FutureTimeoutError connecting to SR-OS over TLS

[Daxx13]

Hi,

I just started working with gNMI and TLS using a SR-OS platform. The basic setup seems to be working, as gnmic returns the correct output when reaching the test device. This is also working without specifying the --tls-ca cert but with --skip-verify:

gnmic -a [hostname] -u [user] -p [passwd] get --path /state/system/platform --tls-ca certificate.ca-bundle
[
  {
    "source": "[source]",
    "timestamp": 1651586070618194298,
    "time": "2022-05-03T15:54:30.618194298+02:00",
    "updates": [
      {
        "Path": "state/system/platform",
        "values": {
          "state/system/platform": "7750 SR-7"
        }
      }
    ]
  }
]

But, using pyGNMI from the same machine, same connection data, is not working for me:

if __name__ == '__main__':
    with gNMIclient( target=host, username=username, password=password, 
        path_root=path_root_cert, 
        debug=True
        ) as gc:

Traceback (most recent call last):
  File "/gRPC_tests.py", line 37, in <module>
    with gNMIclient( target=host, username=username, password=password, 
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/pygnmi/client.py", line 94, in __enter__
    return self.connect()
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/pygnmi/client.py", line 146, in connect
    self.wait_for_connect(timeout)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/pygnmi/client.py", line 156, in wait_for_connect
    grpc.channel_ready_future(self.__channel).result(timeout=timeout)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/grpc/_utilities.py", line 139, in result
    self._block(timeout)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/grpc/_utilities.py", line 85, in _block
    raise grpc.FutureTimeoutError()

Tried in some other ways, without insecure parameter, etc. Debug flag does not give more info. I can see traffic exchange between my machine and the gNMI server.

FYI: Unencrypted connections (w/o using TLS) worked just fine.

Thanks!

[akarneliuk]

Hello @Daxx13 ,

thanks for raising an issue. Could you please advise a number of things?

• Are you using IP address or FQDN to connect to the server?
• How is your certificate created? Does it use hostname?
• Did you try to use override feature?

Best, Anton

[Daxx13]

Hi @akarneliuk,

• i'm using fqdn both in gnmic and in pygNMI.
• i'm using a valid CA wildcard certificate (covers: *.company.com, company.com), same as we use for web servers.
• Tried the ovverride option with some values (client address, server address, server hostname, hostname.company.com, company.com), but not sure if correctly used.

Thanks!

[Daxx13]

Hi,

Seems to be a ciphers thing with grpc, not directly related with this project, I made it work setting this environment variable:

os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH"

Thanks!