thomaeschen opened a new issue #12313:
URL: https://github.com/apache/pulsar/issues/12313


   **Describe the bug**
   Follow the instructions from the latest Apache document to set up a TLS 
connection. The system will generate an error related to the handshake and it 
shows "TLSV1_ALERT_CERTIFICATE_REQUIRED".
   
   **To Reproduce**
   Steps to reproduce the behavior:
   
   Follow the document 
https://pulsar.apache.org/docs/en/security-tls-transport/ to create a 
public certificate, server certificate and server key, and put the settings in 
the broker.conf. I also configured the client.conf with the server certificate 
in it and then used the CLI tool to connect to the broker (same tlsTrustCertsFile). 
The client shows the error "TLSV1_ALERT_CERTIFICATE_REQUIRED".
   
   The client could connect to the broker successfully once I set 
tlsRequireTrustedClientCertOnConnect=false.
   
   Please help me fix the issue
   
   
   23:10:54.808 [pulsar-client-io-1-1] WARN  org.apache.pulsar.client.impl.ClientCnx - [cnpulsar01.holystone.com.tw/192.168.60.53:6651] Got exception io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: error:1000045c:SSL routines:OPENSSL_internal:TLSV1_ALERT_CERTIFICATE_REQUIRED
           at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
           at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
           at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
           at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
           at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
           at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
           at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
           at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480)
           at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
           at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
           at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
           at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
           at java.base/java.lang.Thread.run(Thread.java:829)
   Caused by: javax.net.ssl.SSLException: error:1000045c:SSL routines:OPENSSL_internal:TLSV1_ALERT_CERTIFICATE_REQUIRED
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1055)
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1349)
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1289)
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1374)
           at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1417)
           at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:224)
           at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1344)
           at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1248)
           at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1288)
           at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
           at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
   
   
   
   **Expected behavior**
   The client could connect to the broker and start consuming the messages.
   
   **Screenshots**
   
![image](https://user-images.githubusercontent.com/87412552/136664765-1fd9aa56-65a7-43f2-a9ba-69f77cd828c9.png)
   broker.conf
   
![image](https://user-images.githubusercontent.com/87412552/136664824-3d9ce06c-cfce-4a8b-a797-6c13fefc26c3.png)
   client.conf
   
![image](https://user-images.githubusercontent.com/87412552/136664886-872e7e37-1c98-4091-a29b-16ad48db50df.png)
   
   
   
   **Desktop (please complete the following information):**
   Ubuntu 18.04.5 LTS (Bionic Beaver)
   Apache Pulsar 2.8.1
   openjdk version "11.0.11" 2021-04-20
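
A check for the mismatch this report describes, as an added example that is not part of the original issue or of Pulsar: with `tlsRequireTrustedClientCertOnConnect=true` the broker demands a client certificate during the handshake, and a client.conf that only sets a trust file has none to send. The config contents are constructed (the reporter's exist only as screenshots), `check_pair` and the other helper names are hypothetical, and `authParams` is assumed to use the `key:value,key:value` form of the `AuthenticationTls` plugin.

```python
# Constructed sample configs (not the reporter's files; theirs are only in screenshots).
BROKER_CONF = """\
brokerServicePortTls=6651
tlsCertificateFilePath=/path/to/broker.cert.pem
tlsKeyFilePath=/path/to/broker.key-pk8.pem
tlsTrustCertsFilePath=/path/to/ca.cert.pem
tlsRequireTrustedClientCertOnConnect=true
"""
CLIENT_CONF = """\
brokerServiceUrl=pulsar+ssl://broker.example.com:6651/
useTls=true
tlsTrustCertsFilePath=/path/to/ca.cert.pem
"""
CLIENT_CONF_MTLS = CLIENT_CONF + (
    "authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls\n"
    "authParams=tlsCertFile:/path/to/client.cert.pem,"
    "tlsKeyFile:/path/to/client.key-pk8.pem\n"
)

def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def client_presents_cert(client):
    """True if client.conf selects the TLS auth plugin with a cert and key.
    Assumes authParams in 'key:value,key:value' form."""
    if not client.get("authPlugin", "").endswith(".AuthenticationTls"):
        return False
    params = dict(p.split(":", 1) for p in client.get("authParams", "").split(",") if ":" in p)
    return bool(params.get("tlsCertFile") and params.get("tlsKeyFile"))

def check_pair(broker_text, client_text):
    """Return findings for a broker.conf / client.conf pair."""
    broker, client = parse_conf(broker_text), parse_conf(client_text)
    required = broker.get("tlsRequireTrustedClientCertOnConnect", "false").lower() == "true"
    findings = []
    if required and not broker.get("tlsTrustCertsFilePath"):
        findings.append("broker requires client certs but sets no tlsTrustCertsFilePath")
    if required and not client_presents_cert(client):
        findings.append("client presents no certificate: expect TLSV1_ALERT_CERTIFICATE_REQUIRED")
    return findings

if __name__ == "__main__":
    for name, conf in (("trust-only", CLIENT_CONF), ("with client cert", CLIENT_CONF_MTLS)):
        print(name, "->", check_pair(BROKER_CONF, conf) or "ok")
```

Setting the flag to `false` removes the client-certificate requirement, so client identity then has to be established by another authentication mechanism.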
   
   
   

