yuanjingshi opened a new issue #5568: Function worker fails to be authenticated when TLS authentication is enabled in Pulsar standalone

URL: https://github.com/apache/pulsar/issues/5568

**Describe the bug**

When TLS authentication is enabled in Pulsar 2.4.1 and 2.4.0 and I start the Pulsar standalone cluster, it fails to start.

**To Reproduce**

Steps to reproduce the behavior:

1. Follow the Pulsar 2.4.1 TLS encryption and authentication documentation to sign both the client and broker certificates.
2. Set the config below in Standalone.conf:

```
brokerServicePort=6650
brokerServicePortTls=6651
tlsCertRefreshCheckDurationSec=300
tlsCertificateFilePath=/path/to/broker.cert.pem
tlsKeyFilePath=/path/to/broker.key-pk8.pem
tlsTrustCertsFilePath=/path/to/ca.cert.pem
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
authorizationEnabled=true
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
authorizationAllowWildcardsMatching=false
superUserRoles=admin
brokerClientTlsEnabled=true
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters=tlsCertFile:/path/to/admin.cert.pem,tlsKeyFile:/path/to/admin.key-pk8.pem
brokerClientTrustCertsFilePath=/path/to/ca.cert.pem
```

3. In function_worker.yml:

```
pulsarServiceUrl: pulsar+ssl://localhost:6651
pulsarWebServiceUrl: https://localhost:8443
```

4. Run bin/pulsar standalone. See the error below; the Pulsar standalone cluster will not start up.

```
19:00:17.861 [pulsar-io-50-1] WARN org.apache.pulsar.broker.service.ServerCnx - [/10.101.2.121:55710] Unable to authenticate
javax.naming.AuthenticationException: Client unable to authenticate with TLS certificate
	at org.apache.pulsar.broker.authentication.AuthenticationProviderTls.authenticate(AuthenticationProviderTls.java:86) ~[org.apache.pulsar-pulsar-broker-common-2.4.1.jar:2.4.1]
	at org.apache.pulsar.broker.authentication.OneStageAuthenticationState.<init>(OneStageAuthenticationState.java:46) ~[org.apache.pulsar-pulsar-broker-common-2.4.1.jar:2.4.1]
	at org.apache.pulsar.broker.authentication.AuthenticationProvider.newAuthState(AuthenticationProvider.java:76) ~[org.apache.pulsar-pulsar-broker-common-2.4.1.jar:2.4.1]
	at org.apache.pulsar.broker.service.ServerCnx.handleConnect(ServerCnx.java:549) [org.apache.pulsar-pulsar-broker-2.4.1.jar:2.4.1]
	at org.apache.pulsar.common.protocol.PulsarDecoder.channelRead(PulsarDecoder.java:143) [org.apache.pulsar-pulsar-common-2.4.1.jar:2.4.1]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:323) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:297) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:591) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:508) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_231]
```

**Expected behavior**

Running bin/pulsar standalone will start the Pulsar standalone cluster without any exception. Clients shall be able to connect to Pulsar via TLS authentication.

**Screenshots**

<img width="1440" alt="Screenshot 2019-11-05 at 18 51 26" src="https://user-images.githubusercontent.com/40153224/68237683-88e58f80-ffff-11e9-8b41-9a5e80043e4e.png">

**Desktop (please complete the following information):**

- OS: macOS and Linux

**Additional context**

There is a workaround for this issue. Setting useTls to true in function_worker.yml will enable Pulsar standalone to start. I find this field is deprecated in the recent releases, but it is still used to set up the function worker configuration.
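The mismatch reported above (TLS service URLs in function_worker.yml without useTls), as an added example that is not part of the original issue or Pulsar's own code: a preflight check over the two files. The function names and finding codes are hypothetical, the parser handles only flat key/value lines, and an absent useTls is assumed to mean false.

```python
# Added example (not Pulsar project code): preflight check for the
# function_worker.yml / standalone.conf mismatch reported in this issue.

def parse_flat(text, sep):
    """Parse flat 'key<sep>value' lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or sep not in line:
            continue
        key, value = line.split(sep, 1)
        settings[key.strip()] = value.strip()
    return settings

def is_true(value):
    return str(value).strip().lower() == "true"

def check_worker_tls(standalone_conf, worker_yml):
    """Return hypothetical finding codes for a worker that cannot do TLS auth."""
    broker = parse_flat(standalone_conf, "=")
    worker = parse_flat(worker_yml, ":")
    findings = []
    svc = worker.get("pulsarServiceUrl", "")
    web = worker.get("pulsarWebServiceUrl", "")
    tls_urls = svc.startswith("pulsar+ssl://") or web.startswith("https://")
    # Assumption taken from the issue's workaround: absent useTls counts as false.
    if tls_urls and not is_true(worker.get("useTls", "false")):
        findings.append("WORKER_TLS_URL_WITHOUT_USETLS")
    # TLS authentication takes the client certificate from the TLS handshake,
    # so a plaintext pulsar:// service URL can never authenticate.
    tls_auth = "AuthenticationProviderTls" in broker.get("authenticationProviders", "")
    if tls_auth and svc and not svc.startswith("pulsar+ssl://"):
        findings.append("TLS_AUTH_WITH_PLAINTEXT_SERVICE_URL")
    return findings

# Constructed sample input, reduced from the settings quoted in the issue.
SAMPLE_STANDALONE = """\
brokerServicePortTls=6651
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
brokerClientTlsEnabled=true
"""
SAMPLE_WORKER = """\
pulsarServiceUrl: pulsar+ssl://localhost:6651
pulsarWebServiceUrl: https://localhost:8443
"""

if __name__ == "__main__":
    print(check_worker_tls(SAMPLE_STANDALONE, SAMPLE_WORKER))
    print(check_worker_tls(SAMPLE_STANDALONE, SAMPLE_WORKER + "useTls: true\n"))
```

Run against the real files before `bin/pulsar standalone`, an empty result means the worker settings are consistent with the broker's TLS authentication for the two conditions checked here.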
