michaeljmarshall commented on PR #19455:
URL: https://github.com/apache/pulsar/pull/19455#issuecomment-1427397180

   Thanks for taking a look @lhotari! That fixed some of the errors, but I 
found another one that was my own fault. Analysis follows:
   
   Got this error again:
   
   ```
   Error:  testAuthorizedUserAsOriginalPrincipal(org.apache.pulsar.client.impl.AdminApiKeyStoreTlsAuthTest)  Time elapsed: 0.203 s  <<< FAILURE!
   org.apache.pulsar.client.admin.PulsarAdminException: java.util.concurrent.CompletionException: org.apache.pulsar.client.admin.internal.http.AsyncHttpConnector$RetryException: Could not complete the operation. Number of retries has been exhausted. Failed reason: Received fatal alert: certificate_unknown
   ```
   
   After digging into it a bit more, I discovered the issue was introduced in 
16a7cc04cb89fed083c37b8e17287949535d4940. The problem was pretty subtle. I 
accidentally generated a new client cert and put that cert in the 
`proxy-and-client.truststore.jks`. However, I didn't commit the updated 
`client.keystore.jks`, so I ended up with a mismatch.
   
   My first mistake was assuming that `certificate_unknown` was a client error. 
I should have realized that the `Number of retries has been exhausted` actually 
pointed at a server-side error. Specifically, the server didn't trust the 
certificate.
   
   This test was passing locally because I had the correct client private key 
locally, but I had chosen (poorly) to not commit it.
   
   Also, I made things "worse" by disabling insecure TLS connections. With my 
latest commit, the tests in `AdminApiKeyStoreTlsAuthTest` should pass.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
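
A check for the kind of mismatch described in this comment, as an added example (not code from the PR or from Pulsar): it compares SHA-256 fingerprints of each key entry's certificate chain in a keystore such as `client.keystore.jks` against the certificate entries of a truststore such as `proxy-and-client.truststore.jks`. It assumes Java 17+, store passwords passed as arguments, and a truststore that holds the client certificate or a member of its chain directly.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.HexFormat;
import java.util.Set;

// Added example (not Pulsar code): exits non-zero when a key entry in the
// keystore has no certificate from its chain present in the truststore.
public class KeystoreTruststoreCheck {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.of().formatHex(digest);
    }

    // Usage: java KeystoreTruststoreCheck.java <keystore> <ksPass> <truststore> <tsPass>
    public static void main(String[] args) throws Exception {
        KeyStore keys = load(args[0], args[1].toCharArray());
        KeyStore trust = load(args[2], args[3].toCharArray());
        Set<String> trusted = new HashSet<>();
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isCertificateEntry(alias)) {
                trusted.add(fingerprint(trust.getCertificate(alias)));
            }
        }
        boolean allMatched = true;
        for (String alias : Collections.list(keys.aliases())) {
            Certificate[] chain = keys.getCertificateChain(alias);
            if (!keys.isKeyEntry(alias) || chain == null) continue; // skip non-key entries
            boolean matched = false;
            for (Certificate cert : chain) {
                matched |= trusted.contains(fingerprint(cert));
            }
            System.out.printf("%s: %s%n", alias, matched ? "trusted" : "NOT IN TRUSTSTORE");
            allMatched &= matched;
        }
        System.exit(allMatched ? 0 : 1);
    }
}
```

Run against the committed test resources rather than a local working copy, since the failure described above only appeared where the uncommitted keystore was absent.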
