If the above command returns any other code or error, then connectivity to the host is the cause of the problem. In that case, check any firewalls or network configurations that may be preventing the Confluent CLI to reach that domain.
Following are some other tests to validate that egress to https://login.confluent.io is allowed:
telnet login.confluent.io 443
openssl s_client -connect login.confluent.io:443
curl -verbose -XPOST "https://login.confluent.io/oauth/token"
If you get the following error when you log in as an SSO user, this usually indicates that the above endpoints/ports are not whitelisted on the firewall.
Error: failed to get oauth token: Post"https://login.confluent.io/oauth/token": EOF
Note that currently the IP address for login.confluent.io is not static and could change anytime.
Identify cluster connection issues
When performing data plane operations like produce/consume, errors like following in the verbose output, indicate that there is an issue related to connecting to the cluster endpoint.
CONNECT|Confluent-CLI_v3.6.0#consumer-1| [thrd:app]: Not selecting any broker for cluster connection: still suppressed for 49ms: application metadata request
The Confluent CLI needs to be able to connect to both the Cluster Bootstrap Endpoint (port 9092) and the REST Endpoint (port 443). You can test connectivity from the host by running the Confluent CLI as described in :cloud|`Test Connectivity to Confluent Cloud|networking/testing.html`.
- If the cluster is private, by default it is possible to connect to the cluster only from an instance inside the VPC. 
- If the host running the Confluent CLI (or the client) is located outside the VPC (an external network or on-premises), you must implement additional network configuration to provide connectivity. 
However, configuring or troubleshooting connections from on-premises or from external networks to Confluent Cloud clusters with private networking implemented, such as VPC Peering, VNet Peering, or Private Links, is outside the support scope, as documented in the “important” information block under Confluent Cloud Support for Self-managed components.
Identify connectivity to PrivateLink clusters indicated by SSL handshake errors starting with e-
If producing or consuming with the Confluent CLI shows SSL handshake errors on v4 broker dns scheme that starts with e-,
such as in the following example:
e-$last2octets-$zoneid-$nid.$region.$cloud.glb.confluent.cloud
This indicates you are trying to perform data plane operations against a “PrivateLink” cluster and either:
- The host may not have connectivity to the cluster. 
Or
- The “PrivateLink” configuration is incorrect. 
Contact Confluent Support for help with PrivateLink troubleshooting.
Confluent CLI login is limited to user accounts (service accounts cannot be used)
Service accounts cannot be used to log in to the Confluent CLI, only user accounts can log in with a user name and password or SSO.
You can use API keys to produce and consume from a topic using using user-agnostic contexts. However, this is limited to produce and consume; for all the other operations, a user login is required.
Log in with the --organization-id flag to target the correct organization for login
A user account can be part of multiple Confluent Cloud organizations.
In such cases, make sure you are attempting logins to the correct organization by adding the --organization-id
flag to confluent login command.
Save login credentials or remove config file if you get errors at login
When you log in to the Confluent CLI with the --save flag, your credentials are stored in $HOME/.confluent/config.json.
This allows you to skip providing your credentials each time you log in.
If you get errors at login for incorrect email, password, or organization ID, contact Confluent Support or file a GitHub issue against the confluentinc/cli.
Verify that .confluent is in your HOME directory
Make sure the following command returns /usr/bin/confluent:
which confluent
.confluent should be located under your HOME directory.
If you have an environment variable set for .confluent, you will see it in the results for this command:
env | grep HOME
Or, use the following command to list all files in your HOME directory , including hidden files preceded by a dot (.).
You should see .confluent listed.
ls -al $HOME
Solutions for command errors
Set active environment for commands that use both region and cloud flags
Confluent Cloud commands that use the --region and cloud flags require an active environment.
For example, when using the command confluent flink region list,
note that confluent flink region list --cloud aws requires an active environment (confluent environment use <environment-ID>).
First, specify the environment you want to use. Then list the regions.
confluent environment use env-abc123
Using environment env-abc123.
confluent flink region list --cloud aws
Current |            Name            | Cloud |     Region
----------+----------------------------+-------+-----------------
         | Canada (ca-central-1)      | AWS   | ca-central-1
         | Frankfurt (eu-central-1)   | AWS   | eu-central-1
         | Ireland (eu-west-1)        | AWS   | eu-west-1
         | London (eu-west-2)         | AWS   | eu-west-2
         | Mumbai (ap-south-1)        | AWS   | ap-south-1
Following is the error you will get when attempting to list regions for a specific --cloud parameter (like aws), without first specifying the current environment:
confluent flink region list --cloud aws
Error: no environment found
Alternatively, confluent flink region list  (without the --cloud flag) does not need an active environment. This command will yield a list of regions, regardless of whether you have specified an active environment.