peerplays-network / python-peerplays

This is a communications library which allows interface with the Peerplays blockchain directly and without the need for a cli_wallet. It provides a wallet interface and can construct any kind of transactions and properly sign them for broadcast.
MIT License

Why doesn't python-peerplays connect like python-bitshares? #10

Closed ThomasFreedman closed 6 years ago

ThomasFreedman commented 6 years ago

This may be a known issue, but I just tried to use a python-bitshares program as a starting point (template) for peerplays and it cannot connect to an API node, at least not in the same way.

I did install and use python-peerplays earlier to sign the email for PBSA confluence, but that installation is now gone. The docs for python-peerplays look further out of date than for bitshares, again this may be a known issue.

Here is the call that fails and the error:

Lost connection to node during rpcexec(): wss://ppy001.bts-nodes.net/wss (2/-1) Retrying in 2 seconds
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)
Lost connection to node during rpcexec(): wss://ppy001.bts-nodes.net/wss (3/-1) Retrying in 4 seconds

Note that the SSL certificates are indeed valid. The websocket URL is an nginx proxy. That nginx server also serves a web page using the same cert and according to firefox the cert is valid, plus the cli_wallet has no problem with that websocket address.

I suspect when fabian updates python-peerplays with the changes he's made to python-bitshares this issue may well go away.

ThomasFreedman commented 6 years ago

I bypassed nginx and the proxy and just used a local non-ssl ws address (ws://127.0.0.1:8090/) and it also fails, but with "[Errno 104] Connection reset by peer". In this case I'm running on the host of a docker container which proxies the witness_node running in the container (which is successfully synced to ppy chain).

The whole point of using python-peerplays was to validate correct port access on the docker host to the node running in the container. Although netstat on the host reports the correct ports are being proxied by docker, there may still be an issue I have yet to discover within the container.

I was using a different API node URL which doesn't involve docker when I got the ssl errors above, so these issues have different contexts, tho the same python-peerplays program. Also, it's possible there are differences between bitshares and peerplays python libs I am not aware of related to this problem, as I mentioned in my first report above.

Here is an excerpt from the results of "docker inspect ":

        "PortBindings": {
            "7887/tcp": [
                {
                    "HostIp": "0.0.0.0",
                    "HostPort": "7887"
                }
            ],
            "8090/tcp": [
                {
                    "HostIp": "127.0.0.1",
                    "HostPort": "8090"
                }
            ],
            "8092/tcp": [
                {
                    "HostIp": "127.0.0.1",
                    "HostPort": "8092"
                }
            ]

I should be able to connect using python-bitshares running on the host. I have a cli_wallet in the container which I can access from the host with:

sudo docker exec -it ppy cli_wallet -H 127.0.0.1:8092 -s ws://127.0.0.1:8090

Here are the import lines from my python script, which I believe are correct:

from peerplays import PeerPlays
from peerplays.account import Account
from peerplays.witness import Witness

and the failure is occurring at:

API = PeerPlays("ws://127.0.0.1:8090/")

From inside the container here is what netstat -tulpn reports:

tcp        0      0 127.0.0.1:8090          0.0.0.0:*               LISTEN      7/witness_node  
tcp        0      0 127.0.0.1:8092          0.0.0.0:*               LISTEN      56/cli_wallet   
tcp        0      0 0.0.0.0:7887            0.0.0.0:*               LISTEN      7/witness_node  
udp        0      0 0.0.0.0:54368           0.0.0.0:*                           7/witness_node

roelandp commented 6 years ago

https://www.ssllabs.com/ssltest/analyze.html?d=ppy001.bts-nodes.net

gives: Grade B. This server's certificate chain is incomplete. Grade capped to B.

roelandp commented 6 years ago

and about the other issue: shouldn't it be cli_wallet -H127.0.0.1:8092 -sws://127.0.0.1:8090

where you remove the [space] between -s and ws ? can you try?

ThomasFreedman commented 6 years ago

"This server's certificate chain is incomplete. Grade capped to B."

Frankly I don't know what that means but it seems unlikely to me it's the reason for this failure. I use LetsEncrypt certs, which have always worked fine for me on BitShares with python-bitshares. Thanks for checking into it tho Roeland, I'll take a look at my letsencrypt logs and certs. I don't use the .pem format so maybe I can improve my config.

I know when my letsencrypt renewals fail by the missing padlock in the browser. Maybe it failed on 1 server but unlikely it failed on 4. Nevertheless, I will look into using the pem format which is just a rollup of other things my letsencrypt update script provides. IIRC the pem is easy to make by a simple concat. I would have assumed however that if it works on bitshares it should work the same way on peerplays, as far as ssl qualifications are concerned. Maybe not tho.

I use the syntax for cli_wallet as I described above without issue, space after -H & -s so that doesn't matter, works both ways.

roelandp commented 6 years ago

cool. i am not sure this is the reason but I was stumbling upon SSL errors in the same library (used by another project) today, and it appeared to be caused by that... You could try to fetch from another websocket and see if it works so you can eliminate that suggestion?

e.g: wss://node.peerplaysdb.com

ThomasFreedman commented 6 years ago

OK, will do. Trying that now...

roelandp commented 6 years ago

this is a random one i stumbled upon, might have to do with it:

https://community.letsencrypt.org/t/this-servers-certificate-chain-is-incomplete-grade-capped-to-b-openshift/3665

ThomasFreedman commented 6 years ago

Thx for your help, that indeed resolved the issue. Will look into your random item a bit later.

This was a good find. I have some work to do. I did see an issue from 2015 on letsencrypt forum about this as well.

xeroc commented 6 years ago

When you use letsencrypt, make sure to use the fullchain.crt certificate file. Else, the cert chain will be incomplete and cannot be verified.

This broke connection after the update to latest graphenelib which re-enabled cert-checking for security reasons ..

Sorry for the inconvenience.
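
The incomplete-chain failure discussed in this thread can be reproduced offline. This is an added example, not code from the thread or from python-peerplays: it builds a constructed throwaway chain (root, intermediate, leaf) with openssl and shows that a client trusting only the root rejects a served file holding the leaf alone, but accepts the leaf concatenated with its intermediate. The file names and the `issue` and `served_chain_ok` helpers are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> leaf); no real certificates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME ISSUER EXTFILE: make a key and CSR for NAME, then sign the CSR.
# ISSUER is another NAME created earlier, or "self" for the self-signed root.
issue() {
    name=$1; issuer=$2; ext=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ "$issuer" = self ]; then
        set -- -signkey "$WORK/$name.key"
    else
        set -- -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial
    fi
    openssl x509 -req -in "$WORK/$name.csr" -days 2 -extfile "$ext" "$@" \
        -out "$WORK/$name.pem" 2>/dev/null
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
issue root self "$WORK/ca.ext"
issue intermediate root "$WORK/ca.ext"
issue leaf intermediate "$WORK/leaf.ext"

# The two files a server could be configured to send:
cp "$WORK/leaf.pem" "$WORK/cert-only.pem"                              # leaf alone
cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"  # leaf + intermediate

# Act like a strict client: trust only the root and build the path from
# nothing but the certificates in the served file (first one is the leaf).
served_chain_ok() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

for f in cert-only.pem fullchain.pem; do
    if served_chain_ok "$WORK/$f"; then
        echo "$f: chain verifies"
    else
        echo "$f: verify failed, issuer certificate was not supplied"
    fi
done
```

Against a live endpoint, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) prints the certificates the server actually sends, so a missing intermediate is visible directly.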

xeroc commented 6 years ago

Works here now:

➜  python-peerplays git:(develop) ✗ peerplays set node wss://ppy001.bts-nodes.net/wss 
➜  python-peerplays git:(develop) ✗ peerplays -v15 info
2018-04-05 08:41:30,266 - grapheneapi.graphenewsrpc - DEBUG - Trying to connect to node wss://ppy001.bts-nodes.net/wss
2018-04-05 08:41:31,513 - grapheneapi.graphenewsrpc - DEBUG - {"method": "call", "params": [0, "get_chain_properties", []], "jsonrpc": "2.0", "id": 1}
2018-04-05 08:41:31,816 - grapheneapi.graphenewsrpc - DEBUG - "{\"id\":1,\"result\":{\"id\":\"2.11.0\",\"chain_id\":\"6b6b5f0ce7a36d323768e534f3edb41c6d6332a541a95725b98e28d140850134\",\"immutable_parameters\":{\"min_committee_member_count\":9,\"min_witness_count\":11,\"num_special_accounts\":0,\"num_special_assets\":0}}}"
2018-04-05 08:41:31,816 - grapheneapi.graphenewsrpc - DEBUG - {"method": "call", "params": [0, "get_dynamic_global_properties", []], "jsonrpc": "2.0", "id": 2}
2018-04-05 08:41:32,119 - grapheneapi.graphenewsrpc - DEBUG - "{\"id\":2,\"result\":{\"id\":\"2.1.0\",\"random\":\"eef2ecc69b158adc723d2643511b9a9afe757b85\",\"head_block_number\":8644607,\"head_block_id\":\"0083e7ff001de34ab56af35fe84daa0759b446fc\",\"time\":\"2018-04-05T06:41:30\",\"current_witness\":\"1.6.36\",\"next_maintenance_time\":\"2018-04-05T07:00:00\",\"last_budget_time\":\"2018-04-05T06:00:00\",\"witness_budget\":270425,\"accounts_registered_this_interval\":0,\"recently_missed_count\":0,\"current_aslot\":8693441,\"recent_slots_filled\":\"340282366920938463463374607431768211455\",\"dynamic_flags\":0,\"last_irreversible_block_num\":8644595}}"
+-----------------------------------+------------------------------------------+
| Key                               | Value                                    |
+-----------------------------------+------------------------------------------+
| accounts_registered_this_interval | 0                                        |
| current_aslot                     | 8693441                                  |
| current_witness                   | 1.6.36                                   |
| dynamic_flags                     | 0                                        |
| head_block_id                     | 0083e7ff001de34ab56af35fe84daa0759b446fc |
| head_block_number                 | 8644607                                  |
| id                                | 2.1.0                                    |
| last_budget_time                  | 2018-04-05T06:00:00                      |
| last_irreversible_block_num       | 8644595                                  |
| next_maintenance_time             | 2018-04-05T07:00:00                      |
| random                            | eef2ecc69b158adc723d2643511b9a9afe757b85 |
| recent_slots_filled               | 340282366920938463463374607431768211455  |
| recently_missed_count             | 0                                        |
| time                              | 2018-04-05T06:41:30                      |
| witness_budget                    | 270425                                   |
+-----------------------------------+------------------------------------------+

closing