ElasticHQ / elasticsearch-HQ

Monitoring and Management Web Application for ElasticSearch instances and clusters.
http://www.elastichq.org

SSL - certificate verify failed #428

Closed cyberjeff-u8t closed 5 years ago

cyberjeff-u8t commented 6 years ago

General information

Issue Description

Got a CERTIFICATE_VERIFY_FAILED.

Certificate test ok with curl: curl https://acm-elk-tst.panalpina.com:9200/_cluster/settings?pretty --noproxy acm-elk-tst.panalpina.com -v --cacert ~/ssl/subCA.cer

* About to connect() to acm-elk-tst.panalpina.com port 9200 (#0)
*   Trying 157.168.69.48...
* Connected to acm-elk-tst.panalpina.com (157.168.69.48) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /root/ssl/subCA.cer
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=acm-elk-tst.panalpina.com,O=Panalpina World Transport (Holding) Ltd.,L=Basel,ST=Basel,C=CH
*       start date: Jul 12 16:15:51 2018 GMT
*       expire date: Jul 11 16:15:51 2021 GMT
*       common name: acm-elk-tst.panalpina.com
*       issuer: CN=PA-SUB-02-M01,DC=corp,DC=panorg,DC=com
> GET /_cluster/settings?pretty HTTP/1.1
> User-Agent: curl/7.29.0
> Host: acm-elk-tst.panalpina.com:9200
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 46
<
{
  "persistent" : { },
  "transient" : { }
}

Start command: python -m application --enable-ssl --ca-certs subCA.cer

Source Code / Logs

Traceback (most recent call last):
  File "/usr/lib64/python3.4/logging/handlers.py", line 71, in emit
    if self.shouldRollover(record):
  File "/usr/lib64/python3.4/logging/handlers.py", line 187, in shouldRollover
    msg = "%s\n" % self.format(record)
  File "/usr/lib64/python3.4/logging/__init__.py", line 828, in format
    return fmt.format(record)
  File "/usr/lib64/python3.4/logging/__init__.py", line 565, in format
    record.message = record.getMessage()
  File "/usr/lib64/python3.4/logging/__init__.py", line 328, in getMessage
    msg = msg % self.args
TypeError: not all arguments converted during string formatting
Call stack:
  File "/usr/lib/python3.4/site-packages/eventlet/greenthread.py", line 218, in main
    result = function(*args, **kwargs)
  File "/usr/lib/python3.4/site-packages/eventlet/wsgi.py", line 787, in process_request
    proto.__init__(conn_state, self)
  File "/usr/lib/python3.4/site-packages/eventlet/wsgi.py", line 341, in __init__
    self.handle()
  File "/usr/lib/python3.4/site-packages/eventlet/wsgi.py", line 374, in handle
    self.handle_one_request()
  File "/usr/lib/python3.4/site-packages/eventlet/wsgi.py", line 448, in handle_one_request
    self.handle_one_response()
  File "/usr/lib/python3.4/site-packages/eventlet/wsgi.py", line 545, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python3.4/site-packages/flask/app.py", line 1997, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/lib/python3.4/site-packages/flask_socketio/__init__.py", line 43, in __call__
    start_response)
  File "/usr/lib/python3.4/site-packages/engineio/middleware.py", line 49, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/lib/python3.4/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python3.4/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python3.4/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib64/python3.4/site-packages/flask_restful/__init__.py", line 480, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/lib/python3.4/site-packages/flask/views.py", line 84, in view
    return self.dispatch_request(*args, **kwargs)
  File "/usr/lib64/python3.4/site-packages/flask_restful/__init__.py", line 595, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/opt/elasticHQ/elastichq/common/exceptions.py", line 29, in _request_wrapper
    return functor(*args, **kwargs)
  File "/opt/elasticHQ/elastichq/api/clusters.py", line 121, in post
    enable_ssl=enable_ssl, ca_certs=ca_certs)
  File "/opt/elasticHQ/elastichq/service/ConnectionService.py", line 117, in create_connection
    LOG.error(message, ex)
Message: 'Unable to create connection to: https://acm-elk-tst.panalpina.com:9200'
Arguments: (SSLError(MaxRetryError("HTTPSConnectionPool(host='acm-elk-tst.panalpina.com', port=9200): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)'),))",),),)

cyberjeff-u8t commented 6 years ago

Ok, I'm silly. I found the mistake I made:

--ca-certs ca_bundle

ca_bundle should contain the intermediate certificate and the root certificate.
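
The resolution above, reproduced as an added example (not from the issue or the ElasticHQ project) with a constructed root, sub CA and server certificate whose file names and common names are made up. It assumes the `openssl` CLI is installed and shows OpenSSL's default chain verification, which the Python 3.4 `ssl` module in the traceback relies on, rejecting a trust file that holds only the sub CA and accepting one that holds the sub CA plus the root.

```shell
#!/usr/bin/env bash
# Added example: constructed three-level PKI (root -> sub CA -> server); all names are made up.
set -e
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# Extensions that mark a certificate as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

new_csr root 'Example Root CA'
openssl x509 -req -in root.csr -signkey root.key -days 2 \
  -extfile ca.ext -out root.pem 2>/dev/null            # self-signed root

new_csr sub 'Example Sub CA'
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out sub.pem 2>/dev/null      # intermediate, signed by root

new_csr srv 'es.example.test'
openssl x509 -req -in srv.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 2 -out srv.pem 2>/dev/null                      # server cert, signed by sub CA

cat sub.pem root.pem > ca_bundle.pem                    # intermediate + root

# verifies TRUSTFILE [extra "openssl verify" options]: exit 0 if srv.pem chains to TRUSTFILE.
verifies() {
  trust=$1; shift
  openssl verify "$@" -CAfile "$trust" srv.pem >/dev/null 2>&1
}

report() {  # print PASS/FAIL for one trust configuration
  if verifies "$@"; then echo "PASS  $*"; else echo "FAIL  $*"; fi
}

report sub.pem                  # FAIL: chain stops at a non-self-signed certificate
report ca_bundle.pem            # PASS: chain ends at the self-signed root
report sub.pem -partial_chain   # PASS: intermediate explicitly accepted as trust anchor
```

The third case shows that a client which accepts a non-root certificate as a trust anchor will pass with the sub CA alone, so a successful check in one tool does not guarantee the same trust file works in another.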

n4n0r commented 6 years ago

Hi, +1 here. It would be useful to be able to deactivate SSL verification. This is particularly painful when you want to make this work with the container and the non-verifiable / publicly known certs SSL endpoint. Thanks!

royrusso commented 5 years ago

Closing this, as it's related to #471