nuagenetworks / vspk-java

A Java library for managing Nuage through its API
http://www.nuagenetworks.net
BSD 3-Clause "New" or "Revised" License

Getting authentication error while establishing VSD session through vspk rel 20.10.7 or .8 #48

Closed SarodwatShome closed 2 years ago

SarodwatShome commented 2 years ago

### Please note this error is thrown while using the updated vspk-java & bambou-java jars on a legacy code base where vspk 5, 4 or earlier releases were used, but we never faced such an error or exception.

Using vspk rel 20.10.7 or .8 & bambou 2.0.31 jars in the library, I am getting this authentication error while establishing VSDSession through constructor mentioned below.

Code snippet to start VSD session:

VSDSession session = new VSDSession(sessionUser,sessionPassword,sessionOrg,sessionURL); session.start();

We have already used a keystore with the certificate mentioned below loaded into it & mentioned the same within JAVA command line arguments, for example, -Djavax.net.ssl.keyStore=/wlsdomains/btwnpmt01/jksKeystore/keystore.jks

Certificate loaded into the keystore:


Exception stack trace:

```
2022-04-21 12:05:02,985 ERROR [pool-4-thread-1] [] - AGILECONNECT_DAY0WEEKLY_V6::Exception is: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://10.213.92.5:8443/nuage/api/v6/me": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:607)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:475)
    at net.nuagenetworks.bambou.service.RestClientService.sendRequest(RestClientService.java:155)
    at net.nuagenetworks.bambou.service.RestClientService.sendRequest(RestClientService.java:111)
    at net.nuagenetworks.bambou.RestSession.sendRequestWithRetry(RestSession.java:423)
    at net.nuagenetworks.bambou.RestObject.fetch(RestObject.java:313)
    at net.nuagenetworks.bambou.RestSession.fetch(RestSession.java:286)
    at net.nuagenetworks.bambou.RestSession.authenticate(RestSession.java:467)
    at net.nuagenetworks.bambou.RestSession.start(RestSession.java:181)
    at com.bt.npm.agileconnect.inventory.dayzero.version6.InventoryBuildVersion6.processInventory(InventoryBuildVersion6.java:189)
    at com.bt.npm.agileconnect.inventory.dayzero.version6.InventoryBuildVersion6.run(InventoryBuildVersion6.java:98)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:596)
    ... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 37 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 43 more
```

pdumais commented 2 years ago

Can you list the output of a verbose curl command towards the vsd? Then, can you try the same curl command and provide the trusted cert to curl?

SarodwatShome commented 2 years ago

OK Patrick. Will try & let you know.

Cheers,


SarodwatShome commented 2 years ago

++ Anjan, Moinak from the team.

Thanks for checking the reported bug at the portal.

Hi Patrick,

  1. Created the attached curl_verbose.log using this native Me curl query to the VSD cluster.

curl -v --request GET --url https://10.213.92.5:8443/nuage/api/v5_0/me --header 'authorization: Basic YXBwMDc0MDlyb2JvdGljOmJ0bXBsczEyMw==' --header 'x-nuage-organization: csp' -insecure

  2. Created the keystore.jks & loaded the attached ca_cer.pem into the keystore.

keytool -importcert -alias vsd_public_cert -file ./ca_cer.pem -keystore keystore.jks

  3. The output of the above command is recorded inside the attached file certificate_load.log.

  4. Applied the Me query again with the created keystore.

curl -v --request GET --url https://10.213.92.5:8443/nuage/api/v5_0/me --header 'authorization: Basic YXBwMDc0MDlyb2JvdGljOmJ0bXBsczEyMw==' --header 'x-nuage-organization: csp' --insecure -Djavax.net.ssl.keyStore=./keystore.jks

  5. The output of the above curl command is recorded inside file curl_verbose_with_jks.log.

Cheers,


pdumais commented 2 years ago

We can't see attached files if you reply by email. Please use the GitHub issue tracker to respond.

SarodwatShome commented 2 years ago

Apologies Patrick, Please find attached the zipped archive containing all the mentioned files. attachments_archived.zip

pdumais commented 2 years ago

There are a few things I don't quite understand.

SarodwatShome commented 2 years ago

Apologies for the issues you faced, Patrick. This time I have used the v6 API, not passed any JAVA option into curl & have used curl without the option --insecure. Please find below the response of the query. We don't have access to the server where VSD is installed & have to query the VSD from remote servers through a proxy that connects to the VSD cluster. The error below completely tells us about the issue now. Please let us know how to generate a compatible SSL certificate so that we can connect from remote clients, as the whole setup demands us to do that. There are multiple applications accessing the VSD cluster, so all of us have to use this proxy to connect to the cluster. There's no way we can directly land on it.

Regarding the certificate, we generally open the lab using a browser from a remote VM & the certificate was downloaded from the browser window after the lab's login page appeared but it seems we went the wrong way to extract this certificate.

[nrpnpm04@blt07409019 ~]$ curl -v --request GET --url https://10.213.92.5:8443/nuage/api/v6/me --header 'authorization: Basic YXBwMDc0MDlyb2JvdGljOmJ0bXBsczEyMw==' --header 'x-nuage-organization: csp'

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. [nrpnpm04@blt07409019 ~]$

SarodwatShome commented 2 years ago

This is the result we got after associating the downloaded certificate with the curl command using the option --cacert:

[nrpnpm04@blt07409019 ~]$ curl -v --request GET --url https://10.213.92.5:8443/nuage/api/v6/me --header 'authorization: Basic YXBwMDc0MDlyb2JvdGljOmJ0bXBsczEyMw==' --header 'x-nuage-organization: csp' --cacert ca_cer.pem

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

pdumais commented 2 years ago

So if it doesn't work with curl, it is a good indicator that the issue is not related to VSPK. Please make sure the hostname you use matches the CN or is part of the SANs.

Will close this ticket since it does not point to any issues in VSPK.
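
The two checks behind the closing advice above (does the server certificate chain to a CA in the bundle given to the client, and is the name in the URL covered by the certificate), as an added example that is not part of the original thread or of VSPK. It builds a constructed throwaway PKI with `openssl`; `vsd.example.test`, the file names and the function names are assumptions, and `10.213.92.5` is the address used in the thread's curl URL.

```shell
#!/bin/sh
# Added example (not from the thread): constructed lab PKI, hypothetical names.

# Build an issuing CA, an unrelated CA, and a server certificate whose only
# SAN is a DNS name (no iPAddress entry).
make_lab_pki() {  # make_lab_pki <empty-directory>
    d=$1
    cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
subjectAltName = DNS:vsd.example.test
EOF
    for ca in issuing unrelated; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/lab.cnf" \
            -extensions ca -subj "/CN=$ca lab CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
        -subj "/CN=vsd.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 2 -CA "$d/issuing.pem" \
        -CAkey "$d/issuing.key" -CAcreateserial -extfile "$d/lab.cnf" \
        -extensions leaf -out "$d/server.pem" 2>/dev/null
}

# Check 1: does the server certificate chain to a CA in this bundle?
# This is the decision curl makes with --cacert.
chain_ok() {  # chain_ok <ca-bundle.pem> <server.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: is the name used in the URL covered by the certificate?
# An IPv4 literal only matches an iPAddress SAN, never a DNS SAN or the CN.
name_ok() {  # name_ok <server.pem> <hostname-or-IPv4>
    case $2 in
        *[!0-9.]*) flag=-checkhost ;;
        *)         flag=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match certificate'
}

# Usage against real files, e.g. the bundle named in the thread:
#   chain_ok ca_cer.pem server.pem && name_ok server.pem 10.213.92.5
```

For a Java client the counterpart of the CA bundle in check 1 is the truststore (`javax.net.ssl.trustStore`); `javax.net.ssl.keyStore` supplies the client's own key material and is not consulted when validating the server's certificate.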