Configured TLS following the official Pulsar documentation; the broker reports an error and will not start.

The Pulsar version we use is 2.9.2, so the Pulsar documentation we followed is also for 2.9.2.
We followed the official Pulsar documentation - Transport Encryption using TLS | Apache Pulsar

All three files are generated successfully: broker.cert.pem, broker.key-pk8.pem, ca.cert.pem

Then we configured the broker; after modifying the conf/broker.conf configuration file, starting the broker gives the error below.

Is any further configuration required?

The broker-side configuration is as follows:

tlsEnabled=true
tlsRequireTrustedClientCertOnConnect=true
tlsCertificateFilePath=/home/pulsar/my-ca/broker.cert.pem
tlsKeyFilePath=/home/pulsar/my-ca/broker.key-pk8.pem
tlsTrustCertsFilePath=/home/pulsar/my-ca/certs/ca.cert.pem
tlsProtocols=TLSv1.3,TLSv1.2
tlsCiphers=TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_CBC_SHA

Starting the broker gives the following error.
Without the configuration above, the broker runs normally.

2022-07-27T15:50:53,544+0800 [bookkeeper-ml-scheduler-OrderedScheduler-8-0] INFO  org.apache.pulsar.broker.PulsarService - Loaded 1 topics on pulsar/pulsar291/10.169.45.90:8080/0x00000000_0xffffffff -- time taken: 0.441 seconds
2022-07-27T15:50:53,599+0800 [main] INFO  org.apache.pulsar.broker.PulsarService - created admin with url http://10.169.45.90:8080
2022-07-27T15:50:55,780+0800 [main] ERROR io.streamnative.pulsar.handlers.kop.AbstractPulsarClient - Failed to create PulsarClient
org.apache.pulsar.client.api.PulsarClientException$InvalidConfigurationException: Invalid client configuration
	at org.apache.pulsar.client.impl.PulsarClientImpl.<init>(PulsarClientImpl.java:165) ~[org.apache.pulsar-pulsar-client-original-2.9.1.jar:2.9.1]
	at org.apache.pulsar.client.impl.PulsarClientImpl.<init>(PulsarClientImpl.java:156) ~[org.apache.pulsar-pulsar-client-original-2.9.1.jar:2.9.1]
	at org.apache.pulsar.client.impl.PulsarClientImpl.<init>(PulsarClientImpl.java:137) ~[org.apache.pulsar-pulsar-client-original-2.9.1.jar:2.9.1]
	at io.streamnative.pulsar.handlers.kop.AbstractPulsarClient.createPulsarClient(AbstractPulsarClient.java:98) ~[SG1FgIAcfSj5gLHzE7UQZA/:?]
	at io.streamnative.pulsar.handlers.kop.LookupClient.<init>(LookupClient.java:30) ~[SG1FgIAcfSj5gLHzE7UQZA/:?]
	at io.streamnative.pulsar.handlers.kop.KafkaProtocolHandler.start(KafkaProtocolHandler.java:471) ~[SG1FgIAcfSj5gLHzE7UQZA/:?]
	at org.apache.pulsar.broker.protocol.ProtocolHandlerWithClassLoader.start(ProtocolHandlerWithClassLoader.java:75) ~[org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at org.apache.pulsar.broker.protocol.ProtocolHandlers.lambda$start$4(ProtocolHandlers.java:142) ~[org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at java.lang.Iterable.forEach(Iterable.java:75) [?:?]
	at org.apache.pulsar.broker.protocol.ProtocolHandlers.start(ProtocolHandlers.java:142) [org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:742) [org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at org.apache.pulsar.PulsarBrokerStarter$BrokerStarter.start(PulsarBrokerStarter.java:273) [org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at org.apache.pulsar.PulsarBrokerStarter.main(PulsarBrokerStarter.java:350) [org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
2022-07-27T15:50:55,790+0800 [main] ERROR org.apache.pulsar.broker.PulsarService - Failed to start Pulsar service: org.apache.pulsar.client.api.PulsarClientException$InvalidConfigurationException: Invalid client configuration
java.lang.IllegalStateException: org.apache.pulsar.client.api.PulsarClientException$InvalidConfigurationException: Invalid client configuration
	at io.streamnative.pulsar.handlers.kop.AbstractPulsarClient.createPulsarClient(AbstractPulsarClient.java:101) ~[?:?]
	at io.streamnative.pulsar.handlers.kop.LookupClient.<init>(LookupClient.java:30) ~[?:?]
	at io.streamnative.pulsar.handlers.kop.KafkaProtocolHandler.start(KafkaProtocolHandler.java:471) ~[?:?]
	at org.apache.pulsar.broker.protocol.ProtocolHandlerWithClassLoader.start(ProtocolHandlerWithClassLoader.java:75) ~[org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at org.apache.pulsar.broker.protocol.ProtocolHandlers.lambda$start$4(ProtocolHandlers.java:142) ~[org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at java.lang.Iterable.forEach(Iterable.java:75) ~[?:?]
	at org.apache.pulsar.broker.protocol.ProtocolHandlers.start(ProtocolHandlers.java:142) ~[org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:742) [org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at org.apache.pulsar.PulsarBrokerStarter$BrokerStarter.start(PulsarBrokerStarter.java:273) [org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
	at org.apache.pulsar.PulsarBrokerStarter.main(PulsarBrokerStarter.java:350) [org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1]
Caused by: org.apache.pulsar.client.api.PulsarClientException$InvalidConfigurationException: Invalid client configuration
	at org.apache.pulsar.client.impl.PulsarClientImpl.<init>(PulsarClientImpl.java:165) ~[org.apache.pulsar-pulsar-client-original-2.9.1.jar:2.9.1]
	at org.apache.pulsar.client.impl.PulsarClientImpl.<init>(PulsarClientImpl.java:156) ~[org.apache.pulsar-pulsar-client-original-2.9.1.jar:2.9.1]
	at org.apache.pulsar.client.impl.PulsarClientImpl.<init>(PulsarClientImpl.java:137) ~[org.apache.pulsar-pulsar-client-original-2.9.1.jar:2.9.1]
	at io.streamnative.pulsar.handlers.kop.AbstractPulsarClient.createPulsarClient(AbstractPulsarClient.java:98) ~[?:?]
	... 9 more

You need to generate a client certificate, then configure the following parameters

brokerClientTlsEnabled=true
brokerClientTrustCertsFilePath=/path/my-ca/ca.cert.pem
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters={"tlsCertFile":"/path/my-ca/client.cert.pem","tlsKeyFile":"/path/my-ca/client.key-pk8.pem"}

Currently TLS transport encryption and authentication are bundled together; you need to read the Authentication using TLS | Apache Pulsar documentation.
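A configuration consistency check for the dependency the reply describes, added here as an example (not part of the thread and not Pulsar's own tooling): it parses a broker.conf and reports which brokerClient* settings are missing when tlsRequireTrustedClientCertOnConnect=true, since the broker's own internal client (used by protocol handlers such as KoP) must then present a trusted certificate. The sample configs are constructed from the question and the reply above; the /path/my-ca paths are the reply's placeholders.

```python
"""Check that a Pulsar broker.conf that requires trusted client certs also
configures the broker's own internal client (brokerClient* settings)."""
import json

# Settings the reply says are needed once TLS client-cert auth is enforced.
REQUIRED_CLIENT_KEYS = (
    "brokerClientTlsEnabled",
    "brokerClientTrustCertsFilePath",
    "brokerClientAuthenticationPlugin",
    "brokerClientAuthenticationParameters",
)

def parse_conf(text):
    """Parse key=value lines (comments and blank lines ignored) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def check_broker_tls(conf):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if conf.get("tlsEnabled", "false").lower() != "true":
        return problems  # TLS off: nothing to check
    for key in ("tlsCertificateFilePath", "tlsKeyFilePath", "tlsTrustCertsFilePath"):
        if not conf.get(key):
            problems.append(f"{key} is required when tlsEnabled=true")
    if conf.get("tlsRequireTrustedClientCertOnConnect", "false").lower() != "true":
        return problems
    # Client certs are enforced, so the broker's own client needs an identity.
    for key in REQUIRED_CLIENT_KEYS:
        if not conf.get(key):
            problems.append(f"{key} is required when tlsRequireTrustedClientCertOnConnect=true")
    if conf.get("brokerClientTlsEnabled", "true").lower() != "true":
        problems.append("brokerClientTlsEnabled must be true")
    params = conf.get("brokerClientAuthenticationParameters")
    if params:
        try:
            parsed = json.loads(params)
        except ValueError:
            return problems + ["brokerClientAuthenticationParameters is not valid JSON"]
        for k in ("tlsCertFile", "tlsKeyFile"):
            if k not in parsed:
                problems.append(f"brokerClientAuthenticationParameters lacks {k}")
    return problems

# Constructed samples: the asker's broker.conf and the reply's additions.
ASKER_CONF = """tlsEnabled=true
tlsRequireTrustedClientCertOnConnect=true
tlsCertificateFilePath=/home/pulsar/my-ca/broker.cert.pem
tlsKeyFilePath=/home/pulsar/my-ca/broker.key-pk8.pem
tlsTrustCertsFilePath=/home/pulsar/my-ca/certs/ca.cert.pem
"""
REPLY_ADDITIONS = """brokerClientTlsEnabled=true
brokerClientTrustCertsFilePath=/path/my-ca/ca.cert.pem
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters={"tlsCertFile":"/path/my-ca/client.cert.pem","tlsKeyFile":"/path/my-ca/client.key-pk8.pem"}
"""

if __name__ == "__main__":
    for name, text in (("asker", ASKER_CONF), ("fixed", ASKER_CONF + REPLY_ADDITIONS)):
        print(name, check_broker_tls(parse_conf(text)) or "OK")
```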