shinken-solutions / shinken

Flexible and scalable monitoring framework
http://www.shinken-monitoring.org
GNU Affero General Public License v3.0

SSL with cherrypy backend #1318

Open gracinet opened 10 years ago

gracinet commented 10 years ago

Hi, I'm giving the cherrypy backend a try for a poller daemon but could not get it to work over SSL. Actually, it just looks as if it ignored the use_ssl flag.

As a side note, my primary motivation for this backend here is not performance, but IPv6 support. Nevertheless, the problem is identical on IPv4.

$ curl -4 https://poller.shinken.example:7771/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
$ curl -4 http://poller.shinken.example:7771/ 
OK

If I switch back the http_backend setting to wsgiref, I get the expected behaviour:

$ curl -4 https://poller.shinken.example:7771/
OK                                                                             
$ curl -4 http://poller.shinken.example:7771/ 
curl: (56) Recv failure: Connection reset by peer

So in particular, it's not a side effect of wrong certificates paths and the like.

I peered a bit in the code, at first sight the use_ssl flag seems to be passed to that backend, but didn't dig that much.

Versions

Shinken: 2.0.3, through system-wide pip installation
cherrypy: 3.6.0, also with sudo pip
bottle: I believe it to be bundled with Shinken (tried also with system-wide install of 0.12.7 by pip, behaviour is identical)

Here's the complete daemon INI file (pretty standard, I believe)

[daemon]

#-- Global Configuration
#user=shinken         ; if not set then by default it's the current user.
#group=shinken        ; if not set then by default it's the current group.
# Set to 0 if you want to make this daemon NOT run
daemon_enabled=1

#-- Path Configuration
# The daemon will chdir into the directory workdir when launched
# paths variables values, if not absolute paths, are relative to workdir.
# using default values for following config variables value:
workdir = /var/run/shinken
logdir  = /var/log/shinken
pidfile=%(workdir)s/pollerd.pid

#-- Network configuration
host=0.0.0.0
port=7771
http_backend=cherrypy
# idontcareaboutsecurity=0

#-- SSL configuration --
use_ssl=1
# WARNING : Put full paths for certs
ca_cert=/a/correct/path
server_cert=/a/correct/path
server_key=/a/correct/path
hard_ssl_name_check=1

#-- Local log management --
# Enabled by default to ease troubleshooting
use_local_log=1
local_log=%(logdir)s/pollerd.log
# accepted log level values= DEBUG,INFO,WARNING,ERROR,CRITICAL
log_level=WARNING

modules_dir=/var/lib/shinken/modules
user=shinken
group=shinken

Thanks !

naparuba commented 10 years ago

Can you give a try with the openssl -client call? (so we will only try the ssl layer)

On Sun, Sep 14, 2014 at 2:15 PM, Georges Racinet notifications@github.com wrote:


ornoone commented 6 years ago

I just got the same error, and it seems that the version I used (3.5) was broken with ssl.

I followed the warning telling me that cherrypy was a good option and did the apt-get install python-cherrypy3, but this version is the broken 3.5.

For me, the fix was to uninstall the 3.5 and install a newer one with pip:

sudo apt-get remove python-cherrypy3
sudo pip install cherrypy # CherryPy==11.0.0
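
The check done by hand with the two curl calls in the report, as an added example (not code from this issue or from Shinken): it reads use_ssl and port from a daemon INI and tests whether the listener really completes a TLS handshake, which is worth re-running after switching http_backend or upgrading CherryPy. The function names and the trimmed sample INI are assumptions made for this example.

```python
import configparser
import socket
import ssl

# Constructed sample: the network/SSL keys from the [daemon] section in the report.
SAMPLE_INI = """\
[daemon]
host=0.0.0.0
port=7771
http_backend=cherrypy
use_ssl=1
"""


def probe_listener(host, port, timeout=3.0):
    """Classify what answers on host:port: 'tls', 'plaintext', 'unknown' or 'closed'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    # Certificate checks are off on purpose: the question here is only whether
    # the listener speaks TLS at all, not whether its certificate is valid.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError, reset or timeout: handshake did not complete
        raw.close()
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"GET / HTTP/1.0\r\n\r\n")
            return "plaintext" if plain.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"


def check_daemon(ini_text, host, probe=probe_listener):
    """Return (expected, observed, ok) for the daemon described by ini_text."""
    cfg = configparser.ConfigParser(interpolation=None)  # leave %(workdir)s alone
    cfg.read_string(ini_text)
    daemon = cfg["daemon"]
    expected = "tls" if daemon.getboolean("use_ssl", fallback=False) else "plaintext"
    observed = probe(host, daemon.getint("port"))
    return expected, observed, expected == observed


if __name__ == "__main__":
    # Hostname taken from the curl commands in the report.
    print(check_daemon(SAMPLE_INI, "poller.shinken.example"))
```

A result of ('tls', 'plaintext', False) is the situation described in the report: use_ssl=1 in the file, cleartext HTTP on the wire.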