Closed remingtonc closed 5 years ago
Trying to reconcile how to use certs with gRPC and IOS XE specifically. I believe the use case presented with IOS XE is more comprehensive than IOS XR and NX-OS, thus this is a good exercise, if not frustrating.
Following IOS XE 16.12.x gNMI documentation.
```
>>> client = ClientBuilder('x').set_secure_from_file('../scripts/certs/client.crt', '../scripts/certs/client.key', '../scripts/certs/rootCA.pem').set_ssl_target_override().set_call_authentication('x', 'x').construct()
WARNING:root:Overriding SSL option from certificate could increase MITM susceptibility!
>>> print(client.capabilities())
E1008 14:49:11.385280000 4671555008 ssl_transport_security.cc:690] Invalid private key.
E1008 14:49:11.385306000 4671555008 ssl_security_connector.cc:112] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1008 14:49:11.385314000 4671555008 secure_channel_create.cc:132] Failed to create secure subchannel for secure name 'x:9339'
E1008 14:49:11.385322000 4671555008 secure_channel_create.cc:50] Failed to create channel args during subchannel creation.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/remcampb/Development/projects/cisco-gnmi-python/src/cisco_gnmi/client.py", line 112, in capabilities
    response = self.service.Capabilities(message)
  File "/Users/remcampb/.local/share/virtualenvs/cisco-gnmi-python-QTeA_bEB/lib/python3.7/site-packages/grpc/_channel.py", line 604, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/Users/remcampb/.local/share/virtualenvs/cisco-gnmi-python-QTeA_bEB/lib/python3.7/site-packages/grpc/_channel.py", line 506, in _end_unary_response_blocking
    raise _Rendezvous(state, None, None, deadline)
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
    status = StatusCode.UNAVAILABLE
    details = "Empty update"
    debug_error_string = "{"created":"@1570571351.385334000","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":3876,"referenced_errors":[{"created":"@1570571351.385331000","description":"Empty update","file":"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":200,"grpc_status":14}]}"
>
```
Potentially helpful: https://github.com/grpc/grpc/issues/9593
Blocks #9
Documentation is correct; ensure the FQDN/hostname in the device certificate is being used/resolves.
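The check the closing comment points to, as an added example that is not part of the original issue or of cisco-gnmi-python: given the subjectAltName entries of the device certificate, decide whether the name used to dial the device would pass TLS name verification without `set_ssl_target_override()`. The function name, the SAN lists and the hostnames are constructed for illustration, and the matching is a simplified form of RFC 6125 rules, not gRPC's own implementation.

```python
import ipaddress


def _is_ip(value):
    """True when value parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(host, san_dns=(), san_ip=()):
    """Return (ok, reason) for dialing `host` against a certificate's SANs.

    host    -- the name or address passed to the client, without the port
    san_dns -- dNSName entries copied from the device certificate
    san_ip  -- iPAddress entries copied from the device certificate
    """
    host = host.rstrip(".").lower()
    if _is_ip(host):
        # An IP target is only valid against an iPAddress SAN, never a dNSName.
        ok = any(ipaddress.ip_address(host) == ipaddress.ip_address(i) for i in san_ip)
        return ok, "iPAddress SAN match" if ok else "IP target has no iPAddress SAN"
    labels = host.split(".")
    for pattern in san_dns:
        p = pattern.rstrip(".").lower().split(".")
        if len(p) != len(labels):
            continue  # a wildcard covers exactly one label, so lengths must agree
        if p == labels:
            return True, "exact match on " + pattern
        # Wildcard only as the whole left-most label, and not directly under a TLD.
        if p[0] == "*" and len(p) > 2 and p[1:] == labels[1:]:
            return True, "wildcard match on " + pattern
    return False, "no dNSName SAN matches"


if __name__ == "__main__":
    # Constructed SANs standing in for the device certificate's contents.
    device_san_dns = ["c9300.lab.example.com"]
    for target in ("c9300.lab.example.com", "x", "192.0.2.10"):
        ok, reason = name_matches(target, device_san_dns)
        print(f"{target:24} {'OK' if ok else 'FAIL'}  {reason}")
```

A target that fails here is one where the client would only connect with the override in place, which is the condition the warning in the session above is about.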