search

nautobot / nautobot-app-device-onboarding

Device Onboarding Plugin for Nautobot
https://docs.nautobot.com/projects/device-onboarding/en/latest/
Other
37 stars 25 forks source link

Onboarding EOS device with Python 3.10 fails #55

Open aj-cruz opened 1 year ago

aj-cruz commented 1 year ago

Environment

Steps to Reproduce

  1. In Nautobot create arista_eos platform with napalm driver eos
  2. Configure an EOS device with a management IP and enable eAPI using default https port: 
    
interface Management1
ip address 192.168.254.10/24

management api http-commands no shutdown

3. Create and run a Device Onboarding job:
Site: mysite
IP Address: 192.168.254.10
Port: 443
Platform: arista_eos

### Expected Behavior
Device added to Nautobot

### Observed Behavior
Job fails with error: 
```Socket error during eAPI connection: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)```

### Additional details
This appears to be related to [https://github.com/arista-eosplus/pyeapi/issues/211](https://github.com/arista-eosplus/pyeapi/issues/211)
Which is fixed in: [https://github.com/arista-eosplus/pyeapi/issues/222](https://github.com/arista-eosplus/pyeapi/issues/222)

I confirmed the workaround in the first link resolves the issue. Specifically , I did this on my Arista switch:

management security ssl profile SSL_PROFILE tls versions 1.2 cipher-list ECDHE-RSA-AES256-GCM-SHA384 certificate capi.pem key capikey.pem trust certificate ARISTA_SIGNING_CA.crt trust certificate ARISTA_ROOT_CA.crt

management api http-commands protocol https ssl profile SSL_PROFILE no shutdown

jvanderaa commented 1 year ago

Also related to https://github.com/arista-eosplus/pyeapi/issues/246

scetron commented 1 year ago

Thanks for the report, @aj-cruz.

jlixfeld commented 1 year ago 
management security
   ssl profile SSL_PROFILE
      tls versions 1.2
      cipher-list ECDHE-RSA-AES256-GCM-SHA384
      certificate capi.pem key capikey.pem
      trust certificate ARISTA_SIGNING_CA.crt
      trust certificate ARISTA_ROOT_CA.crt

management api http-commands
   protocol https ssl profile SSL_PROFILE
   no shutdown

For anyone who gets this far in trying to implement this workaround, in case it's not obvious, you need to also create the certs:

security pki key generate rsa 4096 capikey.pem
security pki certificate generate self-signed capi.pem key capikey.pem validity 3650 parameters common-name YOUR_SWITCH_HOSTNAME

credit: https://github.com/arista-eosplus/pyeapi/issues/211#issuecomment-1141443390