TACC-Cloud / tapis-cli

Next-generation Tapis CLI
BSD 3-Clause "New" or "Revised" License

Tapis CLI fails on self-signed certificates, even when TAPIS_CLI_SSL_VERIFY is set to False #334

Closed reagank closed 4 years ago

reagank commented 4 years ago

This is with our self-hosted tenant. I've used 'tapis config set TAPIS_CLI_SSL_VERIFY False', but when I run many commands they'll fail with an error about self-signed certificates.

To start, here's my tapis config values:

| Setting | Value |
| --- | --- |
| TAPIS_CLI_DATE_FORMAT | YYYYMMDDTHHmmssZZ |
| TAPIS_CLI_DEBUG_MODE | True |
| TAPIS_CLI_DISPLAY_AUP | True |
| TAPIS_CLI_DISPLAY_COC | True |
| TAPIS_CLI_FIT_WIDTH | True |
| TAPIS_CLI_GA_DISABLE | True |
| TAPIS_CLI_GA_VISITOR | 1280252808 |
| TAPIS_CLI_GIT_NAMESPACE | ylb9 |
| TAPIS_CLI_GIT_TOKEN | None |
| TAPIS_CLI_GIT_USERNAME | ylb9 |
| TAPIS_CLI_LOG_LEVEL | DEBUG |
| TAPIS_CLI_PAGE_SIZE | 100 |
| TAPIS_CLI_PREF_DEPLOYMENT_SYSTEM | None |
| TAPIS_CLI_PREF_EXECUTION_SYSTEM | None |
| TAPIS_CLI_PREF_STORAGE_SYSTEM | None |
| TAPIS_CLI_PROJECT_GIT_CREATE_REMOTE | False |
| TAPIS_CLI_PROJECT_GIT_FIRST_COMMIT | False |
| TAPIS_CLI_PROJECT_GIT_INIT | True |
| TAPIS_CLI_REGISTRY_NAMESPACE | None |
| TAPIS_CLI_REGISTRY_PASSWORD | None |
| TAPIS_CLI_REGISTRY_URL | https://index.docker.io |
| TAPIS_CLI_REGISTRY_USERNAME | None |
| TAPIS_CLI_RESPONSE_FORMAT | table |
| TAPIS_CLI_SHOW_CURL | True |
| TAPIS_CLI_SHOW_LEGACY_INTERACTIVE_HELP | False |
| TAPIS_CLI_VERBOSE_ERRORS | True |
| TAPIS_CLI_VERIFY_SSL | False |
| TAPIS_DEFAULT_TENANT_ID | cdctapis |
| TAPIS_PY_SHOW_CURL | True |
| TAPIS_TENANTS_URL | https://tapis-auth-prod.biotech.cdc.gov/tenants/ |
| _ENV_PATH | /scicomp/home/ylb9/.env |

When I run 'tapis auth init --interactive' and follow the prompts, the process ends by throwing an error (when making a call to profiles), but does successfully obtain a token. Here's the error it gives:

  (base) ylb9@scbs-dev-05:tapis-cli (main)> tapis auth init --interactive
Configure Tapis API access:
===========================
/scicomp/home/ylb9/miniconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis-auth-prod.biotech.cdc.gov'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
+--------------+-----------------+------------------------------------------+
|     Name     |   Description   |                   URL                    |
+--------------+-----------------+------------------------------------------+
| cdctapisprod | CDC Tapis [ENV] | https://tapis-auth-prod.biotech.cdc.gov/ |
+--------------+-----------------+------------------------------------------+
Enter a tenant name [cdctapisprod]: 
/scicomp/home/ylb9/miniconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis-auth-prod.biotech.cdc.gov'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
cdctapisprod username: admin
cdctapisprod password for admin: 
/scicomp/home/ylb9/miniconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis-auth-prod.biotech.cdc.gov'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
curl -X DELETE -H 'Accept: */*' -H 'Accept-Encoding: gzip, deflate' -H 'Authorization: Basic YWRtaW46YTJtMW5wQHNz' -H 'Connection: keep-alive' -H 'Content-Length: 0' -H 'User-Agent: python-requests/2.24.0' https://tapis-auth-prod.biotech.cdc.gov/clients/v2/_cli-cdctapisprod-admin-ncbs-dev-09.biotech.cdc.gov
/scicomp/home/ylb9/miniconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis-auth-prod.biotech.cdc.gov'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
curl -X POST -H 'Accept: */*' -H 'Accept-Encoding: gzip, deflate' -H 'Authorization: Basic YWRtaW46YTJtMW5wQHNz' -H 'Connection: keep-alive' -H 'Content-Length: 144' -H 'Content-type: application/json' -H 'User-Agent: python-requests/2.24.0' -d '{"clientName": "_cli-cdctapisprod-admin-ncbs-dev-09.biotech.cdc.gov", "description": "Generated by ylb9@158.111.44.177 at 2020-08-06T19:54:07Z"}' https://tapis-auth-prod.biotech.cdc.gov/clients/v2/
/scicomp/home/ylb9/miniconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis-auth-prod.biotech.cdc.gov'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
/scicomp/home/ylb9/miniconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis-auth-prod.biotech.cdc.gov'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
/scicomp/home/ylb9/miniconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis-auth-prod.biotech.cdc.gov'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
curl -X GET -H 'Accept: */*' -H 'Accept-Encoding: gzip, deflate' -H 'Authorization: Bearer ccfb0caa24ceb9e7adefb8d51805366' -H 'Connection: keep-alive' -H 'User-Agent: python-requests/2.24.0' https://tapis-auth-prod.biotech.cdc.gov/profiles/v2/me
Tapis client was unable to make an authenticated API call.
Failed to load Tapis API client. Run 'tapis auth init [--interactive]' to resolve this.

You can see that the actual auth part worked, because there's a token in the request. Running 'tapis auth show' gives me the token and the expiration date like I expect it to. It's the request to profiles that fails. If I run 'tapis profiles show ylb9' that works correctly. It also looks like all of the default systems are set correctly when I use 'tapis info vars list'.

When I try to run 'tapis systems list' and 'tapis apps list' it fails because of self-signed certificates. This is the error for systems:

/scicomp/home/ylb9/miniconda3/lib/python3.7/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis-auth-prod.biotech.cdc.gov'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
HTTPSConnectionPool(host='tapis-auth-prod.biotech.cdc.gov', port=443): Max retries exceeded with url: //systems/v2?limit=100&offset=0 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)')))

The error for apps is the same. What other information would help troubleshoot this issue?

Desktop (please complete the following information):
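
A triage helper for debug output like the above, added here as an example and not part of the original issue or the tapis-cli code base: it separates requests that skipped certificate verification (urllib3's `InsecureRequestWarning`) from requests that enforced it and were rejected (`CERTIFICATE_VERIFY_FAILED`), and flags hosts that show both. The function names and the host `tapis.example.org` are assumptions, and the sample lines are constructed in the shape of the output quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample (placeholder host), shaped like the output quoted in the report.
SAMPLE = """\
/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis.example.org'. Adding certificate verification is strongly advised.
  InsecureRequestWarning,
curl -X GET -H 'Accept: */*' https://tapis.example.org/profiles/v2/me
/site-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'tapis.example.org'. Adding certificate verification is strongly advised.
  InsecureRequestWarning,
HTTPSConnectionPool(host='tapis.example.org', port=443): Max retries exceeded with url: //systems/v2?limit=100&offset=0 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)')))
"""

# urllib3 emits this when a request is sent with verification turned off.
UNVERIFIED = re.compile(
    r"InsecureRequestWarning: Unverified HTTPS request is being made to host '([^']+)'"
)
# requests/urllib3 error text when verification was on and the chain was rejected.
REJECTED = re.compile(
    r"HTTPSConnectionPool\(host='([^']+)', port=(\d+)\): .*? with url: (\S+) "
    r".*CERTIFICATE_VERIFY_FAILED\] ([^(]+?) \("
)


def tls_verification_report(text):
    """Per host: number of unverified requests and (path, reason) for rejected ones."""
    report = defaultdict(lambda: {"unverified": 0, "rejected": []})
    for line in text.splitlines():
        m = UNVERIFIED.search(line)
        if m:
            report[m.group(1)]["unverified"] += 1
            continue
        m = REJECTED.search(line)
        if m:
            host, _port, path, reason = m.groups()
            # Drop the query string so paths group by API endpoint.
            report[host]["rejected"].append((path.split("?")[0], reason))
    return dict(report)


def mixed_hosts(report):
    """Hosts where some requests skipped verification and others enforced it."""
    return sorted(h for h, r in report.items() if r["unverified"] and r["rejected"])


if __name__ == "__main__":
    rep = tls_verification_report(SAMPLE)
    print(rep, mixed_hosts(rep))
```

A host listed by `mixed_hosts` means the verification setting reached only some of the client's request paths, which is the symptom described in this report.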