Failed to create producer: ConnectError when upgrading to 1.8.0

[ericallam]

Hi there, I'm just attempting to upgrade to 1.8.0 (from 1.7.0) and I'm now getting a Failed to create producer: ConnectError error when creating a producer. If I downgrade back to 1.7.0 the same code works fine.

const client = new Pulsar.Client({
  serviceUrl: "pulsar+ssl://<cluster>.<namespace>.snio.cloud:6651",
  authentication: new AuthenticationOauth2({ ... }),
  operationTimeoutSeconds: 5,
});

const producer = await client.createProducer({
  topic: "persistent://public/default/testing-topic",
});

I'm running on macOS 12.5.1 arm, Node.js v18.12.1

[shibd]

Hi, @ericallam Need to confirm, are you getting an auth AuthenticationError? In my environment I reproduce and I get an AuthenticationError

I get the error log:

Response failed for getting the well-known configuration https://dev-kt-aa9ne.us.auth0.com. Error Code 60: SSL certificate problem: unable to get local issuer certificate

You can add the following code to get the log information:

  Pulsar.Client.setLogHandler((level, file, line, message) => {
    console.log('[%s][%s:%d] %s', Pulsar.LogLevel.toString(level), file, line, message);
  });

[shibd]

When I use pulsar+ssl:, I get the same result as you: Error: Failed to create producer: ConnectError

The essential reason should be this:

Response failed for getting the well-known configuration https://dev-kt-aa9ne.us.auth0.com. Error Code 60: SSL certificate problem: unable to get local issuer certificate

I will check it.

[ericallam]

Just added the logging a retested with 1.8.0 and here's the log got:

[1][ClientConnection:189] [<none> -> pulsar+ssl://<cluster>.<orgid>.snio.cloud:6651] Create ClientConnection, timeout=10000
[3][AuthOauth2:224] Response failed for getting the well-known configuration https://auth.streamnative.cloud/. Error Code 60: SSL certificate problem: unable to get local issuer certificate
[1][ConnectionPool:97] Created connection for pulsar+ssl://<cluster>.<orgid>.snio.cloud:6651
[1][ClientConnection:379] [192.168.1.8:52825 -> 184.72.154.254:6651] Connected to broker
[3][ClientConnection:472] [192.168.1.8:52825 -> 184.72.154.254:6651] Handshake failed: certificate verify failed (SSL routines, tls_process_server_certificate)
[1][ClientConnection:1584] [192.168.1.8:52825 -> 184.72.154.254:6651] Connection closed with ConnectError
[3][ClientImpl:184] Error Checking/Getting Partition Metadata while creating producer on persistent://public/default/test-topic -- ConnectError
[1][ClientConnection:267] [192.168.1.8:52825 -> 184.72.154.254:6651] Destroyed connection

[ericallam]

Are there any workarounds for this issue @shibd?

[shibd]

This can be caused by static linking cross-compiled OpenSSL.

I push a #282 to fix this. Before that, you can refer to How to build of README to build from the source(I tested it, and it can work).

[ericallam]

Thanks, will take a look at building from source 👍

[shibd]

Summary

This is because cross-compilation results in the CA cert bundle not being set on the ARM64 Mac. Refer to this: apache/pulsar-client-cpp#184 (comment)

We need to wait for this PR to be released and then upgrade the CPP dependencies.

It can then be solved on arm64 by configuring tlsTrustCertsFilePath

  const client = new Pulsar.Client({
    serviceUrl: 'url',
    tlsTrustCertsFilePath:'/etc/ssl/cert.pem',
  });

[shibd]

v1.8.1 has already been released, and it can fix this issue.