akarneliuk / pygnmi

The pure Python implementation of the gNMI client.
https://training.karneliuk.com
BSD 3-Clause "New" or "Revised" License
129 stars 44 forks source link

Proper certificate usage with pygnmi #141

Closed ianbarrere closed 11 months ago

ianbarrere commented 1 year ago

Is it possible to use anything other than a self signed certificate with gNMIclient? I have gotten it to work using a self signed certificate that I generated on my switch (Cisco Nexus 9k), but I cannot make it work with a "proper" certificate, either one signed by our local CA for the device itself or a wildcard.

The certificate seems to be in good order, I was able to import the pkcs12 on the device successfully and using openssl to verify the certificate locally and also via a channel to the device on port 50051 works. Additionally gnmic also works, but gNMIclient does not. I can, for example, use the following gnmic command:

gnmic -a switch.example.com:50051 -u admin -p admin --tls-ca root.ca get --path 'System/bgp-items'

But the following code results in a rather generic grpc.FutureTimeoutError error:

from pygnmi.client import gNMIclient

handle = gNMIclient(
    ("switch.example.com", 50051),
    username="admin",
    password="admin",
    path_root="./root.ca",
)
with handle as session:
    session.get(["System/bgp-items"])

I have tried using many different combinations of path_cert, path_root, and path_key pointing to the respective elements of the certificate and also the override option and I get basically the same error every time.

ianbarrere commented 12 months ago

The strange thing that I've discovered is that this works from my laptop, but not from a VM in our colo environment. I again have tried all different combinations of signatures for gNMIclient, and specifying the path to our wildcard PEM in path_cert works from my laptop without needing to specify path_root. I'm assuming this is because my laptop is part of the same domain as the CA, so the CA certificates are trusted already. From the VM it doesn't work, but it appears that the CA is trusted from there as well, and in any case providing the CA cert via path_root also doesn't work...

akarneliuk commented 11 months ago

Hey @ianbarrere , Unfortunately, it is a bit difficult to answer your question without any data. As you mentioned in the second post yourself, pygnmi works perfectly with any kind of certificates, either self-signed or not. As a recommendation, what I and many customers do in the prod environment, you would specify the root certificate in path_root and not to specify cert and path for a specific device to avoid changing your code for every device. One of the things to compare between your "proper" cert and self-signed is to check, which ciphers are supported in both. Do they overlap? Best, Anton

ianbarrere commented 11 months ago

Yeah, this is surely something wrong with my environment rather than a problem with gNMIclient as I originally thought, so we can close this issue. I'll try to fix on my environment if it comes up again.

Thank you for maintaining this project btw, it's been a great help for automation at my organization.