devinbost edited a comment on issue #84: URL: https://github.com/apache/pulsar-helm-chart/issues/84#issuecomment-729301860
It appears (from the debug logs) that the TLS session is established. The exception "Client unable to authenticate with TLS certificate" is thrown in AuthenticationProviderTls from this block:

```java
@Override
public String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
    String commonName = null;
    if (authData.hasDataFromTls()) {
        Certificate[] certs = authData.getTlsCertificates();
        String distinguishedName = ((X509Certificate) certs[0]).getSubjectX500Principal().getName();
        for (String keyValueStr : distinguishedName.split(",")) {
            String[] keyValue = keyValueStr.split("=", 2);
            if (keyValue.length == 2 && "CN".equals(keyValue[0]) && !keyValue[1].isEmpty()) {
                commonName = keyValue[1];
                break;
            }
        }
    }

    if (commonName == null) {
        throw new AuthenticationException("Client unable to authenticate with TLS certificate");
    }
    return commonName;
}
```

(https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java#L86)

That implies that the CN is blank... However, the TLS logs (see attached) show that a CN is clearly present. So, I'm not sure that I understand what is wrong here.

[pulsarbroker.txt](https://github.com/apache/pulsar-helm-chart/files/5557017/pulsarbroker.txt)
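Added example, not part of the original comment or of the Pulsar source: a standalone Java harness that runs the same split-based CN loop over constructed DN strings (written in the RFC 2253 form that `getName()` returns) next to the JDK's `LdapName` parser, showing each way `commonName` stays null in the quoted block. The class name, method names and sample DNs are assumptions; a null DN stands in for `hasDataFromTls()` returning false.

```java
import java.util.Arrays;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {

    // Same split-based loop as the authenticate() block quoted above.
    // A null DN models authData.hasDataFromTls() returning false.
    static String splitCn(String distinguishedName) {
        if (distinguishedName == null) {
            return null;
        }
        for (String keyValueStr : distinguishedName.split(",")) {
            String[] keyValue = keyValueStr.split("=", 2);
            if (keyValue.length == 2 && "CN".equals(keyValue[0]) && !keyValue[1].isEmpty()) {
                return keyValue[1];
            }
        }
        return null;
    }

    // Reference parse with the JDK's RFC 2253 parser, for comparison only.
    static String ldapCn(String distinguishedName) throws NamingException {
        if (distinguishedName == null) {
            return null;
        }
        for (Rdn rdn : new LdapName(distinguishedName).getRdns()) {
            Attribute cn = rdn.toAttributes().get("CN");
            if (cn != null) {
                return String.valueOf(cn.get());
            }
        }
        return null;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample DNs (not taken from the attached broker log).
        List<String> samples = Arrays.asList(
            "CN=client,OU=pulsar,O=example",  // plain CN: both parsers agree
            "OU=pulsar,O=example",            // no CN attribute at all
            "OU=pulsar+CN=client,O=example",  // CN inside a multi-valued RDN
            "CN=Doe\\, John,O=example",       // escaped comma inside the CN value
            null);                            // no TLS data reached the provider
        for (String dn : samples) {
            String cn = splitCn(dn);
            System.out.printf("%-32s split=%-8s ldap=%-10s %s%n", dn, cn, ldapCn(dn),
                cn == null ? "-> AuthenticationException" : "-> role " + cn);
        }
    }
}
```

The null row and the two rows without a leading `CN=` token all end in the same exception message, so the message alone does not distinguish "no certificate data reached the provider" from "no CN was found in the DN".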