GitHub user michaeljmarshall added a comment to the discussion: How to get OpenID Connect to work.
It looks like this issue was also created here https://stackoverflow.com/questions/76631732/apache-pulsar-unable-to-validate-issuer-certificate-when-attempting-to-load-open. I provided an answer here https://stackoverflow.com/a/76632625/21221450 and improved the docs here https://github.com/apache/pulsar-site/pull/632. Here is a copy of the stack overflow answer: > In the example broker.conf it says that the > "openIDTokenIssuerTrustCertsFilePath" is an optional setting and that > it will use the trust store of the JVM. So I ensured that the required > certificates where added to the trust store found at > ".../jre/lib/security/cacerts" on my broker instance and left that > config value as blank. It will work correctly when you remove the `openIDTokenIssuerTrustCertsFilePath=` from your `broker.conf` file. Having a blank `openIDTokenIssuerTrustCertsFilePath=` is incorrectly configuring the provider to attempt to load the `""` file, which explains the unhelpful error message. Note: https://github.com/apache/pulsar/pull/20745 should improve the behavior in a future release of pulsar by interpreting an empty configuration as using the OS's trust store. > Caused by: java.security.cert.CertificateException: found no certificates in > input stream In my testing, I observed this same error when the file was not in PEM format. I verified that the feature does work for custom trust stores configured using correctly formated files with these modified tests: https://github.com/apache/pulsar/pull/20746. Here is my full stack trace for the incorrectly formatted ca cert: ``` java.lang.IllegalArgumentException: File does not contain valid certificates: /Users/michaelmarshall/dev/apache/pulsar/pulsar-broker-auth-oidc/target/test-classes/certificate-authority/jks/broker.keystore.jks at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:261) at org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID.initialize(AuthenticationProviderOpenID.java:172) at org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenIDIntegrationTest.testKidCacheMissWhenRefreshConfigZero(AuthenticationProviderOpenIDIntegrationTest.java:347) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) at org.testng.internal.invokers.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:139) at org.testng.internal.invokers.TestInvoker.invokeMethod(TestInvoker.java:677) at org.testng.internal.invokers.TestInvoker.invokeTestMethod(TestInvoker.java:221) at org.testng.internal.invokers.MethodRunner.runInSequence(MethodRunner.java:50) at org.testng.internal.invokers.TestInvoker$MethodInvocationAgent.invoke(TestInvoker.java:969) at org.testng.internal.invokers.TestInvoker.invokeTestMethods(TestInvoker.java:194) at org.testng.internal.invokers.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:148) at org.testng.internal.invokers.TestMethodWorker.run(TestMethodWorker.java:128) at java.base/java.util.ArrayList.forEach(ArrayList.java:1511) at org.testng.TestRunner.privateRun(TestRunner.java:829) at org.testng.TestRunner.run(TestRunner.java:602) at org.testng.SuiteRunner.runTest(SuiteRunner.java:437) at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:431) at org.testng.SuiteRunner.privateRun(SuiteRunner.java:391) at org.testng.SuiteRunner.run(SuiteRunner.java:330) at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52) at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:95) at org.testng.TestNG.runSuitesSequentially(TestNG.java:1256) at org.testng.TestNG.runSuitesLocally(TestNG.java:1176) at org.testng.TestNG.runSuites(TestNG.java:1099) at org.testng.TestNG.run(TestNG.java:1067) at com.intellij.rt.testng.IDEARemoteTestNG.run(IDEARemoteTestNG.java:66) at com.intellij.rt.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:105) Caused by: java.security.cert.CertificateException: found no certificates in input stream at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:107) at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:63) at io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:1219) at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:259) ... 29 more ``` GitHub link: https://github.com/apache/pulsar/discussions/20743#discussioncomment-6673719 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
