Posted to dev@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/11/18 00:43:36 UTC

[GitHub] [pulsar-helm-chart] devinbost edited a comment on issue #84: TLS Authentication in Kubernetes, Pulsar 2.6.1 - Broker crash loop on startup due to 401 in WorkerService.start(..)

devinbost edited a comment on issue #84:
URL: https://github.com/apache/pulsar-helm-chart/issues/84#issuecomment-729301860


   It appears (from the debug logs) that the TLS session is established.
   The exception "Client unable to authenticate with TLS certificate" is thrown in AuthenticationProviderTls from this block:
   
       @Override
       public String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
           String commonName = null;
   
           if (authData.hasDataFromTls()) {
               Certificate[] certs = authData.getTlsCertificates();
               String distinguishedName = ((X509Certificate) certs[0]).getSubjectX500Principal().getName();
               for (String keyValueStr : distinguishedName.split(",")) {
                   String[] keyValue = keyValueStr.split("=", 2);
                   if (keyValue.length == 2 && "CN".equals(keyValue[0]) && !keyValue[1].isEmpty()) {
                       commonName = keyValue[1];
                       break;
                   }
               }
           }
   
           if (commonName == null) {
               throw new AuthenticationException("Client unable to authenticate with TLS certificate");
           }
   
           return commonName;
       }
   (https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java#L86)
   
   That implies that the CN is blank... However, the TLS logs (see attached) show that a CN is clearly present.
   So, I'm not sure that I understand what is wrong here. 
    
   [pulsarbroker.txt](https://github.com/apache/pulsar-helm-chart/files/5557017/pulsarbroker.txt)
   

