search

cloudfoundry-community / logsearch-for-cloudfoundry

A Logsearch addon that customises Logsearch to work with Cloud Foundry data
Apache License 2.0
49 stars 58 forks source link

Ensure that upload-kibana-objects trusts system CA certs #321

Closed peterellisjones closed 4 years ago

peterellisjones commented 5 years ago

Hi logsearch-for-cloudfoundry team,

By default the python3 requests library does not trust the system CA certs. It is quite common to have custom certificates on the Cloud Foundry routers which are signed by local CA certificates that are installed on each bosh-deployed VM (for example via ca_certs job or when configuring the director).

This fixes an issue where the upload-kibana-objects errand fails because the python3 requests library does not load custom CAs that have been installed as system root certificates, and therefore gets an [SSL: CERTIFICATE_VERIFY_FAILED] error when attempting to make requests to the CF API.

I have verified that this works by updating the script and running /var/vcap/jobs/upload-kibana-objects/bin/run successfully.

kind regards,

Pete

axelaris commented 4 years ago

Hi @peterellisjones, thank you for contribution. While deploying on PCF, I have a bunch of waring like that, even with your PR applied:

/var/vcap/packages/python3/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
INFO:root:Object /var/vcap/jobs/upload-kibana-objects/kibana-objects/search/platform-haproxy.json Uploaded Successfully
/var/vcap/packages/python3/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
/var/vcap/packages/python3/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
INFO:root:Object /var/vcap/jobs/upload-kibana-objects/kibana-objects/search/platform-all-overview.json Uploaded Successfully

Is it possible to do anything about that?

mymasse commented 4 years ago

Isn't the InsecureRequestWarning because you have skip_ssl_validation to true?

By the way applying this fix manually also solves this issue for us.

axelaris commented 4 years ago

Thank you @mymasse !

mymasse commented 4 years ago

Thanks @peterellisjones for the PR!