divinity666 / ruby-grafana-reporter

Reporting Service for Grafana
MIT License
Add SSL disable check #48

Closed Petorus closed 3 weeks ago

Petorus commented 1 month ago

Describe the issue

SSL verification error when Grafana instance is in https with a self-signed certificate. Is it possible to add a '-sslCheck=false' option, as in the 'IzakMarais' project?

I try with the option '--ssl-cert' but I have this error:

'C:/Users/xxxxxxxxxx/AppData/Local/Temp/ocrED8C.tmp/lib/ruby/2.7.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)'

Application call

Configuration file

Environment (please complete the following information):

Thanks for your help

divinity666 commented 1 month ago

Thanks for your feedback. Makes sense. I will add it in a next release.

bolausson commented 1 month ago

I have a valid certificate (with wildcards for e.g. "*.test.lab") and Grafana is running on e.g. "grafana.test.lab" which internally resolves to 172.16.0.102.

I don't know much about ruby. It looks like the connection is using the IP address to validate the SSL certificate against. SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)

The SSL cert is only valid for the DNS name (e.g. grafana.test.lab) and not 172.16.0.102.

Quick fix replace:
@http.verify_mode = OpenSSL::SSL::VERIFY_PEER
with:
@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
in lib/grafana/webrequest.rb

https://github.com/divinity666/ruby-grafana-reporter/blob/9a4c385906c83aaadef4b9834ca2abab00262d68/lib/grafana/webrequest.rb#L62C7-L62C52

I would like to second the request for a "-sslCheck=false" option.

Greetings, Bjoern
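
Added example, not code from this thread or from ruby-grafana-reporter: OpenSSL reports the chain-building failure quoted in the logs ("unable to get local issuer certificate") separately from the hostname check, and the Ruby below runs both checks on their own so the two can be told apart. The lab CA, the wildcard leaf and the helper names (`make_cert`, `chain_check`, `name_check`, `http_trusting`) are constructed for illustration.

```ruby
require "openssl"
require "net/http"

# Constructed test PKI (not from the thread): build a certificate in memory.
def make_cert(subject, serial, key, issuer: nil, issuer_key: key, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Chain building only: is the leaf's issuer present in the trust store?
def chain_check(leaf, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error_string]
end

# Identity check only: does the certificate cover the name the client dialled?
def name_check(leaf, host)
  OpenSSL::SSL.verify_certificate_identity(leaf, host)
end

# Client that keeps VERIFY_PEER and trusts the private CA explicitly.
def http_trusting(host, port, ca_certs)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = OpenSSL::X509::Store.new.tap { |s| ca_certs.each { |c| s.add_cert(c) } }
  http # no connection is opened until a request is made
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
LAB_CA = make_cert("/CN=Constructed Lab CA", 1, CA_KEY, ca: true)
LEAF = make_cert("/CN=grafana.test.lab", 2, OpenSSL::PKey::RSA.new(2048),
                 issuer: LAB_CA, issuer_key: CA_KEY, san: "DNS:*.test.lab")

p chain_check(LEAF, [])       # issuer not in the store: the error text from the logs
p chain_check(LEAF, [LAB_CA]) # issuer trusted: chain verifies
p name_check(LEAF, "grafana.test.lab"), name_check(LEAF, "172.16.0.102")
```

The `peeraddr=` field in the error message is the socket address the client connected to; the name compared against the certificate is the host given to the client.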

divinity666 commented 1 month ago

@bolausson did you configure the reporter to use the IP address or the DNS name? It should be working, if you use the DNS name there.

bolausson commented 1 month ago

When I did run the wizard, I added the DNS name. I'll double check it.

bolausson commented 1 month ago

Yes, it already starts throwing errors during the wizard phase (I replaced my original domain with "grafana.test.lab" in the below output):

/home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter -w
This wizard will guide you through an initial configuration for the ruby-grafana-reporter. The configuration file will be created in the current folder. Please make sure to specify necessary paths either with a relative or an absolute path properly.

Wizard is creating configuration file 'grafana_reporter.config'.

Specify port on which reporter shall run [8815]: 
Specify grafana host [http://localhost:3000]: https://grafana.test.lab:3000
Testing connection to 'https://grafana.test.lab:3000' _without_ API key...
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]: a
Enter API key: glsa_XXXX
Testing connection to 'https://grafana.test.lab:3000' _with_ API key...
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]: i
Specify path where templates shall be stored [./templates]:

divinity666 commented 1 month ago

I see. Though I don't have a clue why it resolves to an IP address, the issue might be resolved by adding the --ssl-cert parameter with the path to the SSL certificate. This is meant to then also support self-signed certificates.

You may want to call ruby-grafana-reporter -w --ssl-cert <<your_cert>>, which should then work for you already (also without the manual fix of SSL_VERIFY_NONE). Please note that you will have to use this parameter from then on in any call of the reporter.

Anyway, I want to mention two things here:

1) In the current release, I recognized that setting a global ssl-cert does not make sense, as for multiple grafana instances in one configuration, it can happen that multiple SSL certificates have to be configured. That is why I will remove this command line parameter in the next release and instead allow it to be configured in the wizard/configuration file.

2) I still stick to what I said: I will add an option in the wizard/configuration to allow disabling SSL verification. Stay tuned :-)

bolausson commented 1 month ago

Doesn't seem to work for me. Since it is internal only, I am more than happy with an option to just ignore an SSL cert mismatch.

Trying with the pem file:

14:06:18 [~/github/ruby-grafana-reporter/ssl-cert]
bo@monitoring $ /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter -w --ssl-cert /home/bolausson/github/ruby-grafana-reporter/ssl-cert/lab.pem 
This wizard will guide you through an initial configuration for the ruby-grafana-reporter. The configuration file will be created in the current folder. Please make sure to specify necessary paths either with a relative or an absolute path properly.

Wizard is creating configuration file 'grafana_reporter.config'.

Specify port on which reporter shall run [8815]: 8816
Specify grafana host [http://localhost:3000]: https://grafana.test.lab:3000
Testing connection to 'https://grafana.test.lab:3000' _without_ API key...
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]: a
Enter API key: glsa_Xj1psrRiKrc8Yy6oqnoeruoK8C8rGYGG_b1c3b3d3
Testing connection to 'https://grafana.test.lab:3000' _with_ API key...
SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]:

Trying with the key file (for what it is worth and kind of expected to fail)

14:05:06 [~/github/ruby-grafana-reporter/ssl-cert]
bo@monitoring $ /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter -w --ssl-cert /home/bolausson/github/ruby-grafana-reporter/ssl-cert/lab.key 
This wizard will guide you through an initial configuration for the ruby-grafana-reporter. The configuration file will be created in the current folder. Please make sure to specify necessary paths either with a relative or an absolute path properly.

Wizard is creating configuration file 'grafana_reporter.config'.

Specify port on which reporter shall run [8815]: 8816
Specify grafana host [http://localhost:3000]: https://grafana.test.lab:3000
Testing connection to 'https://grafana.test.lab:3000' _without_ API key...
X509_LOOKUP_load_file: no certificate or crl found
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]: a
Enter API key: glsa_Xj1psrRiKrc8Yy6oqnoeruoK8C8rGYGG_b1c3b3d3
Testing connection to 'https://grafana.test.lab:3000' _with_ API key...
X509_LOOKUP_load_file: no certificate or crl found
done.
Grafana could not be accessed at 'https://grafana.test.lab:3000'. Do you want to use an [a]pi key, [r]e-enter url, or [i]gnore and proceed? [aRi]:

divinity666 commented 4 weeks ago

Version with new functionality is released. Please check it out and close the issue, if it fits your needs.

bolausson commented 4 weeks ago

How do I disable the SSL check?

--help doesn't show an option:

$ /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter -v
0.8.0
$ /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter --help
Usage: /usr/bin/ruby3.0 /home/bolausson/.local/share/gem/ruby/3.0.0/bin/ruby-grafana-reporter [options]
    -c, --config CONFIG_FILE_NAME    Specify custom configuration file, instead of grafana_reporter.config.
    -r, --register FILE              Register a custom plugin, e.g. your own Datasource implementation
    -d, --debug LEVEL                Specify detail level: FATAL, ERROR, WARN, INFO, DEBUG.
    -o, --output FILE                Output filename if only a single file is rendered
    -s, --set VARIABLE,VALUE         Set a variable value, which will be passed to the rendering
        --test GRAFANA_INSTANCE      test current configuration against given GRAFANA_INSTANCE
    -t, --template TEMPLATE          Render a single ASCIIDOC template to PDF and exit
    -w, --wizard                     Configuration wizard to prepare environment for the reporter.
    -v, --version                    Version information
    -h, --help                       Show this message

I am asking, because SSL still doesn't work for me:

I, [2024-06-09T19:41:31.188981 #229634]  INFO -- : Server listening on port 8815...
I, [2024-06-09T19:42:42.993927 #229634]  INFO -- : 1 report(s) in progress: 0% (running 0 secs)
I, [2024-06-09T19:42:42.994018 #229634]  INFO -- : Report started at 2024-06-09 19:42:42 +0000
I, [2024-06-09T19:42:42.994044 #229634]  INFO -- : You are running ruby-grafana-reporter version 0.8.0.
E, [2024-06-09T19:42:44.691937 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.695600 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.695659 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
E, [2024-06-09T19:42:44.698963 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.698995 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
E, [2024-06-09T19:42:44.702443 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.702476 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
E, [2024-06-09T19:42:44.714779 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.714827 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
E, [2024-06-09T19:42:44.718025 #229634] ERROR -- : SSL_connect returned=1 errno=0 peeraddr=172.16.0.102:3000 state=error: certificate verify failed (unable to get local issuer certificate)
E, [2024-06-09T19:42:44.718053 #229634] ERROR -- : GrafanaError: The specified dashboard 'fdn1njnosc83ke' does not exist. (Grafana::DashboardDoesNotExistError)
I, [2024-06-09T19:42:44.834953 #229634]  INFO -- : Report creation ended after 2 seconds with status 'finished'

bolausson commented 4 weeks ago

I see - you have to add "ssl-disable-verify: true" to the configuration file - there is no command line flag:

grafana:
  default:
    host: https://grafana.test.lab:3000
    api_key: XyZ
    ssl-disable-verify: true

Adding it works as expected 👍 Thanks a lot!

divinity666 commented 3 weeks ago

Perfect, thanks for your feedback. @Petorus, feel free to reopen the case, if you still experience problems.