PaloAltoNetworks / minemeld-core

Engine of MineMeld
Apache License 2.0

Prototype using a self signed certificate fails as 'certificate verify failed' #240

Closed simonsigre closed 7 years ago

simonsigre commented 7 years ago

Upon trying to leverage an internal data-source in a prototype it continues to fail reporting;

root@xxxxxxx:/usr/local/share/ca-certificates# cat /opt/minemeld/log/* | grep -i handshake | head -n 5
2017-08-14T09:40:39 (25678)basepoller._poll ERROR: Exception in polling loop for 20170814-BL01-Out-YYYYYYYY_public_known_bad: [Errno bad handshake] [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
SSLError: [Errno bad handshake] [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
2017-08-14T09:40:41 (25678)basepoller._poll ERROR: Exception in polling loop for 20170814-BL01-Out-YYYYYYYY_public_known_bad: [Errno bad handshake] [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
SSLError: [Errno bad handshake] [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
2017-08-14T10:40:39 (25678)basepoller._poll ERROR: Exception in polling loop for 20170814-BL01-Out-YYYYYYYY_public_known_bad: [Errno bad handshake] [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
root@xxxxxxx:/usr/local/share/ca-certificates# 

The Root + CA certs are installed correctly and

'openssl s_client -showcerts -connect xxxxx.yyyy.local:443'

Reports fine, as does a 'curl -v'

Certificates are installed in ' /usr/local/share/ca-certificates/' and update-ca-certificates was run.

Looking around online there is reference to Python using a separate location '/etc/ssl/certs/ ' however the update-ca-certificates process has correctly populated this with symlinks.

Does anyone have any idea as to how to get Python to trust a self-signed cert? (about to start checking strace!)

simonsigre commented 7 years ago

strace seems to reference this?

/opt/minemeld/engine/current/local/lib/python2.7/site-packages/certifi/cacert.pem

jtschichold commented 7 years ago

Hi @simonsigre, if you place your cert in /opt/minemeld/local/certs/site and then:

/opt/minemeld/engine/current/bin/mm-cacert-merge --config /opt/minemeld/local/certs/cacert-merge-config.yml --dst /opt/minemeld/local/certs/bundle.crt /opt/minemeld/local/certs/site/

It should create a new bundle merging your cert with certifi certs and use it.

simonsigre commented 7 years ago

@jtschichold should that be the /opt/minemeld/local/certs/ location? Both of our Debian servers were built from the Ansible script, however this folder does not exist.

Furthermore cacert-merge-config.yml does not exist (see below)

root@YYYYYYYY:~# 
root@YYYYYYYY:~# cd  /opt/minemeld/local/certs/site
bash: cd: /opt/minemeld/local/certs/site: No such file or directory
root@YYYYYYYY:~# 
root@YYYYYYYY:~# 
root@YYYYYYYY:~# updatedb
root@YYYYYYYY:~# locate cacert-merge-config.yml
root@YYYYYYYY:~# 
root@YYYYYYYY:~# 
root@YYYYYYYY:~# 

simonsigre commented 7 years ago

@jtschichold is it possible this folder was not created as part of the Ansible deployment process? I don't seem to be able to find any cert bundles except for;

/opt/minemeld/www/webui/node_modules/gulp-sass/node_modules/node-sass/node_modules/node-gyp/test/fixtures/ca-bundle.crt

Could it be using this?

/opt/minemeld/engine/current/lib/python2.7/site-packages/requests/cacert.pem

jtschichold commented 7 years ago

@simonsigre yes, you are right. I have to update the Ansible playbook to create that directory. You can do it easily by:

sudo -u minemeld mkdir -p /opt/minemeld/local/certs/site/
sudo -u minemeld touch /opt/minemeld/local/certs/cacert-merge-config.yml
[copy your CA file in /opt/minemeld/local/certs/site]
sudo -u /opt/minemeld/engine/current/bin/mm-cacert-merge --config /opt/minemeld/local/certs/cacert-merge-config.yml --dst /opt/minemeld/local/certs/bundle.crt /opt/minemeld/local/certs/site/

simonsigre commented 7 years ago

I assume this line

sudo -u /opt/minemeld/engine/current/bin/mm-cacert-merge --config /opt/minemeld/local/certs/cacert-merge-config.yml --dst /opt/minemeld/local/certs/bundle.crt /opt/minemeld/local/certs/site/

Should start out

sudo -u minemeld

simonsigre commented 7 years ago

The following was observed

root@xxxxxxxxxx:~# sudo -u minemeld /opt/minemeld/engine/current/bin/mm-cacert-merge --config /opt/minemeld/local/certs/cacert-merge-config.yml --dst /opt/minemeld/local/certs/bundle.crt /opt/minemeld/local/certs/site/
2017-08-17T11:56:17 (31400)cacert_merge.main INFO: config: {'cafile': ['/opt/minemeld/local/certs/site/'], 'dst': '/opt/minemeld/local/certs/bundle.crt', 'config': '/opt/minemeld/local/certs/cacert-merge-config.yml', 'no_merge_certifi': False}
WARNING: old python version (< 2.7.9) - certificate verification not performed
WARNING: old python version (< 2.7.9) - certificate verification not performed
WARNING: old python version (< 2.7.9) - certificate verification not performed

And I can now see those certificates added into '/opt/minemeld/local/certs/bundle.crt' ... however.. I still receive the same error message.

Should '/opt/minemeld/local/certs/cacert-merge-config.yml' contain any configuration? How does MM know to check the newly created '/opt/minemeld/local/certs/bundle.crt' ?

jtschichold commented 7 years ago

Hi @simonsigre, right, you should add

MM_CA_BUNDLE="/opt/minemeld/local/certs/bundle.crt"

to the environment of minemeld-engine in /opt/minemeld/supervisor/config/conf.d/minemeld-engine.conf, in the environment section. And then restart minemeld service.

Or export:

REQUESTS_CA_BUNDLE="/opt/minemeld/local/certs/bundle.crt"

from /etc/default/minemeld
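
To see what the two steps in this thread amount to (a bundle that merges the certifi certs with the site certs, and the REQUESTS_CA_BUNDLE lookup that makes `requests` verify against it), here is an added example of my own, not mm-cacert-merge or any MineMeld code. It uses only the standard library; the PEM blocks it writes are constructed placeholders, not real certificates, and `demo()` is a helper assumed for this example.

```python
import re
import tempfile
from pathlib import Path

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Base64 bodies of the PEM cert blocks in `text`, whitespace stripped
    so re-wrapped copies of the same certificate compare equal."""
    return [re.sub(r"\s+", "", body) for body in _PEM_RE.findall(text)]


def _wrap_pem(body):
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines


def merge_ca_bundle(base_bundle, site_dir, dst):
    """Write dst = certs of base_bundle + every *.crt/*.pem in site_dir,
    keeping one copy of any duplicate; returns the number written."""
    seen, out = set(), []
    sources = [Path(base_bundle)] + sorted(
        p for p in Path(site_dir).iterdir() if p.suffix in (".crt", ".pem"))
    for src in sources:
        for body in pem_blocks(src.read_text()):
            if body not in seen:
                seen.add(body)
                out.append(_wrap_pem(body))
    Path(dst).write_text("".join(out))
    return len(out)


def requests_ca_bundle(environ, default):
    """Bundle `requests` verifies against with verify=True and trust_env on:
    REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, else the certifi default.
    MM_CA_BUNDLE is read by the MineMeld engine itself, not by requests."""
    return environ.get("REQUESTS_CA_BUNDLE") or environ.get("CURL_CA_BUNDLE") or default


def demo():
    """Constructed inputs (placeholder blocks, not real certificates): a 2-cert
    base bundle, one new site CA, and a site file repeating a base cert."""
    d = Path(tempfile.mkdtemp())
    fake = lambda tag: _wrap_pem(("MIIC" + tag) * 20)   # stand-in for base64 DER
    (d / "cacert.pem").write_text(fake("AAAA") + fake("BBBB"))
    (d / "site").mkdir()
    (d / "site" / "corp-root.crt").write_text(fake("CCCC"))
    (d / "site" / "dup.pem").write_text(fake("AAAA").replace("\n", ""))
    dst = d / "bundle.crt"
    n = merge_ca_bundle(d / "cacert.pem", d / "site", dst)
    return {"certs_written": n, "bundle": str(dst),
            "used": requests_ca_bundle({"REQUESTS_CA_BUNDLE": str(dst)}, "certifi"),
            "default": requests_ca_bundle({}, "certifi")}
```

The duplicate site file is written on a single line to show that dedup works on the certificate body, not on the file's line wrapping.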

simonsigre commented 7 years ago

@jtschichold thank you this worked. Will all of the above be included as part of an upcoming release?

jtschichold commented 7 years ago

Hi @simonsigre, yes, we will fix this. If you already have PR for minemeld-ansible we will be happy to accept it.

Thanks for troubleshooting this!