Apache Pulsar unable to validate issuer certificate when attempting to load OpenID Connect provider

Question

I've attempted to follow the instructions on https://pulsar.apache.org/docs/3.0.x/security-openid-connect/ in order to enable OpenID Connect Authentication, but can't seem to get past a certificate error.

I believe this error stems from pulsar's AuthenticationProviderOpenID.java class, where in the initialize method it attempts to set up the SSL context to enable a secure connection to the issuer URL provided.

In the example broker.conf it says that the "openIDTokenIssuerTrustCertsFilePath" is an optional setting and that it will use the trust store of the JVM. So I ensured that the required certificates were added to the trust store found at ".../jre/lib/security/cacerts" on my broker instance and left that config value blank. This did not work; I was presented with the error:

Caused by: java.lang.IllegalArgumentException: File does not contain valid certificates:
....
Caused by: java.security.cert.CertificateException: could not find certificate file:
at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:68) ~[io.netty-netty-handler-4.1.89.Final.jar:4.1.89.Final]

This to me seemed to indicate that it was expecting a .pem file to be supplied, so I copied the pem file onto the broker server and supplied the absolute path to the file as openIDTokenIssuerTrustCertsFilePath=/opt/pulsar/certificates/certificate.pem

but I received the error

Caused by: java.security.cert.CertificateException: found no certificates in input stream

Here is an example of the broker.conf settings I'm using.

broker.conf settings
authenticationProviders=org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID

openIDAllowedTokenIssuers=https://login-stg.somewebsite.com/
openIDAllowedAudiences=https://auth0-some-website.com/maas, https://some-stg.some-dev.auth0.com/userinfo
openIDTokenIssuerTrustCertsFilePath=
openIDRoleClaim=https://some-web.com/role

Answer 1

Score: 1


> In the example broker.conf it says that the
> "openIDTokenIssuerTrustCertsFilePath" is an optional setting and that
> it will use the trust store of the JVM. So I ensured that the required
> certificates where added to the trust store found at
> ".../jre/lib/security/cacerts" on my broker instance and left that
> config value as blank.

It will work correctly when you remove the openIDTokenIssuerTrustCertsFilePath= from your broker.conf file. Having a blank openIDTokenIssuerTrustCertsFilePath= is incorrectly configuring the provider to attempt to load the "" file, which explains the unhelpful error message.

Note: https://github.com/apache/pulsar/pull/20745 should improve the behavior in a future release of pulsar by interpreting an empty configuration as using the OS's trust store.

> Caused by: java.security.cert.CertificateException: found no certificates in input stream

In my testing, I observed this same error when the file was not in PEM format. I verified that the feature does work for custom trust stores configured using correctly formatted files with these modified tests: https://github.com/apache/pulsar/pull/20746.

Here is my full stack trace for the incorrectly formatted CA cert:

java.lang.IllegalArgumentException: File does not contain valid certificates: /Users/michaelmarshall/dev/apache/pulsar/pulsar-broker-auth-oidc/target/test-classes/certificate-authority/jks/broker.keystore.jks

	at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:261)
	at org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID.initialize(AuthenticationProviderOpenID.java:172)
	at org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenIDIntegrationTest.testKidCacheMissWhenRefreshConfigZero(AuthenticationProviderOpenIDIntegrationTest.java:347)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.testng.internal.invokers.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:139)
	at org.testng.internal.invokers.TestInvoker.invokeMethod(TestInvoker.java:677)
	at org.testng.internal.invokers.TestInvoker.invokeTestMethod(TestInvoker.java:221)
	at org.testng.internal.invokers.MethodRunner.runInSequence(MethodRunner.java:50)
	at org.testng.internal.invokers.TestInvoker$MethodInvocationAgent.invoke(TestInvoker.java:969)
	at org.testng.internal.invokers.TestInvoker.invokeTestMethods(TestInvoker.java:194)
	at org.testng.internal.invokers.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:148)
	at org.testng.internal.invokers.TestMethodWorker.run(TestMethodWorker.java:128)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
	at org.testng.TestRunner.privateRun(TestRunner.java:829)
	at org.testng.TestRunner.run(TestRunner.java:602)
	at org.testng.SuiteRunner.runTest(SuiteRunner.java:437)
	at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:431)
	at org.testng.SuiteRunner.privateRun(SuiteRunner.java:391)
	at org.testng.SuiteRunner.run(SuiteRunner.java:330)
	at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
	at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:95)
	at org.testng.TestNG.runSuitesSequentially(TestNG.java:1256)
	at org.testng.TestNG.runSuitesLocally(TestNG.java:1176)
	at org.testng.TestNG.runSuites(TestNG.java:1099)
	at org.testng.TestNG.run(TestNG.java:1067)
	at com.intellij.rt.testng.IDEARemoteTestNG.run(IDEARemoteTestNG.java:66)
	at com.intellij.rt.testng.RemoteTestNGStarter.main(RemoteTestNGStarter.java:105)
Caused by: java.security.cert.CertificateException: found no certificates in input stream
	at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:107)
	at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:63)
	at io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:1219)
	at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:259)
	... 29 more
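As an added example (not from the question, the answer, or the Pulsar project): a POSIX shell preflight check that flags the two misconfigurations the answer describes, an empty openIDTokenIssuerTrustCertsFilePath= line and a trust file that is not PEM. It assumes broker.conf uses plain key=value lines; the sample configs and the certificate contents it writes are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not Pulsar's own tooling): preflight check for the
# openIDTokenIssuerTrustCertsFilePath setting in a broker.conf.
# Assumes plain key=value lines with no line continuations.

# Exit codes: 0 = config usable; 1 = key present but empty (the provider
# would try to load the file ""); 2 = file missing or not PEM (e.g. a JKS).
check_oidc_trust_config() {
  conf=$1
  line=$(grep -E '^[[:space:]]*openIDTokenIssuerTrustCertsFilePath=' "$conf" | tail -n 1)
  if [ -z "$line" ]; then
    echo "ok: key absent, the JVM trust store will be used"
    return 0
  fi
  # Value after the first '=' with surrounding whitespace trimmed.
  path=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
  if [ -z "$path" ]; then
    echo "error: openIDTokenIssuerTrustCertsFilePath= is empty; delete the line instead"
    return 1
  fi
  if [ ! -r "$path" ]; then
    echo "error: trust file '$path' is missing or unreadable"
    return 2
  fi
  # Netty's PemReader only accepts PEM, so a JKS/PKCS#12 keystore fails with
  # "found no certificates in input stream". Require a PEM certificate block.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path" \
     || ! grep -q -- '-----END CERTIFICATE-----' "$path"; then
    echo "error: trust file '$path' contains no PEM certificate block"
    return 2
  fi
  echo "ok: trust file '$path' looks like a PEM certificate bundle"
  return 0
}

# Stand-alone demo on constructed inputs (placeholder contents, not real certs).
demo_dir=$(mktemp -d)
printf 'openIDTokenIssuerTrustCertsFilePath=\n' > "$demo_dir/empty.conf"
printf 'JKS-binary-placeholder\n' > "$demo_dir/broker.keystore.jks"
printf 'openIDTokenIssuerTrustCertsFilePath=%s\n' "$demo_dir/broker.keystore.jks" > "$demo_dir/jks.conf"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(constructed placeholder)' \
  '-----END CERTIFICATE-----' > "$demo_dir/ca.pem"
printf 'openIDTokenIssuerTrustCertsFilePath=%s\n' "$demo_dir/ca.pem" > "$demo_dir/pem.conf"
for c in empty jks pem; do check_oidc_trust_config "$demo_dir/$c.conf"; done
```

Run it against the real broker.conf with `check_oidc_trust_config /path/to/broker.conf` after sourcing the function; a nonzero exit tells you which of the two errors in the answer you are about to hit before the broker starts.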

huangapple
  • Posted on 2023-07-07 02:47:07
  • Please retain this link when reposting: https://go.coder-hub.com/76631732.html