CiscoDevNet / yangsuite

Cisco YANG Suite provides a set of tools and plugins to learn, test, and adopt YANG programmable interfaces such as NETCONF, RESTCONF, gNMI and more.

JSONDecodeError while adding certificate to device #35

Closed damsolo closed 2 years ago

damsolo commented 2 years ago

Problem: While creating a new device, each addition of a certificate/key generates the following error (let's say we create the ech device):

[pid: 40|app: 0|req: 3/10] 172.18.0.1 () {60 vars in 1072 bytes} [Wed Oct  6 11:18:59 2021] POST /devices/upload/ech => generated 27 bytes in 10 msecs (HTTP/2.0 500) 4 headers in 126 bytes (1 switches on core 0)
[06/Oct/2021 11:18:59] ERROR [django.request:118] Internal Server Error: /devices/upload/ech
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/django/core/handlers/exception.py", line 35, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.6/dist-packages/django/core/handlers/base.py", line 128, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.6/dist-packages/django/core/handlers/base.py", line 126, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.6/dist-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/ysdevices/views.py", line 30, in decorated
    return decoratee(request, jsondata, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/ysdevices/views.py", line 163, in file_upload
    profile = YSDeviceProfile.get(device_key)
  File "/usr/local/lib/python3.6/dist-packages/ysdevices/devprofile.py", line 200, in get
    return cls.from_file(profile)
  File "/usr/local/lib/python3.6/dist-packages/ysdevices/devprofile.py", line 208, in from_file
    data = json.load(fp)
  File "/usr/lib/python3.6/json/__init__.py", line 299, in load
    parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
  File "/usr/lib/python3.6/json/__init__.py", line 354, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.6/json/decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.6/json/decoder.py", line 357, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

So when I'm adding two certs and one key I see the above error 3 times in the logs. When I try to do some test with the ech device and a restconf server, I get the following response from the server:

<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.21.1</center>
</body>
</html>

Provided certs and key are valid - curl --cacert data_ca_crt.crt --key data_tls_key.key --cert data_tls_crt.crt "some_restconf_server_endpoint" works fine even from the docker_yangsuite_1 container.


Devprofile exists in docker_yangsuite_1 container:

root@9a2f58c815f7:/ys-data/devices# cat ech.devprofile

{
  "base": {
    "profile_name": "ech",
    "description": "",
    "address": "some_valid_ip",
    "username": "admin",
    "timeout": 30,
    "variables": {},
    "certificate": "data_ca_crt.crt",
    "clientcert": "data_tls_crt.crt",
    "clientkey": "data_tls_key.key",
    "secure_override": "",
    "encrypted_password": "some_encrypted_password"
  },
  "gnmi": {
    "enabled": false,
    "platform": "iosxe",
    "port": 50052,
    "secure_port": 9339,
    "secure": false,
    "secure_override": ""
  },
  "netconf": {
    "enabled": false,
    "device_variant": "default",
    "port": 830,
    "ignore_keys": false,
    "address": "",
    "username": "",
    "timeout": "",
    "encrypted_password": ""
  },
  "restconf": {
    "enabled": true,
    "encoding": "https",
    "base_url": "/restconf",
    "port": 443,
    "address": "",
    "username": "",
    "encrypted_password": ""
  },
  "ssh": {
    "enabled": false,
    "device_variant": "generic_termserver",
    "address": "",
    "port": 22,
    "delay_factor": 1.0,
    "username": "",
    "timeout": "",
    "secure": false,
    "encrypted_password": ""
  },
  "yangsuite": {
    "user": "admin"
  }
}

and certs were copied:

root@9a2f58c815f7:/ys-data/users/admin/devices/ech# ls
data_ca_crt.crt  data_tls_crt.crt  data_tls_key.key

Installed versions: yangsuite==2.8.2 yangsuite_netconf==1.15.3 yangsuite_filemanager==1.8.1 yangsuite_yangtree==1.19.1 yangsuite_devices==2.8.7

OS: Ubuntu 21.04

miott commented 2 years ago

The only protocol using certificates from the yangsuite server as of now is yangsuite-gnmi. I see that you do not have the yangsuite-gnmi plugin installed, so the certificates uploaded are not used.

The certificate device-profile upload location is in the "General" section because the thought was that other protocols may eventually be using the same certificate (probably should have put that in the gnmi section until other protocols use them). I also noticed that there is a "Use SSL Certificate" checkbox in the SSH section and I know for a fact that SSH is not yet set up to use those uploaded certificates.

Are you having difficulty connecting NETCONF or SSH? Let's talk about that.

jeremycohoe commented 2 years ago

Please reply and re-open if you are still needing support - JC
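
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original issue or of yangsuite's code: it reports an empty or non-JSON profile file (one input that yields the `Expecting value: line 1 column 1 (char 0)` text in the traceback) and flags certificate fields that no usable protocol will present. The `CERT_CONSUMERS` mapping, the `yangsuite_gnmi` package name and the function names are assumptions based on miott's comment and the version listing above.

```python
import json

# Assumption taken from the maintainer's comment: only the gNMI plugin uses
# the uploaded certificates. Plugin names follow the thread's version listing.
CERT_CONSUMERS = {"gnmi": "yangsuite_gnmi"}
CERT_FIELDS = ("certificate", "clientcert", "clientkey")
PROTOCOLS = ("gnmi", "netconf", "restconf", "ssh")

def load_profile(text):
    """Parse devprofile text; return (profile, error) instead of raising."""
    if not text.strip():
        # json.load on an empty file raises "Expecting value: line 1 column 1 (char 0)"
        return None, "profile file is empty"
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, f"profile is not valid JSON: {exc}"
    if not isinstance(data, dict) or not isinstance(data.get("base"), dict):
        return None, "profile has no 'base' section"
    return data, None

def audit_profile(text, installed):
    """Warn about certificate settings that no usable protocol will present."""
    profile, error = load_profile(text)
    if error:
        return [error]
    certs = [f for f in CERT_FIELDS if profile["base"].get(f)]
    if not certs:
        return []
    installed = {name.replace("-", "_") for name in installed}
    warnings = []
    for proto in PROTOCOLS:
        section = profile.get(proto)
        enabled = isinstance(section, dict) and section.get("enabled") is True
        plugin = CERT_CONSUMERS.get(proto)
        if plugin is None and enabled:
            warnings.append(f"{proto}: enabled, but does not use {', '.join(certs)}")
        elif plugin is not None and plugin not in installed:
            warnings.append(f"{proto}: {plugin} not installed, certificates unused")
        elif plugin is not None and not enabled:
            warnings.append(f"{proto}: installed but disabled, certificates unused")
    return warnings

# Constructed sample: a trimmed copy of the profile posted in the thread.
SAMPLE = json.dumps({
    "base": {"profile_name": "ech", "certificate": "data_ca_crt.crt",
             "clientcert": "data_tls_crt.crt", "clientkey": "data_tls_key.key"},
    "gnmi": {"enabled": False}, "netconf": {"enabled": False},
    "restconf": {"enabled": True}, "ssh": {"enabled": False}})
INSTALLED = ["yangsuite", "yangsuite_netconf", "yangsuite_devices"]
```

Calling `audit_profile(SAMPLE, INSTALLED)` returns one warning for the missing gNMI plugin and one for RESTCONF being enabled without any use for the uploaded certificate files.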