napalm-automation-community / napalm-srlinux

NAPALM driver for Nokia SR Linux
Apache License 2.0

skip_verify variable has no use. #12

Closed pyvkd closed 2 years ago

pyvkd commented 2 years ago

So it seems the skip_verify variable is redundant since the insecure connection part of the code is commented out. https://github.com/napalm-automation-community/napalm-srlinux/blob/main/napalm_srl/srl.py#L2502

Any specific reason for that?

jbemmel commented 2 years ago

Hello, and thank you for your comment.

By design, the SR Linux gNMI server does not allow insecure connections, except locally via a Unix socket. That is why the 'insecure' connection code is commented out.

skip_verify works for Go gRPC clients like gnmic, but for Python gRPC the option is not yet implemented.

Therefore, to get a working secure connection each client must specify as a minimum:

Note that the client certificate/key are optional

optional_args = {
    "gnmi_port": 57400,
    "jsonrpc_port": 80,
    "target_name": "leaf1.spine-leaf-evpn.io",
    #"target_name": "172.20.20.9",

    "tls_ca": "/home/jeroen/srlinux/srl-self-organizing/labs/spine-leaf-evpn/clab-spine-leaf-evpn/ca/root/root-ca.pem",

    #"tls_cert":"/root/gnmic_certs/srl_certs/clientCert.crt",
    #"tls_key": "/root/gnmic_certs/srl_certs/clientKey.pem",
    #"skip_verify": True,
    #"insecure": False
    "encoding": "JSON_IETF"
}

Hope this clarifies
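
As an added example (not code from napalm-srlinux or from this thread), one way to turn the settings above into a server-verified Python gRPC channel: it rejects `insecure` and `skip_verify`, requires `tls_ca`, and treats the client certificate/key as an optional pair. It assumes `target_name` is the name checked against the server certificate, passed as gRPC's `grpc.ssl_target_name_override`; `tls_plan`, `open_channel`, the sample host and the CA path are hypothetical.

```python
from pathlib import Path


def tls_plan(hostname, optional_args):
    """Validate the TLS settings; return (target, pem_paths, channel_options)."""
    if optional_args.get("insecure"):
        raise ValueError("insecure gNMI is only available locally via a Unix socket")
    if optional_args.get("skip_verify"):
        raise ValueError("skip_verify is not implemented for Python gRPC; set tls_ca")
    ca = optional_args.get("tls_ca")
    if not ca:
        raise ValueError("tls_ca is required to verify the server certificate")
    cert, key = optional_args.get("tls_cert"), optional_args.get("tls_key")
    if bool(cert) != bool(key):
        raise ValueError("tls_cert and tls_key must be given together")
    pem_paths = {"root_certificates": ca}
    if cert:  # optional client certificate for mutual TLS
        pem_paths.update(private_key=key, certificate_chain=cert)
    options = []
    name = optional_args.get("target_name")
    if name:
        # Assumption: target_name is the name the server certificate must match,
        # which lets the client dial an IP address while verifying a hostname.
        options.append(("grpc.ssl_target_name_override", name))
    # 57400 is the gnmi_port used in the post; taken as the default here.
    target = f"{hostname}:{optional_args.get('gnmi_port', 57400)}"
    return target, pem_paths, options


def open_channel(hostname, optional_args):
    """Open the verified channel described by tls_plan(). Requires grpcio."""
    import grpc  # imported here so tls_plan() works without grpcio installed

    target, pem_paths, options = tls_plan(hostname, optional_args)
    pems = {kind: Path(path).read_bytes() for kind, path in pem_paths.items()}
    creds = grpc.ssl_channel_credentials(**pems)
    return grpc.secure_channel(target, creds, options=options)


# Constructed sample values (hypothetical host name and CA path)
SAMPLE = {
    "gnmi_port": 57400,
    "target_name": "leaf1.example.net",
    "tls_ca": "/path/to/root-ca.pem",
}
```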