rdhabalia opened a new issue #6010: Broker can not reload expired bookie certs 
and fails to connect to bookie
URL: https://github.com/apache/pulsar/issues/6010
 
 
   ### Issue
   
   The BookKeeper client caches the TLS certificates when it first tries to
create a cnx with a given bookie, and after that it never reloads the certs,
even when the valid certs change on the file system or a new bookie connection
is created. Because of that, as soon as the client certs expire and the broker
disconnects from the bookie, the broker is not able to reconnect to the bookie
until we restart the broker process, and we see the below TLS exception at the
broker.
   
   ```
   19:43:03.983 [bookkeeper-io-12-45] ERROR org.apache.bookkeeper.proto.PerChannelBookieClient - Unexpected exception caught by bookie client channel handler
   io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
           at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-codec-4.1.31.Final.jar:4.1.31.Final]
           at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.31.Final.jar:4.1.31.Final]
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:433) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:330) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.32.Final.jar:4.1.32.Final]
           at java.lang.Thread.run(Thread.java:834) [?:?]
   Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
           at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$OpenSslClientCertificateCallback.handle(ReferenceCountedOpenSslClientContext.java:273) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.internal.tcnative.SSL.readFromSSL(Native Method) ~[netty-tcnative-boringssl-static-2.0.20.Final.jar:2.0.20.Final]
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:575) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1124) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1236) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1279) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:217) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1301) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1215) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1249) ~[netty-all-4.1.32.Final.jar:4.1.32.Final]
           at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.31.Final.jar:4.1.31.Final]
           at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.31.Final.jar:4.1.31.Final]
           ... 14 more
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
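
The behaviour the issue asks for, as an added example that is not code from Pulsar or BookKeeper: TLS material is rebuilt when the underlying files change on disk, and the check runs each time a new connection is created instead of once at first use. `ReloadingTlsMaterial` and `Loader` are hypothetical names, and the demo uses a plain string as a constructed stand-in for the real TLS context.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.ArrayList;
import java.util.List;

public class ReloadingTlsMaterial<T> {
    /** Builds the TLS object (for example an SSL context) from the current files. */
    public interface Loader<T> { T load(List<Path> files) throws IOException; }

    private final List<Path> files;
    private final Loader<T> loader;
    private List<FileTime> loadedAt = new ArrayList<>();
    private T cached;

    public ReloadingTlsMaterial(List<Path> files, Loader<T> loader) {
        this.files = files;
        this.loader = loader;
    }

    /** Call once per new connection: rebuilds only if a file changed on disk. */
    public synchronized T get() throws IOException {
        List<FileTime> now = new ArrayList<>();
        for (Path f : files) now.add(Files.getLastModifiedTime(f));
        if (cached == null || !now.equals(loadedAt)) {
            cached = loader.load(files);   // stale material is replaced here
            loadedAt = now;
        }
        return cached;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a client certificate file.
        Path cert = Files.createTempFile("client-cert", ".pem");
        Files.write(cert, "cert-v1".getBytes(StandardCharsets.UTF_8));
        ReloadingTlsMaterial<String> tls = new ReloadingTlsMaterial<>(List.of(cert),
            fs -> new String(Files.readAllBytes(fs.get(0)), StandardCharsets.UTF_8));
        System.out.println(tls.get());
        // Simulate rotation: new content and a later modification time.
        Files.write(cert, "cert-v2".getBytes(StandardCharsets.UTF_8));
        Files.setLastModifiedTime(cert,
            FileTime.fromMillis(System.currentTimeMillis() + 60_000));
        System.out.println(tls.get());
        Files.delete(cert);
    }
}
```

Modification time alone can miss a rotation on file systems with coarse timestamps, so a production check would usually also compare size or a digest of the file.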
