Closed Petorus closed 3 weeks ago
Thanks for your feedback. Makes sense. I will add it in a next release.
I have a valid certificate (with wildcards for e.g. "*.test.lab") and Grafana is running on e.g. "grafana.test.lab", which internally resolves to 172.16.0.102.
I don't know much about ruby.
It looks like the connection is using the IP address to validate the SSL certificate against.
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
The SSL cert is only valid for the DNS name (e.g. grafana.test.lab) and not 172.16.0.102.
Quick fix
replace:
@http.verify_mode = OpenSSL::SSL::VERIFY_PEER
with:
@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
in lib/grafana/webrequest.rb
I would like to second the request for a "-sslCheck=false" option.
Greetings, Bjoern
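OpenSSL's peer verification involves two separate checks: building a chain to a trusted issuer, which is where "unable to get local issuer certificate" is raised, and matching the requested host name against the certificate. This added example (not from the thread or from ruby-grafana-reporter's code) runs both against a constructed root CA and a constructed wildcard certificate for *.test.lab; `make_cert` and `diagnose` are illustrative helpers.

```ruby
require "openssl"

# Constructed test PKI: make_cert and diagnose are illustrative helpers.
def make_cert(subject, key, serial, issuer: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  # A certificate created without an issuer is our self-signed root CA.
  ca_flag = issuer ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", ca_flag, true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Runs the chain check and the name check and reports them separately.
def diagnose(leaf, host, trusted_cas)
  store = OpenSSL::X509::Store.new # empty: no system CA bundle loaded
  trusted_cas.each { |ca| store.add_cert(ca) }
  chain_ok = store.verify(leaf)
  { chain_ok: chain_ok, chain_code: store.error,
    chain_error: store.error_string,
    name_ok: OpenSSL::SSL.verify_certificate_identity(leaf, host) }
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA = make_cert("/CN=Lab Root CA", CA_KEY, 1)
LEAF = make_cert("/CN=lab wildcard", OpenSSL::PKey::RSA.new(2048), 2,
                 issuer: CA, issuer_key: CA_KEY, san: "DNS:*.test.lab")

# Issuing CA unknown to the client: the chain fails although the name matches.
UNTRUSTED = diagnose(LEAF, "grafana.test.lab", [])
# Issuing CA supplied (Net::HTTP: ca_file= or cert_store=): both checks pass.
TRUSTED = diagnose(LEAF, "grafana.test.lab", [CA])
# Trusted chain, but the client asked for the IP: only the name check fails.
BY_IP = diagnose(LEAF, "172.16.0.102", [CA])

puts UNTRUSTED, TRUSTED, BY_IP
```

With `VERIFY_PEER` kept and the issuing CA loaded into the client's trust store, the connection stays authenticated; `VERIFY_NONE` skips both checks.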
@bolausson did you configure the reporter to use the IP address or the DNS name? It should be working, if you use the DNS name there.
When I did run the wizard, I added the DNS name. I'll double check it.
Yes, it already starts throwing errors during the wizard phase (I replaced my original domain with "grafana.test.lab" in the below output):
/home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter -w
This wizard will guide you through an initial configuration for the ruby-grafana-reporter. The configuration file will be created in the current folder. Please make sure to specify necessary paths either with a relative or an absolute path properly.
Wizard is creating configuration file 'grafana_reporter.config'.
Specify port on which reporter shall run [8815]:
Specify grafana host [http://localhost:3000]: https://grafana.test.lab:3000
Testing connection to 'https://grafana.test.lab:3000' _without_ API key...
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]: a
Enter API key: glsa_XXXX
Testing connection to 'https://grafana.test.lab:3000' _with_ API key...
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]: i
Specify path where templates shall be stored [./templates]:
I see. Though I don't have a clue why it resolves to an IP address, the issue might be resolved by adding the --ssl-cert parameter with the path to the SSL certificate. This is meant to then also support self-signed certificates.
You may want to call ruby-grafana-reporter -w --ssl-cert <<your_cert>>, which should then work for you already (also without the manual fix of SSL_VERIFY_NONE). Please note that you will have to use this parameter from then on in any call of the reporter.
Anyway, I want to mention two things here:
1) In the current release, I recognized that setting a global ssl-cert does not make sense, as for multiple grafana instances in one configuration it can happen that multiple SSL certificates have to be configured. That is why I will remove this command line parameter in the next release and instead allow it to be configured in the wizard/configuration file.
2) I still stick to what I said: I will add an option in the wizard/configuration to allow disabling SSL verification. Stay tuned :-)
Doesn't seem to work for me. Since it is internal only, I am more than happy with an option to just ignore an SSL cert mismatch.
Trying with the pem file:
14:06:18 [~/github/ruby-grafana-reporter/ssl-cert]
bo@monitoring $ /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter -w --ssl-cert /home/bolausson/github/ruby-grafana-reporter/ssl-cert/lab.pem
This wizard will guide you through an initial configuration for the ruby-grafana-reporter. The configuration file will be created in the current folder. Please make sure to specify necessary paths either with a relative or an absolute path properly.
Wizard is creating configuration file 'grafana_reporter.config'.
Specify port on which reporter shall run [8815]: 8816
Specify grafana host [http://localhost:3000]: https://grafana.test.lab:3000
Testing connection to 'https://grafana.test.lab:3000' _without_ API key...
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]: a
Enter API key: glsa_Xj1psrRiKrc8Yy6oqnoeruoK8C8rGYGG_b1c3b3d3
Testing connection to 'https://grafana.test.lab:3000' _with_ API key...
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]:
Trying with the key file (for what it is worth and kind of expected to fail)
14:05:06 [~/github/ruby-grafana-reporter/ssl-cert]
bo@monitoring $ /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter -w --ssl-cert /home/bolausson/github/ruby-grafana-reporter/ssl-cert/lab.key
This wizard will guide you through an initial configuration for the ruby-grafana-reporter. The configuration file will be created in the current folder. Please make sure to specify necessary paths either with a relative or an absolute path properly.
Wizard is creating configuration file 'grafana_reporter.config'.
Specify port on which reporter shall run [8815]: 8816
Specify grafana host [http://localhost:3000]: https://grafana.test.lab:3000
Testing connection to 'https://grafana.test.lab:3000' _without_ API key...
X509_LOOKUP_load_file: no certificate or crl found
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]: a
Enter API key: glsa_Xj1psrRiKrc8Yy6oqnoeruoK8C8rGYGG_b1c3b3d3
Testing connection to 'https://grafana.test.lab:3000' _with_ API key...
X509_LOOKUP_load_file: no certificate or crl found
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]:
Version with new functionality is released. Please check it out and close the issue, if it fits your needs.
How do I disable the SSL check?
--help doesn't show an option:
$ /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter -v
0.8.0
$ /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter --help
Usage: /usr/bin/ruby3.0 /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter [options]
-c, --config CONFIG_FILE_NAME Specify custom configuration file, instead of grafana_reporter.config.
-r, --register FILE Register a custom plugin, e.g. your own Datasource implementation
-d, --debug LEVEL Specify detail level: FATAL, ERROR, WARN, INFO, DEBUG.
-o, --output FILE Output filename if only a single file is rendered
-s, --set VARIABLE,VALUE Set a variable value, which will be passed to the rendering
--test GRAFANA_INSTANCE test current configuration against given GRAFANA_INSTANCE
-t, --template TEMPLATE Render a single ASCIIDOC template to PDF and exit
-w, --wizard Configuration wizard to prepare environment for the reporter.
-v, --version Version information
-h, --help Show this message
I am asking, because SSL still doesn't work for me:
I, [2024-06-09T19:41:31.188981 #229634] INFO -- : Server listening on port 8815...
I, [2024-06-09T19:42:42.993927 #229634] INFO -- : 1 report(s) in progress: 0% (running 0 secs)
I, [2024-06-09T19:42:42.994018 #229634] INFO -- : Report started at 2024-06-09 19:42:42 +0000
I, [2024-06-09T19:42:42.994044 #229634] INFO -- : You are running ruby-grafana-reporter version 0.8.0.
E, [2024-06-09T19:42:44.691937 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.695600 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.695659 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
E, [2024-06-09T19:42:44.698963 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.698995 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
E, [2024-06-09T19:42:44.702443 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.702476 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
E, [2024-06-09T19:42:44.714779 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.714827 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
E, [2024-06-09T19:42:44.718025 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.718053 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
I, [2024-06-09T19:42:44.834953 #229634] INFO -- : Report creation ended after 2 seconds with status 'finished'
I see - you have to add "ssl-disable-verify: true" to the configuration file - there is no command line flag:
grafana:
  default:
    host: https://grafana.test.lab:3000
    api_key: XyZ
    ssl-disable-verify: true
Adding it works as expected 👍 Thanks a lot!
Perfect, thanks for your feedback. @Petorus, feel free to reopen the case, if you still experience problems.
Describe the issue
SSL verification error when Grafana instance is in https with a self-signed certificate. Is it possible to add a '-sslCheck=false' option, as in the 'IzakMarais' project? I tried with the option '--ssl-cert' but I have this error: 'C:/Users/xxxxxxxxxx/AppData/Local/Temp/ocrED8C.tmp/lib/ruby/2.7.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)'
Thanks for your help