cisco-ie / cisco-gnmi-python

CLI and library wrapping gNMI functionality to ease usage with Cisco implementations in Python programs.
https://pypi.org/project/cisco-gnmi/
Apache License 2.0

IOS XE/gRPC Certificate Usage #18

Closed remingtonc closed 5 years ago

remingtonc commented 5 years ago

Trying to reconcile how to use certs with gRPC and IOS XE specifically. I believe the use case presented with IOS XE is more comprehensive than IOS XR and NX-OS, thus this is a good exercise, if not frustrating.

Following IOS XE 16.12.x gNMI documentation.

>>> client = ClientBuilder('x').set_secure_from_file('../scripts/certs/client.crt', '../scripts/certs/client.key', '../scripts/certs/rootCA.pem').set_ssl_target_override().set_call_authentication('x', 'x').construct()
WARNING:root:Overriding SSL option from certificate could increase MITM susceptibility!
>>> print(client.capabilities())
E1008 14:49:11.385280000 4671555008 ssl_transport_security.cc:690]     Invalid private key.
E1008 14:49:11.385306000 4671555008 ssl_security_connector.cc:112]     Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1008 14:49:11.385314000 4671555008 secure_channel_create.cc:132]      Failed to create secure subchannel for secure name 'x:9339'
E1008 14:49:11.385322000 4671555008 secure_channel_create.cc:50]       Failed to create channel args during subchannel creation.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/remcampb/Development/projects/cisco-gnmi-python/src/cisco_gnmi/client.py", line 112, in capabilities
    response = self.service.Capabilities(message)
  File "/Users/remcampb/.local/share/virtualenvs/cisco-gnmi-python-QTeA_bEB/lib/python3.7/site-packages/grpc/_channel.py", line 604, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/Users/remcampb/.local/share/virtualenvs/cisco-gnmi-python-QTeA_bEB/lib/python3.7/site-packages/grpc/_channel.py", line 506, in _end_unary_response_blocking
    raise _Rendezvous(state, None, None, deadline)
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
    status = StatusCode.UNAVAILABLE
    details = "Empty update"
    debug_error_string = "{"created":"@1570571351.385334000","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":3876,"referenced_errors":[{"created":"@1570571351.385331000","description":"Empty update","file":"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":200,"grpc_status":14}]}"
>

Potentially helpful: https://github.com/grpc/grpc/issues/9593

Blocks #9

remingtonc commented 5 years ago

Documentation is correct; ensure the FQDN/hostname in the device certificate is being used/resolves.
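Two things go wrong in the thread above: gRPC rejects the client key at channel creation ("Invalid private key" / TSI_INVALID_ARGUMENT), and the device is reached by a name its certificate was not issued for, which is what tempts people into `set_ssl_target_override()` despite the library's own MITM warning. The following is an added example, not code from cisco-gnmi-python or from the issue author, that checks both conditions on the PEM files before `set_secure_from_file()` is ever called. It assumes the third-party `cryptography` package (3.1 or newer) is installed; `preflight`, `make_test_material` and the names `gnmi-client` and `router1.example.test` are constructed for the example and are not library API or real devices. It goes slightly beyond the issue by handling a leftmost-label wildcard in the SAN, which the thread does not discuss.

```python
"""Added example, not part of cisco-gnmi-python or the issue above: pre-flight
checks on the PEM files that go into ClientBuilder.set_secure_from_file().
Assumes the third-party 'cryptography' package (>= 3.1) is installed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def key_matches_cert(cert_pem: bytes, key_pem: bytes) -> bool:
    """True when key_pem is the private key the certificate was issued for.
    A mismatch (or an unparseable/encrypted key file) is the class of failure
    gRPC reports as 'Invalid private key' while building the secure channel."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        key = serialization.load_pem_private_key(key_pem, password=None)
    except (ValueError, TypeError):
        return False
    spki = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return cert.public_key().public_bytes(*spki) == key.public_key().public_bytes(*spki)


def cert_dns_names(cert_pem: bytes) -> list:
    """DNS names the certificate is valid for: the subjectAltName DNS entries,
    falling back to the subject CN only when there is no SAN extension."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    return san.value.get_values_for_type(x509.DNSName)


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a single '*' is allowed only as the leftmost
    label and only when at least two labels follow it (no '*.com')."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers_target(cert_pem: bytes, target: str) -> bool:
    """True when the name you will pass as the gNMI target is one the device
    certificate was issued for, i.e. no SSL target override is required."""
    return any(_name_matches(n, target) for n in cert_dns_names(cert_pem))


def preflight(client_crt: bytes, client_key: bytes, device_crt: bytes, target: str) -> dict:
    """Both checks for one connection attempt (hypothetical helper). device_crt
    is the device's own server certificate, obtained out of band from the device."""
    return {
        "client_key_matches_cert": key_matches_cert(client_crt, client_key),
        "device_cert_covers_target": cert_covers_target(device_crt, target),
    }


def make_test_material(name: str):
    """Constructed sample material so this runs offline: a throwaway self-signed
    certificate whose SAN lists `name`, its key, and an unrelated key standing
    in for a wrong .key file. Not real device or client credentials."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    wrong_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(name)]), critical=False)
        .sign(key, hashes.SHA256())
    )

    def to_pem(k):
        return k.private_bytes(serialization.Encoding.PEM,
                               serialization.PrivateFormat.PKCS8,
                               serialization.NoEncryption())

    return cert.public_bytes(serialization.Encoding.PEM), to_pem(key), to_pem(wrong_key)


if __name__ == "__main__":
    client_crt, client_key, bad_key = make_test_material("gnmi-client")
    device_crt, _, _ = make_test_material("router1.example.test")
    # Both True: the files are consistent and the target name is covered, so
    # set_secure_from_file() can be used without set_ssl_target_override().
    print(preflight(client_crt, client_key, device_crt, "router1.example.test"))
    # Both False: the 'Invalid private key' path, plus a target (an IP here)
    # that the device certificate was never issued for.
    print(preflight(client_crt, bad_key, device_crt, "10.0.0.1"))
```

In practice, read `client.crt`, `client.key` and the device certificate with `open(path, "rb").read()` and pass the same hostname you intend to give `ClientBuilder`; a `False` in `device_cert_covers_target` means the fix is to connect by the name in the certificate (or reissue the device certificate), not to disable hostname checking on the client.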