Closed simonsigre closed 7 years ago
strace seems to reference this?
/opt/minemeld/engine/current/local/lib/python2.7/site-packages/certifi/cacert.pem
Hi @simonsigre, if you place your cert in /opt/minemeld/local/certs/site and then:
/opt/minemeld/engine/current/bin/mm-cacert-merge --config /opt/minemeld/local/certs/cacert-merge-config.yml --dst /opt/minemeld/local/certs/bundle.crt /opt/minemeld/local/certs/site/
It should create a new bundle merging your cert with certifi certs and use it.
@jtschichold should that be the /opt/minemeld/local/certs/ location? Both of our Debian servers were built from the Ansible script, however this folder does not exist.
Furthermore cacert-merge-config.yml does not exist (see below)
root@YYYYYYYY:~#
root@YYYYYYYY:~# cd /opt/minemeld/local/certs/site
bash: cd: /opt/minemeld/local/certs/site: No such file or directory
root@YYYYYYYY:~#
root@YYYYYYYY:~#
root@YYYYYYYY:~# updatedb
root@YYYYYYYY:~# locate cacert-merge-config.yml
root@YYYYYYYY:~#
root@YYYYYYYY:~#
root@YYYYYYYY:~#
@jtschichold is it possible this folder was not created as part of the Ansible deployment process? I don't seem to be able to find any cert bundles except for:
/opt/minemeld/www/webui/node_modules/gulp-sass/node_modules/node-sass/node_modules/node-gyp/test/fixtures/ca-bundle.crt
Could it be using this?
/opt/minemeld/engine/current/lib/python2.7/site-packages/requests/cacert.pem
@simonsigre yes, you are right. I have to update the Ansible playbook to create that directory. You can do it easily by:
sudo -u minemeld mkdir -p /opt/minemeld/local/certs/site/
sudo -u minemeld touch /opt/minemeld/local/certs/cacert-merge-config.yml
[copy your CA file in /opt/minemeld/local/certs/site]
sudo -u /opt/minemeld/engine/current/bin/mm-cacert-merge --config /opt/minemeld/local/certs/cacert-merge-config.yml --dst /opt/minemeld/local/certs/bundle.crt /opt/minemeld/local/certs/site/
I assume this line
sudo -u /opt/minemeld/engine/current/bin/mm-cacert-merge --config /opt/minemeld/local/certs/cacert-merge-config.yml --dst /opt/minemeld/local/certs/bundle.crt /opt/minemeld/local/certs/site/
Should start out
sudo -u minemeld
The following was observed
root@xxxxxxxxxx:~# sudo -u minemeld /opt/minemeld/engine/current/bin/mm-cacert-merge --config /opt/minemeld/local/certs/cacert-merge-config.yml --dst /opt/minemeld/local/certs/bundle.crt /opt/minemeld/local/certs/site/
2017-08-17T11:56:17 (31400)cacert_merge.main INFO: config: {'cafile': ['/opt/minemeld/local/certs/site/'], 'dst': '/opt/minemeld/local/certs/bundle.crt', 'config': '/opt/minemeld/local/certs/cacert-merge-config.yml', 'no_merge_certifi': False}
WARNING: old python version (< 2.7.9) - certificate verification not performed
WARNING: old python version (< 2.7.9) - certificate verification not performed
WARNING: old python version (< 2.7.9) - certificate verification not performed
And I can now see those certificates added into '/opt/minemeld/local/certs/bundle.crt'. However, I still receive the same error message.
Should '/opt/minemeld/local/certs/cacert-merge-config.yml' contain any configuration? How does MM know to check the newly created '/opt/minemeld/local/certs/bundle.crt' ?
Hi @simonsigre, right, you should add
MM_CA_BUNDLE="/opt/minemeld/local/certs/bundle.crt"
to the environment section of minemeld-engine in /opt/minemeld/supervisor/config/conf.d/minemeld-engine.conf, and then restart the minemeld service.
Or export:
REQUESTS_CA_BUNDLE="/opt/minemeld/local/certs/bundle.crt"
from /etc/default/minemeld
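The two points where this thread went wrong were a bundle that did not yet contain the site CA, and an engine environment that did not point at the new bundle. The following check covers both; it is an added example in Python 3, not MineMeld's own code, and the PEM bodies and environment lines used as sample input are constructed placeholders, not real certificates.

```python
"""Verify that a merged CA bundle contains every site CA and that the
MineMeld environment actually points at that bundle (added example)."""
import re
from pathlib import Path

BUNDLE_PATH = "/opt/minemeld/local/certs/bundle.crt"  # path from the thread
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
ENV_VAR = re.compile(r'(MM_CA_BUNDLE|REQUESTS_CA_BUNDLE)="?([^"\s,]+)"?')


def pem_bodies(text):
    """Set of base64 bodies of every CERTIFICATE block, whitespace removed,
    so the same cert compares equal regardless of wrapping or comments."""
    return {re.sub(r"\s+", "", body) for body in PEM_BLOCK.findall(text)}


def missing_from_bundle(bundle_text, site_texts):
    """Certs present in the site files but absent from the merged bundle."""
    bundle = pem_bodies(bundle_text)
    missing = set()
    for text in site_texts:
        missing |= pem_bodies(text) - bundle
    return missing


def bundle_env_setting(env_text, bundle_path=BUNDLE_PATH):
    """Which of MM_CA_BUNDLE / REQUESTS_CA_BUNDLE point at bundle_path.
    Accepts both KEY="v" lines (/etc/default/minemeld) and the comma-separated
    supervisor environment= form."""
    found = {k: v for k, v in ENV_VAR.findall(env_text)}
    return {k: v for k, v in found.items() if v == bundle_path}


def check_paths(bundle, site_dir, env_file, bundle_path=BUNDLE_PATH):
    """Run both checks against real files; returns (missing_certs, env_hits)."""
    site_texts = [p.read_text() for p in Path(site_dir).iterdir() if p.is_file()]
    missing = missing_from_bundle(Path(bundle).read_text(), site_texts)
    env_hits = bundle_env_setting(Path(env_file).read_text(), bundle_path)
    return missing, env_hits


# Constructed sample data: placeholder bodies, not real certificates.
SITE_CERT = ("-----BEGIN CERTIFICATE-----\nMIICconstructedSiteCA0001\n"
             "MIICconstructedSiteCA0002\n-----END CERTIFICATE-----\n")
ROOT_CERT = ("# constructed certifi-style root\n-----BEGIN CERTIFICATE-----\n"
             "MIIDconstructedRoot\n-----END CERTIFICATE-----\n")
MERGED_BUNDLE = ROOT_CERT + SITE_CERT
ENV_OK = 'REQUESTS_CA_BUNDLE="/opt/minemeld/local/certs/bundle.crt"\n'
```

An empty set from `missing_from_bundle` and a non-empty dict from `bundle_env_setting` means the merge and the environment change both took effect.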
@jtschichold thank you this worked. Will all of the above be included as part of an upcoming release?
Hi @simonsigre, yes, we will fix this. If you already have PR for minemeld-ansible we will be happy to accept it.
Thanks for troubleshooting this!
Upon trying to leverage an internal data-source in a prototype it continues to fail reporting:
The Root + CA certs are installed correctly and
'openssl s_client -showcerts -connect xxxxx.yyyy.local:443'
Reports fine, as does a 'curl -v'
Certificates are installed in '/usr/local/share/ca-certificates/' and update-ca-certificates was run.
Looking around online there is reference to Python using a separate location '/etc/ssl/certs/', however the update-ca-certificates process has correctly populated this with symlinks.
Does anyone have any idea as to how to get Python to trust a self-signed cert? (about to start checking strace!)