Chef Client Upgrade 16 => 17 Kitchen Converge Failure SSL Verification - ssl

Business is working on upgrading chef client throughout the orgs from 16 to 17 (17.9.26 specifically). Within our cookbooks we perform a chef http_request to test the availability of the resource within Test Kitchen/elsewhere and validate the ssl certificate. With the client upgrade we started to see a SSL verification failure indicating the CA-bundle that we're dropping out there cannot be validated. Pretty weird since nothing changed in the source for this except that we're now on client version 17 instead of 16. If I go out to the node that is built via test kitchen (we deploy test instances to AWS ec2 instances) and attempt to curl localhost (should be about the same thing as the chef http_request I guess) it will fail, but then if I specify the ca-bundle that Chef should be using by default the curl returns correct response.
```text
[root#ip-REDACTED ~]# curl https://localhost:9200
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[root#ip-REDACTED ~]# curl https://localhost:9200 --cacert /opt/chef/embedded/ssl/certs/cacert.pem
{
  "name" : "ip-REDACTED",
  "cluster_name" : "REDACTED-unit-green",
  "cluster_uuid" : "REDACTED",
  "version" : {
    "number" : "6.4.3",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "fe40335",
    "build_date" : "2018-10-30T23:17:19.084789Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
[root#ip-REDACTED ~]#
```
I can't really provide all of my cookbooks/recipes, but according to: https://docs.chef.io/chef_client_security/ the location of that ca-bundle file is correct and as mentioned and shown in the above snip it validates fine when specified. It also ran through kitchen correctly before switching client versions. Really just out here hoping that someone might have experienced similar and knows what they did to fix it.
Thanks in advance, and if I've been unclear about anything just let me know in the comments, I will try to clarify.
EDIT: Forgot to include the actual exception that comes from Chef test kitchen run:
```text
================================================================================
Error executing action `put` on resource 'http_request[elasticsearch_license]'
================================================================================
OpenSSL::SSL::SSLError
----------------------
SSL Error connecting to https://localhost:9200/_xpack/license - SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/csg_stathub_linux_643/recipes/register_license.rb
31: http_request 'elasticsearch_license' do
32:   url "#{node['REDACTED']['es']['endpoint']['local_api']}/_xpack/license"
33:   action :nothing
34:   message lazy { ::File.read("/etc/elasticsearch/#{license_file}") }
35:   provider Chef::Provider::HttpRequest
36:   retries 10
37:   retry_delay 5
38:   headers({ 'Authorization' => "Basic #{elastic_userpass64}", 'Content-Type' => 'application/json' })
39:   subscribes :put, 'http_request[elasticsearch_cluster_health]', :immediately
40:   only_if { ::File.exist?("/etc/elasticsearch/#{license_file}") }
41:   only_if { elasticsearch_service_running? }
42: end
43:
```
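An added diagnostic, not part of the question or of Chef itself, that reproduces the failure in the same Ruby OpenSSL stack http_request uses: it builds a constructed private CA and a localhost leaf certificate, serves the leaf from an ephemeral local TLS listener, then verifies it once with a store that lacks the CA (the "unable to get local issuer certificate" case) and once with the CA written to a PEM file that stands in for cacert.pem. The CA, certificates, port and file names are all constructed here.

```ruby
require 'openssl'
require 'socket'
require 'tempfile'
# Issue an X.509 v3 cert with a fresh RSA key; with no issuer it is self-signed (our throwaway CA).
def make_cert(subject, ca:, issuer: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  issuer_cert, issuer_key = issuer
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost')) unless ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end
# Constructed chain: private CA -> leaf for localhost (stands in for the Elasticsearch node's cert).
CA_CERT, CA_KEY = make_cert('/CN=Example Private CA', ca: true)
LEAF_CERT, LEAF_KEY = make_cert('/CN=localhost', ca: false, issuer: [CA_CERT, CA_KEY])
# The CA in a PEM file plays the role of /opt/chef/embedded/ssl/certs/cacert.pem.
CA_FILE = Tempfile.new(['cacert', '.pem']).tap { |f| f.write(CA_CERT.to_pem); f.flush }
# Minimal TLS listener presenting only the leaf certificate; returns its ephemeral port.
def start_tls_server
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = LEAF_CERT, LEAF_KEY
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new { loop { (ssl.accept.close rescue nil) } } # rejected handshakes are expected here
  tcp.addr[1]
end
# VERIFY_PEER against a store holding only the given CA file (none => empty store), as
# Chef's http_request does via Net::HTTP/OpenSSL. Returns [:verified, nil] or [:failed, message].
def verify_against(port, cacert_file: nil)
  store = OpenSSL::X509::Store.new
  store.add_file(cacert_file) if cacert_file
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode, ctx.cert_store = OpenSSL::SSL::VERIFY_PEER, store
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  sock.hostname = 'localhost'
  sock.connect.close
  [:verified, nil]
rescue OpenSSL::SSL::SSLError => e
  [:failed, e.message] # "... certificate verify failed (unable to get local issuer certificate)"
end
PORT = start_tls_server
[nil, CA_FILE.path].each { |f| puts "cacert_file=#{f.inspect}: #{verify_against(PORT, cacert_file: f).inspect}" }
```

The same check, pointed at port 9200 with the bundle Chef should be using, separates "the CA is missing from the store the client actually loads" from "the bundle itself is bad", which is the distinction the curl comparison above hinges on.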

Related

CAP_NET_ADMIN causes SSL to break in rust binary

I am working on a rust networking application. And I download a package from gcloud storage (using an https://... URL). I will eventually need the capabilities CAP_NET_ADMIN and CAP_NET_RAW.
This is my rust program:
```rust
use std::fs::File;
use std::io::{self, Cursor};
use std::path::PathBuf;

use anyhow::Result; // assumed: the `Result<()>` alias used in the post is anyhow's
use tar::Archive;   // assumed: the `tar` crate provides `Archive`

pub fn download_runner_binary(bin_dir: PathBuf) -> Result<()> {
    let uri = "https://example.com/foo.tar";
    // blocking reqwest request; this is the call that fails once file capabilities are set
    let response = reqwest::blocking::get(uri)?;
    let tar_path = bin_dir.join("foo.tar");
    let tar_path2 = tar_path.clone();
    let mut dest = File::create(tar_path)?;
    io::copy(&mut Cursor::new(&mut response.bytes()?), &mut dest)?;
    // now seek the beginning
    let dest_f = File::open(tar_path2)?;
    // now extract the files here
    let mut archive = Archive::new(dest_f);
    archive.unpack(bin_dir)?;
    Ok(())
}
```
It compiles fine, and I can run it just fine. Subsequently I do:
```shell
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' ./target/debug/foo
```
and when I getcap:
```text
getcap ./target/debug/foo
./target/debug/foo = cap_net_admin,cap_net_raw+eip
```
At this stage, when I run my program:
```text
(base) ➜ wallet git:(s/permissions) ✗ ./target/debug/foo init
Initializing job runner
Error: NetworkError: `error sending request for url (https://example.com/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)`
Caused by:
0: error sending request for url (https://example.com/foo.tar): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
1: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
2: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
3: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
```
And I can't pull things down from any SSL url. Once I remove these capabilities with setcap -r ./target/debug/foo, it is all good.
I then wrote a small python script:
```python
#!/usr/bin/env python
import sys
import requests

resp = requests.get('https://example.com/foo.tar')
print(resp.text)
```
Setting the same capabilities on this script and running ./test.py completes with no issues.
Is reqwest doing something weird? Is there some issue with certificates? Is it some issue with my local SSL setup?
Any help would be appreciated.

tls unsigned certificate when using terraform

The microstack.openstack project recently enabled/required tls authentication as outlined here. I am working on deploying an openstack cluster to microstack using a terraform example here. As a result of the change, I receive an unknown signed cert error when trying to create an openstack network client data source.
```hcl
data "openstack_networking_network_v2" "terraform" {
  name = "${var.pool}"
}
```
The error I get when calling terraform plan:
```text
Error: Error creating OpenStack networking client: Post "https://XXX.XXX.XXX.132:5000/v3/auth/tokens": OpenStack connection error, retries exhausted. Aborting. Last error was: x509: certificate signed by unknown authority
with data.openstack_networking_network_v2.terraform,
on datasources.tf line 1, in data "openstack_networking_network_v2" "terraform":
1: data "openstack_networking_network_v2" "terraform" {
```
Is there a way to ignore the certificate error, so that I can successfully use terraform to create the openstack cluster? I have tried updating the generate-self-signed parameter, but I haven't seen any change in behavior:
```shell
sudo snap set microstack config.tls.generate-self-signed=false
```
I think the insecure provider parameter is what you are looking for:
(Optional) Trust self-signed SSL certificates. If omitted, the OS_INSECURE environment variable is used.
Try:
```hcl
provider "openstack" {
  insecure = true
}
```
Disclaimer: I haven't tried that.
The problem was that I did not source the admin-openrc.sh file that I had downloaded from the horizon web page:
```shell
$ source admin-openrc.sh
```
I faced the same problem; if it could help, here is my contribution:
```text
sudo snap get microstack config.tls
Key                              Value
config.tls.cacert-path           /var/snap/microstack/common/etc/ssl/certs/cacert.pem
config.tls.cert-path             /var/snap/microstack/common/etc/ssl/certs/cert.pem
config.tls.compute               {...}
config.tls.generate-self-signed  true
config.tls.key-path              /var/snap/microstack/common/etc/ssl/private/key.pem
```
In the terraform directory, do:
```text
cat /var/snap/microstack/common/etc/ssl/certs/cacert.pem : copy/paste -> cacert.pem
cat /var/snap/microstack/common/etc/ssl/certs/cert.pem   : copy/paste -> cert.pem
cat /var/snap/microstack/common/etc/ssl/private/key.pem  : copy/paste -> key.pem
```
And create a file main.tf in your terraform directory:
```hcl
provider "openstack" {
  user_name   = "admin"
  tenant_name = "admin"
  password    = "pass"  # get it with: sudo snap get microstack config.credentials.keystone-password
  auth_url    = "https://host_ip:5000/v3"
  # insecure  = true    # alternative: uncomment this and comment out the cacert_file + key lines
  cacert_file = "/terraform_dir/cacert.pem"
  # cert      = "/terraform_dir/cert.pem"  # if needed
  key         = "/terraform_dir/key.pem"
  region      = "microstack"  # or regionOne
}
```
To finish, run terraform plan/apply.

JMeter JMS: Getting Error: Failed to connect via SSL to [ssl://<server-name>:7352]: Received fatal alert: protocol_version

I'm trying to publish message to a Tibco Queue on a SSL Tibco Server through JMeter 5.4.1 using JMS Point-to-Point Logic Controller.
JMS Point To Point Controller Config
But I'm getting the following error message:
```text
2021-06-13 12:25:46,278 ERROR o.a.j.p.j.s.JMSSampler: Not permitted:
Failed to connect to any server at: ssl://[server-name]:7352,
ssl://[server-name]:7352 [Error: Failed to connect via SSL to
[ssl://[server-name]:7352]: Received fatal alert:
protocol_version: url that returned this exception =
SSL://[server-name]:7352 ]
javax.naming.AuthenticationException: Not permitted: Failed to connect
to any server at: ssl://[server-name]:7352,
ssl://[server-name]:7352 [Error: Failed to connect via SSL to
[ssl://[server-name]:7352]: Received fatal alert:
protocol_version: url that returned this exception =
SSL://[server-name] ] at
com.tibco.tibjms.naming.TibjmsContext.lookup(TibjmsContext.java:670)
~[tibjms.jar:8.0.0] at
com.tibco.tibjms.naming.TibjmsContext.lookup(TibjmsContext.java:491)
~[tibjms.jar:8.0.0] at
javax.naming.InitialContext.lookup(InitialContext.java:417)
~[?:1.8.0_291] at
org.apache.jmeter.protocol.jms.sampler.JMSSampler.threadStarted(JMSSampler.java:638)
[ApacheJMeter_jms.jar:5.4.1] at
org.apache.jmeter.threads.JMeterThread$ThreadListenerTraverser.addNode(JMeterThread.java:784)
[ApacheJMeter_core.jar:5.4.1] at
org.apache.jorphan.collections.HashTree.traverseInto(HashTree.java:993)
[jorphan.jar:5.4.1] at
org.apache.jorphan.collections.HashTree.traverse(HashTree.java:976)
[jorphan.jar:5.4.1] at
org.apache.jmeter.threads.JMeterThread.threadStarted(JMeterThread.java:752)
[ApacheJMeter_core.jar:5.4.1] at
org.apache.jmeter.threads.JMeterThread.initRun(JMeterThread.java:740)
[ApacheJMeter_core.jar:5.4.1] at
org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:252)
[ApacheJMeter_core.jar:5.4.1]
```
I tried:
```shell
openssl s_client -connect [server-name]:7352
```
It gave the following output:
```text
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
```
So I added the following line in the jmeter.properties file:
```properties
https.default.protocol=TLSv1.2
```
I also commented out jdk.tls.disabledAlgorithms in the java.security file of the JDK (I'm using jdk1.8.0_291):
```properties
# jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
# DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
# include jdk.disabled.namedCurves
```
But I'm still getting the same error. Someone please help.
I think you're using the wrong property (not only the wrong property but the wrong place as well): you're setting the default protocol for HTTPS, while you need to set it for TLS, i.e. add the next line to the system.properties file:
```properties
jdk.tls.client.protocols=TLSv1.2
```
A JMeter restart will be required to apply this property.
If it doesn't help or you get different errors, consider adding the next line there as well:
```properties
javax.net.debug=all
```
and then check the jmeter.log file and stdout for any suspicious entries.
More information:
Configuring JMeter
Apache JMeter Properties Customization Guide
I resolved it by using the latest tibjms.jar in the lib directory in JMeter as the Tibco server was upgraded some hours before I raised this issue.

getstream.io SSL certificate unable to get local issuer certificate

I need some help. I'm integrating getstream.io into my laravel application (v5.1), I'm stuck with this error:
```text
cURL error 60: SSL certificate problem: unable to get local issuer
certificate
```
This is my code:
```php
use GetStream\Stream\Client;

// controller action: post a "like" activity to eric's user feed
public function index()
{
    $client = new Client('rrzp7mz8htgn', '8cgs94jg2z5da2h4q2an8q6q5vktrp8y8w7rsft3zndf63c8y9n59g2h2qvtdhqq');
    $ericFeed = $client->feed('user', 'eric');
    $data = [
        "actor" => "eric",
        "verb" => "like",
        "object" => "3",
        "tweet" => "Hello world"
    ];
    $ericFeed->addActivity($data);
}
```
I followed the instructions below from packalyst.
Add get-stream to your composer.json:
```json
"require": {
    "get-stream/stream-laravel": "~2.1"
},
```
then run composer update.
I also added the provider and the aliases:
```php
'providers' => array(
    'GetStream\StreamLaravel\StreamLaravelServiceProvider',
    ...
),
'aliases' => array(
    'FeedManager' => 'GetStream\StreamLaravel\Facades\FeedManager',
    ...
),
```
I ran:
```shell
php artisan vendor:publish --provider="GetStream\StreamLaravel\StreamLaravelServiceProvider"
```
I have already emailed getstream.io, but no response yet. I'll update this post when I receive some answers from them.
I also checked this post from laracast, but there's no answer.
https://laracasts.com/discuss/channels/general-discussion/activity-feeds-with-getstreamio?page=0
Getstream.io replied to my email and helped me. Here's the solution:
> the SSL error message it's usually related to using old certificate key chains with CURL. This is unfortunately quite of a common issue with CURL and SSL, I suggest you to try the solution suggested in this thread:
> Paypal Access - SSL certificate: unable to get local issuer certificate
And this is what I did:
Downloaded cacert.pem from the link above at curl.haxx.se/ca/cacert.pem and saved it to c:/wamp/bin/php/php5.5.12/cert/
Clicked my wamp icon, navigated to PHP > php.ini
Added the following line and clicked save:
```ini
curl.cainfo=c:/wamp/bin/php/php5.5.12/cert/cacert.pem
```
Restart wamp and that's it. It worked.
Hope this helps other developers using getstream.io. Credits to Tommaso of getstream.io.

Using SOAP Savon gem and Rails

I am trying to establish a connection using the SOAP gem, called Savon. I can't make sense of the documentation on the website. I have this URL: "https://www.example.com/loginWeb/rvu.aspx", and these credentials: username "user", password "pass".
My code is this (rails console):
```ruby
client = Savon::Client.new("https://www.example.com/loginWeb/rvu.aspx")
client.wsse.credentials 'user', 'pass'
```
I get this (even trying with "digest"):
```text
HTTPI executes HTTP GET using the net_http adapter
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
```
I downloaded SoapUI and I get this error when I try to connect to the URL:
```text
Error loading [http://www.example.com/loginWeb/rvu.aspx?WSDL]: org.apache.xmlbeans.XmlException: org.apache.xmlbeans.XmlException: error: Unexpected character encountered (lex state 3): '&
```
So what is going on? Any help?
I suppose it's the same issue as here: you're trying to access a site with a self-signed SSL certificate.
One way to fix it is to prevent Savon from checking it:
```ruby
client = Savon::Client.new("https://www.example.com/loginWeb/rvu.aspx")
client.http.auth.ssl.verify_mode = :none
client.wsse.credentials 'user', 'pass'
```