Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/12/16 08:40:57 UTC

[GitHub] [pulsar] xiasf commented on issue #13283: websocket when ssl tsl is enabled, error reported: Error during handshake

xiasf commented on issue #13283:
URL: https://github.com/apache/pulsar/issues/13283#issuecomment-995556861


   
   ❤ Thank you very much. It's already solved. It was a configuration problem, but also because the documentation is not clear enough.
   
   These points solved my problem:
   
   1. `bin/pulsar standalone` will not use websocket.conf
   
   
   2. The ws client trusts the CA root certificate and is set not to verify the host name
   
   ```python
   import websocket  # from the websocket-client package
   ws = websocket.WebSocket(sslopt={'ca_certs': '/root/my-ca6/certs/ca.cert.pem', "check_hostname": False})
   ```
   
   3. Note the difference between server certificate and client certificate issuance: `-extensions server_cert` or `-extensions usr_cert`
   
   4. If `tlsRequireTrustedClientCertOnConnect=true` is enabled, this configuration is required:
   
   client.conf
   ```
   authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
   authParams={"tlsCertFile":"/root/my-ca6/admin.cert.pem","tlsKeyFile":"/root/my-ca6/admin.key-pk8.pem"}
   ```
   
   standalone.conf
   ```
   brokerClientTlsEnabled=true
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
   brokerClientAuthenticationParameters={"tlsCertFile":"/root/my-ca6/admin.cert.pem","tlsKeyFile":"/root/my-ca6/admin.key-pk8.pem"}
   brokerClientTrustCertsFilePath=/root/my-ca6/certs/ca.cert.pem
   ```
   
   Related documents:
   
   https://pulsar.apache.org/docs/en/next/security-tls-authentication/
   
   https://github.com/apache/pulsar/issues/5598
   
   https://github.com/apache/pulsar/issues/12313
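
An added example, not part of xiasf's comment or of Pulsar itself: a small check that a standalone.conf which sets `tlsRequireTrustedClientCertOnConnect=true` also carries the four broker-client settings listed in point 4. The sample configurations are constructed, the function names are hypothetical, and only the JSON form of the parameters shown in the comment is handled.

```python
import json

TLS_AUTH = "org.apache.pulsar.client.impl.auth.AuthenticationTls"
# Constructed sample inputs; the paths reuse the ones in the comment above.
GOOD_CONF = """\
tlsRequireTrustedClientCertOnConnect=true
brokerClientTlsEnabled=true
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters={"tlsCertFile":"/root/my-ca6/admin.cert.pem","tlsKeyFile":"/root/my-ca6/admin.key-pk8.pem"}
brokerClientTrustCertsFilePath=/root/my-ca6/certs/ca.cert.pem
"""
BAD_CONF = """\
tlsRequireTrustedClientCertOnConnect=true
brokerClientTlsEnabled=true
brokerClientAuthenticationParameters={"tlsCertFile":"/root/my-ca6/admin.cert.pem"}
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    pairs = (ln.partition("=") for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def check_standalone(text):
    """Return a list of problems; an empty list means the settings line up."""
    conf = parse_conf(text)
    if conf.get("tlsRequireTrustedClientCertOnConnect", "").lower() != "true":
        return []  # client certificates are not required; nothing to check
    problems = []
    if conf.get("brokerClientTlsEnabled", "").lower() != "true":
        problems.append("brokerClientTlsEnabled is not true")
    if conf.get("brokerClientAuthenticationPlugin") != TLS_AUTH:
        problems.append("brokerClientAuthenticationPlugin is not AuthenticationTls")
    if not conf.get("brokerClientTrustCertsFilePath"):
        problems.append("brokerClientTrustCertsFilePath is empty")
    try:  # assumption: only the JSON form used in the comment is accepted
        params = json.loads(conf.get("brokerClientAuthenticationParameters") or "{}")
    except json.JSONDecodeError:
        return problems + ["brokerClientAuthenticationParameters is not valid JSON"]
    for name in ("tlsCertFile", "tlsKeyFile"):
        if not (isinstance(params, dict) and params.get(name)):
            problems.append(f"brokerClientAuthenticationParameters lacks {name}")
    return problems

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_standalone(text) or "ok")
```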
   

