yabinmeng opened a new issue #11548: URL: https://github.com/apache/pulsar/issues/11548
**Describe the bug**

I'm testing out transport encryption using TLS by following the document instruction here: https://pulsar.apache.org/docs/en/2.7.2/security-tls-transport/

I'm expecting that when TLS is enabled, only the TLS ports (8443 and 6551) are listening when the broker starts up. But it looks like the non-TLS ports (8080 and 6650) are also enabled. See the command line output below:

```
$ sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2181            0.0.0.0:*               LISTEN      16109/java
tcp        0      0 0.0.0.0:9990            0.0.0.0:*               LISTEN      16109/java
tcp        0      0 0.0.0.0:8010            0.0.0.0:*               LISTEN      16109/java
tcp        0      0 0.0.0.0:3181            0.0.0.0:*               LISTEN      16676/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      17362/java
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      877/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      9105/sshd
tcp        0      0 0.0.0.0:6650            0.0.0.0:*               LISTEN      17362/java
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      17362/java
tcp        0      0 0.0.0.0:6651            0.0.0.0:*               LISTEN      17362/java
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      16676/java
```

The only broker configuration changes are the TLS-related ones, as below.

```
$ diff conf/broker.conf ~/pulsar_config/broker.conf.orig
32c32
< brokerServicePortTls=6651
---
> brokerServicePortTls=
38c38
< webServicePortTls=8443
---
> webServicePortTls=
472c472
< tlsEnabled=true
---
> tlsEnabled=false
478c478
< tlsCertificateFilePath=/opt/pulsar/security/tls/broker.cert.pem
---
> tlsCertificateFilePath=
481c481
< tlsKeyFilePath=/opt/pulsar/security/tls/broker.key-pk8.pem
---
> tlsKeyFilePath=
487c487
< tlsTrustCertsFilePath=/opt/pulsar/security/tls/ca.cert.pem
---
> tlsTrustCertsFilePath=
```

**To Reproduce**

Steps to reproduce the behavior:

1. Download the Pulsar 2.7.2 release tarball and extract it to a folder, e.g. /opt/pulsar
2. Create TLS certificates (by following the Pulsar doc: https://pulsar.apache.org/docs/en/2.7.2/security-tls-transport/#broker-configuration) and put the root certificate (ca.cert.pem), the broker key (broker.key-pk8.pem), and the broker certificate (broker.cert.pem) into a sub-folder of the Pulsar install: /opt/pulsar/security/tls
3. Configure broker.conf, as below.

```
brokerServicePort=6650
brokerServicePortTls=6651
webServicePort=8080
webServicePortTls=8443
tlsEnabled=true
tlsCertificateFilePath=/opt/pulsar/security/tls/broker.cert.pem
tlsKeyFilePath=/opt/pulsar/security/tls/broker.key-pk8.pem
tlsTrustCertsFilePath=/opt/pulsar/security/tls/ca.cert.pem
```

4. Restart the Pulsar server and we'll see that it is listening on all 4 ports (8080, 8443, 6650, and 6651).

I also tried explicitly removing the non-TLS ports in the configuration file and only keeping the TLS ports, as below.

```
brokerServicePort=
brokerServicePortTls=6651
webServicePort=
webServicePortTls=8443
tlsEnabled=true
tlsCertificateFilePath=/opt/pulsar/security/tls/broker.cert.pem
tlsKeyFilePath=/opt/pulsar/security/tls/broker.key-pk8.pem
tlsTrustCertsFilePath=/opt/pulsar/security/tls/ca.cert.pem
```

If I do so, I can't start the broker.
The error in **pulsar-broker-xxx.out** is as below:

```
[AppClassLoader@18b4aac2] info AspectJ Weaver Version 1.9.2 built on Wednesday Oct 24, 2018 at 15:43:33 GMT
[AppClassLoader@18b4aac2] info register classloader sun.misc.Launcher$AppClassLoader@18b4aac2
[AppClassLoader@18b4aac2] info using configuration file:/opt/pulsar/lib/org.apache.pulsar-pulsar-zookeeper-utils-2.7.2.jar!/META-INF/aop.xml
[AppClassLoader@18b4aac2] info using configuration file:/opt/pulsar/lib/org.apache.pulsar-pulsar-zookeeper-2.7.2.jar!/META-INF/aop.xml
[AppClassLoader@18b4aac2] info register aspect org.apache.pulsar.broker.zookeeper.aspectj.ClientCnxnAspect
[AppClassLoader@18b4aac2] info register aspect org.apache.pulsar.zookeeper.FinalRequestProcessorAspect
[AppClassLoader@18b4aac2] info register aspect org.apache.pulsar.zookeeper.ZooKeeperServerAspect
2021-08-03 08:56:33,926 [sun.misc.Launcher$AppClassLoader@18b4aac2] error Uncaught exception in thread main: No value present
```

**Expected behavior**

Only TLS ports (8443 and 6551) are listening.

**Screenshots**

If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**

- OS: Ubuntu 18.04
- Java: 1.8.0_292

**Additional context**

N/A
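As an added example (not code from the issue author or the Pulsar project), the check below parses a `broker.conf` and `netstat -ntlp` output to report which plaintext listeners are still configured while `tlsEnabled=true`, and which of them are actually open for the broker PID. The config excerpt and netstat lines are constructed to match the report above; the PID 17362 is the broker process shown there.

```python
"""Audit a Pulsar broker.conf for plaintext listeners left enabled next to
TLS ones, cross-checked against `netstat -ntlp` output. Added example;
sample inputs below are constructed from the report, not captured live."""
import re

# Constructed excerpt of the broker.conf from the report.
BROKER_CONF = """\
brokerServicePort=6650
brokerServicePortTls=6651
webServicePort=8080
webServicePortTls=8443
tlsEnabled=true
tlsCertificateFilePath=/opt/pulsar/security/tls/broker.cert.pem
"""

# Constructed netstat lines in the same shape as the report's output.
NETSTAT = """\
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 17362/java
tcp 0 0 0.0.0.0:6650 0.0.0.0:* LISTEN 17362/java
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 17362/java
tcp 0 0 0.0.0.0:6651 0.0.0.0:* LISTEN 17362/java
tcp 0 0 0.0.0.0:3181 0.0.0.0:* LISTEN 16676/java
"""

PLAINTEXT_KEYS = ("brokerServicePort", "webServicePort")

def parse_conf(text):
    """Parse key=value lines; an empty value means that port is unset."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def listening_ports(netstat_text, pid):
    """Ports the given PID is LISTENing on, taken from netstat -ntlp lines."""
    pat = re.compile(r":(\d+)\s+\S+\s+LISTEN\s+%d/" % pid)
    return {int(m.group(1)) for m in map(pat.search, netstat_text.splitlines()) if m}

def audit(conf_text, netstat_text, pid):
    """Return (plaintext ports configured alongside TLS, those actually open)."""
    conf = parse_conf(conf_text)
    if conf.get("tlsEnabled") != "true":
        return [], []  # nothing to flag unless TLS is meant to be in force
    plain = {int(conf[k]) for k in PLAINTEXT_KEYS if conf.get(k)}
    return sorted(plain), sorted(plain & listening_ports(netstat_text, pid))

if __name__ == "__main__":
    print(audit(BROKER_CONF, NETSTAT, 17362))  # ([6650, 8080], [6650, 8080])
```

An empty result from the second list is what you want to see after restarting with `brokerServicePort=` and `webServicePort=` blank; a non-empty one means clients can still connect without TLS on those ports.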
