Closed ThomasFreedman closed 6 years ago
I bypassed nginx and the proxy and just used a local non-ssl ws address (ws://127.0.0.1:8090/) and it also fails, but with "[Errno 104] Connection reset by peer". In this case I'm running on the host of a docker container which proxies the witness_node running in the container (which is successfully synced to ppy chain).
The whole point of using python-peerplays was to validate correct port access on the docker host to the node running in the container. Although netstat on the host reports the correct ports are being proxied by docker, there may still be an issue I have yet to discover within the container.
I was using a different API node URL which doesn't involve docker when I got the ssl errors above, so these issues have different contexts, tho the same python-peerplays program. Also, it's possible there are differences between bitshares and peerplays python libs I am not aware of related to this problem, as I mentioned in my first report above.
Here is an excerpt from the results of "docker inspect
    "PortBindings": {
        "7887/tcp": [
            {
                "HostIp": "0.0.0.0",
                "HostPort": "7887"
            }
        ],
        "8090/tcp": [
            {
                "HostIp": "127.0.0.1",
                "HostPort": "8090"
            }
        ],
        "8092/tcp": [
            {
                "HostIp": "127.0.0.1",
                "HostPort": "8092"
            }
        ]
I should be able to connect using python-bitshares running on the host. I have a cli_wallet in the container which I can access from the host with:
sudo docker exec -it ppy cli_wallet -H 127.0.0.1:8092 -s ws://127.0.0.1:8090
Here are the import lines from my python script, which I believe are correct:
from peerplays import PeerPlays
from peerplays.account import Account
from peerplays.witness import Witness
and the failure is occurring at:
API = PeerPlays("ws://127.0.0.1:8090/")
From inside the container here is what netstat -tulpn reports:
tcp 0 0 127.0.0.1:8090 0.0.0.0:* LISTEN 7/witness_node
tcp 0 0 127.0.0.1:8092 0.0.0.0:* LISTEN 56/cli_wallet
tcp 0 0 0.0.0.0:7887 0.0.0.0:* LISTEN 7/witness_node
udp 0 0 0.0.0.0:54368 0.0.0.0:* 7/witness_node
https://www.ssllabs.com/ssltest/analyze.html?d=ppy001.bts-nodes.net
gives: Grade B.
This server's certificate chain is incomplete. Grade capped to B.
and about the other issue: shouldn't it be
cli_wallet -H127.0.0.1:8092 -sws://127.0.0.1:8090
where you remove the [space] between -s and ws ? can you try?
"This server's certificate chain is incomplete. Grade capped to B."
Frankly I don't know what that means but it seems unlikely to me it's the reason for this failure. I use LetsEncrypt certs, which have always worked fine for me on BitShares with python-bitshares. Thanks for checking into it tho Roeland, I'll take a look at my letsencrypt logs and certs. I don't use the .pem format so maybe I can improve my config.
I know when my letsencrypt renewals fail by the missing padlock in the browser. Maybe it failed on 1 server but unlikely it failed on 4. Nevertheless, I will look into using the pem format which is just a rollup of other things my letsencrypt update script provides. IIRC the pem is easy to make by a simple concat. I would have assumed however that if it works on bitshares it should work the same way on peerplays, as far as ssl qualifications are concerned. Maybe not tho.
I use the syntax for cli_wallet as I described above without issue, space after -H & -s so that doesn't matter, works both ways.
cool. i am not sure this is the reason but I was stumbling upon SSL errors in the same library (used by another project) today, and it appeared to be caused by that... You could try to fetch from another websocket and see if it works so you can eliminate that suggestion?
e.g: wss://node.peerplaysdb.com
OK, will do. Trying that now...
this is a random one i stumbled upon, might have to do with it:
https://community.letsencrypt.org/t/this-servers-certificate-chain-is-incomplete-grade-capped-to-b-openshift/3665
Thx for your help, that indeed resolved the issue. Will look into your random item a bit later.
This was a good find. I have some work to do. I did see an issue from 2015 on letsencrypt forum about this as well.
When you use letsencrypt, make sure to use the fullchain.crt certificate file. Else, the cert chain will be incomplete and cannot be verified.
This broke connection after the update to latest graphenelib which re-enabled cert-checking for security reasons.
Sorry for the inconvenience.
Works here now:
➜ python-peerplays git:(develop) ✗ peerplays set node wss://ppy001.bts-nodes.net/wss
➜ python-peerplays git:(develop) ✗ peerplays -v15 info
2018-04-05 08:41:30,266 - grapheneapi.graphenewsrpc - DEBUG - Trying to connect to node wss://ppy001.bts-nodes.net/wss
2018-04-05 08:41:31,513 - grapheneapi.graphenewsrpc - DEBUG - {"method": "call", "params": [0, "get_chain_properties", []], "jsonrpc": "2.0", "id": 1}
2018-04-05 08:41:31,816 - grapheneapi.graphenewsrpc - DEBUG - "{\"id\":1,\"result\":{\"id\":\"2.11.0\",\"chain_id\":\"6b6b5f0ce7a36d323768e534f3edb41c6d6332a541a95725b98e28d140850134\",\"immutable_parameters\":{\"min_committee_member_count\":9,\"min_witness_count\":11,\"num_special_accounts\":0,\"num_special_assets\":0}}}"
2018-04-05 08:41:31,816 - grapheneapi.graphenewsrpc - DEBUG - {"method": "call", "params": [0, "get_dynamic_global_properties", []], "jsonrpc": "2.0", "id": 2}
2018-04-05 08:41:32,119 - grapheneapi.graphenewsrpc - DEBUG - "{\"id\":2,\"result\":{\"id\":\"2.1.0\",\"random\":\"eef2ecc69b158adc723d2643511b9a9afe757b85\",\"head_block_number\":8644607,\"head_block_id\":\"0083e7ff001de34ab56af35fe84daa0759b446fc\",\"time\":\"2018-04-05T06:41:30\",\"current_witness\":\"1.6.36\",\"next_maintenance_time\":\"2018-04-05T07:00:00\",\"last_budget_time\":\"2018-04-05T06:00:00\",\"witness_budget\":270425,\"accounts_registered_this_interval\":0,\"recently_missed_count\":0,\"current_aslot\":8693441,\"recent_slots_filled\":\"340282366920938463463374607431768211455\",\"dynamic_flags\":0,\"last_irreversible_block_num\":8644595}}"
+-----------------------------------+------------------------------------------+
| Key | Value |
+-----------------------------------+------------------------------------------+
| accounts_registered_this_interval | 0 |
| current_aslot | 8693441 |
| current_witness | 1.6.36 |
| dynamic_flags | 0 |
| head_block_id | 0083e7ff001de34ab56af35fe84daa0759b446fc |
| head_block_number | 8644607 |
| id | 2.1.0 |
| last_budget_time | 2018-04-05T06:00:00 |
| last_irreversible_block_num | 8644595 |
| next_maintenance_time | 2018-04-05T07:00:00 |
| random | eef2ecc69b158adc723d2643511b9a9afe757b85 |
| recent_slots_filled | 340282366920938463463374607431768211455 |
| recently_missed_count | 0 |
| time | 2018-04-05T06:41:30 |
| witness_budget | 270425 |
+-----------------------------------+------------------------------------------+
closing
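The difference between serving the leaf certificate alone and serving the full chain, reproduced offline for a client that verifies certificates and trusts only the root. This is an added example, not part of the thread or of python-peerplays; the host name, CA names and file names are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: throwaway PKI with constructed names; nothing here is from the thread.
# A client that trusts only the root can verify the leaf only if the server
# also sends the intermediate (the "full chain").

new_csr() {  # $1 = path prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() {  # $1 = directory: root CA -> intermediate CA -> leaf
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:node.example.test\n' > "$1/leaf.ext"
  new_csr "$1/root"  "Constructed Root CA"
  new_csr "$1/inter" "Constructed Intermediate CA"
  new_csr "$1/leaf"  "node.example.test"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -set_serial 3 -days 2 -extfile "$1/leaf.ext" -out "$1/leaf-only.pem" 2>/dev/null
  # What a correctly configured server sends: leaf first, then the intermediate.
  cat "$1/leaf-only.pem" "$1/inter.pem" > "$1/fullchain.pem"
}

certs_sent() {  # number of certificates in the PEM file the server is configured with
  grep -c 'BEGIN CERTIFICATE' "$1"
}

client_verifies() {  # $1 = client's trusted root, $2 = PEM file the server sends
  # The first cert in $2 is verified; every cert in $2 is offered as an untrusted helper.
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

d=$(mktemp -d)
build_pki "$d"
for f in leaf-only.pem fullchain.pem; do
  if client_verifies "$d/root.pem" "$d/$f"; then r="verifies"; else r="FAILS (incomplete chain)"; fi
  echo "$f: $(certs_sent "$d/$f") certificate(s) sent, $r"
done
```

A browser can hide this misconfiguration because it may already hold or fetch the missing intermediate, while a library client that checks certificates has only what the server sends. `openssl s_client -connect HOST:PORT -showcerts` lists the certificates a live server actually presents.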
This may be a known issue, but I just tried to use a python-bitshares program as a starting point (template) for peerplays and it cannot connect to an API node, at least not in the same way.
I did install and use python-peerplays earlier to sign the email for PBSA confluence, but that installation is now gone. The docs for python-peerplays look further out of date than for bitshares, again this may be a known issue.
Here is the call that fails and the error:
Note that the SSL certificates are indeed valid. The websocket URL is an nginx proxy. That nginx server also serves a web page using the same cert and according to firefox the cert is valid, plus the cli_wallet has no problem with that websocket address.
I suspect when fabian updates python-peerplays with the changes he's made to python-bitshares this issue may well go away.