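I configured broker.conf and tried to create a TLS-enabled client. As far as I can tell, I provided the certificate paths correctly. When I try to run the client, it shows the following error.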
2019-09-27 13:30:36.586 INFO ConnectionPool:72 | Created connection for pulsar+ssl://broker.example.com:6651/
2019-09-27 13:30:36.605 ERROR ClientConnection:441 | [<none> -> pulsar+ssl://broker.example.com:6651/] Resolve error: asio.netdb:1 : Host not found (authoritative)
2019-09-27 13:30:36.605 INFO ClientConnection:1337 | [<none> -> pulsar+ssl://broker.example.com:6651/] Connection closed
2019-09-27 13:30:36.605 ERROR ClientImpl:182 | Error Checking/Getting Partition Metadata while creating producer on persistent://public/default/demo -- 5
Traceback (most recent call last):
File "producer.py", line 7, in <module>
producer = client.create_producer('persistent://public/default/demo')
File "/home/loghi/.local/lib/python2.7/site-packages/pulsar/__init__.py", line 476, in create_producer
p._producer = self._client.create_producer(topic, conf)
Exception: Pulsar error: ConnectError
2019-09-27 13:30:36.608 INFO ClientConnection:229 | [<none> -> pulsar+ssl://broker.example.com:6651/] Destroyed connection
This is the broker.conf authentication configuration that I followed from the Apache Pulsar documentation.
### --- Authentication --- ###
# Role names that are treated as "proxy roles". If the broker sees a request with
#role as proxyRoles - it will demand to see a valid original principal.
proxyRoles=
# If this flag is set then the broker authenticates the original Auth data
# else it just accepts the originalPrincipal and authorizes it (if required).
authenticateOriginalAuthData=false
# Deprecated - Use webServicePortTls and brokerServicePortTls instead
tlsEnabled=true
# Tls cert refresh duration in seconds (set 0 to check on every new connection)
tlsCertRefreshCheckDurationSec=300
# Path for the TLS certificate file
tlsCertificateFilePath=/home/loghi/Downloads/apache-pulsar-2.4.1-bin/apache-pulsar-2.4.1/my-ca/broker.cert.pem
# Path for the TLS private key file
tlsKeyFilePath=/home/loghi/Downloads/apache-pulsar-2.4.1-bin/apache-pulsar-2.4.1/my-ca/broker.key.pem
# Path for the trusted TLS certificate file.
# This cert is used to verify that any certs presented by connecting clients
# are signed by a certificate authority. If this verification
# fails, then the certs are untrusted and the connections are dropped.
tlsTrustCertsFilePath=/home/loghi/Downloads/apache-pulsar-2.4.1-bin/apache-pulsar-2.4.1/my-ca/certs/ca.cert.pem
# Accept untrusted TLS certificate from client.
# If true, a client with a cert which cannot be verified with the
# 'tlsTrustCertsFilePath' cert will allowed to connect to the server,
# though the cert will not be used for client authentication.
tlsAllowInsecureConnection=false
# Specify the tls protocols the broker will use to negotiate during TLS handshake
# (a comma-separated list of protocol names).
# Examples:- [TLSv1.2, TLSv1.1, TLSv1]
tlsProtocols=
# Specify the tls cipher the broker will use to negotiate during TLS Handshake
# (a comma-separated list of ciphers).
# Examples:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
tlsCiphers=
# Trusted client certificates are required for to connect TLS
# Reject the Connection if the Client Certificate is not trusted.
# In effect, this requires that all connecting clients perform TLS client
# authentication.
tlsRequireTrustedClientCertOnConnect=false
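It seems that the host connection is not being started on port 6651 in the broker. I checked, and only port 6650 is open for connections. It works fine without TLS enabled.
Thanks in advance for your help.
Thank you.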
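A check for the two symptoms in the post above (the "Host not found" resolve error in the log, and nothing listening on 6651), as an added example that is not part of the original post or of Apache Pulsar. It assumes that an unset `brokerServicePortTls` or `webServicePortTls` (the keys named in the config's deprecation comment) means no TLS listener is started; `parse_conf`, `audit`, `failing_resolver` and the sample config are constructed for illustration.

```python
import socket
from urllib.parse import urlparse

# Keys named in the deprecation comment of the posted broker.conf.
TLS_PORT_KEYS = ("brokerServicePortTls", "webServicePortTls")

def parse_conf(text):
    """Parse key=value lines of a broker.conf, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf_text, service_url, resolve=socket.getaddrinfo):
    """Return a list of findings for a pulsar+ssl client that fails to connect."""
    conf, findings = parse_conf(conf_text), []
    url = urlparse(service_url)
    # 1. The log's "Host not found" is a DNS failure, before any TLS happens.
    try:
        resolve(url.hostname, url.port)
    except socket.gaierror:
        findings.append("dns: %s does not resolve" % url.hostname)
    # 2. Assumption: an unset TLS port key means no TLS listener is started.
    for key in TLS_PORT_KEYS:
        if not conf.get(key):
            findings.append("conf: %s is not set" % key)
    if conf.get("brokerServicePortTls") and str(url.port) != conf["brokerServicePortTls"]:
        findings.append("conf: client port %s != brokerServicePortTls" % url.port)
    # 3. Weak setting worth flagging once TLS works.
    if conf.get("tlsAllowInsecureConnection", "false").lower() == "true":
        findings.append("tls: untrusted client certificates are accepted")
    return findings

# Constructed sample mirroring the posted configuration (paths shortened).
SAMPLE_CONF = """
# Deprecated - Use webServicePortTls and brokerServicePortTls instead
tlsEnabled=true
tlsCertificateFilePath=/path/to/broker.cert.pem
tlsAllowInsecureConnection=false
"""

def failing_resolver(host, port):  # stands in for the DNS failure in the log
    raise socket.gaierror(1, "Host not found (authoritative)")

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF, "pulsar+ssl://broker.example.com:6651/", failing_resolver):
        print(f)
```

Passing the real broker.conf text and leaving `resolve` at its default runs the same checks against live DNS.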