How do I disable cert checking in st2client?


(Dustin) #1

Trying to use the python library st2client for some simple tests calling a locally running instance of stackstorm in a container on https://localhost.

from flask import Flask, request, jsonify
import pathlib 
import os
import json
from st2client.client import Client
from st2client import models

app = Flask(__name__)

@app.route('/')
def hello_world():
    client = Client(base_url='https://localhost', api_key='037339ce65194c19b5c61205c0f86466', debug=True)
    rules = client.rules.get_all()

Results in:

$ flask run
 * Serving Flask app "app.py"
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
[2018-12-14 15:20:32,145] ERROR in app: Exception on / [GET]
Traceback (most recent call last):
  File "~/Projects/stackstorm/stackstorm.api/stackstorm_env/lib/python3.6/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 438, in wrap_socket
    cnx.do_handshake()
  File "~/Projects/stackstorm/stackstorm.api/stackstorm_env/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1907, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "~/Projects/stackstorm/stackstorm.api/stackstorm_env/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1632, in _raise_ssl_error
    raise SysCallError(-1, "Unexpected EOF")
  OpenSSL.SSL.SysCallError: (-1, 'Unexpected EOF')

I set my stackstorm config without fixing the error.

[general]
base_url = https://localhost
api_version = v1
silence_ssl_warnings = True

Is there a way to ignore certificates?


(Lindsay Hill) #2

I’m not sure that it’s getting to SSL validation.

My read of the st2client code is that it defaults to not validating certificates unless you specify cacert. See st2/httpclient.py at master · StackStorm/st2 · GitHub

def add_ssl_verify_to_kwargs(func):
    def decorate(*args, **kwargs):
        if isinstance(args[0], HTTPClient) and 'https' in getattr(args[0], 'root', ''):
            cacert = getattr(args[0], 'cacert', None)
            kwargs['verify'] = cacert if cacert is not None else False
        return func(*args, **kwargs)
    return decorate

But your message “Unexpected EOF” implies something different to me. I think something else is going on. I would check your connectivity from that container to wherever nginx is running.


(Tomaz Muraus) #3

You should be able to pass cacert=False argument to the “Client” class constructor (either False or None should work for the value).

EDIT: @lhill I believe it will try to use a default requests CA cert bundle if cacert argument / ST2_CACERT environment variable is not explicitly specified.


(Dustin) #4

Tried both cacert=False and cacert=None and get same error.


(Tomaz Muraus) #5

Looking at the error message, it might be related to a server SSL misconfiguration (e.g. ("bad handshake: SysCallError(-1, 'Unexpected EOF')",) despite using verify=False · Issue #4244 · requests/requests · GitHub).

How did you install StackStorm? On what Linux distribution? Could also be related to an environment, e.g. out of date openssl version.

EDIT: It looks like you are using Python 3.6. Did you try with Python 2.7 yet?

We did actually announce initial preview of StackStorm v2.0 running on Ubuntu Bionic under Python 3, but it’s still experimental.


(Dustin) #6

I have SS running from the stackstorm/stackstorm:latest distro on hub.docker.com. I’ll try with Python 2.7. Thanks.


(Lindsay Hill) #7

My guess is that it’s something related to your Docker setup. My guess is that “https://localhost” (relative to wherever your flask container is running) is not mapping through to port 443 on the ST2 container.


(Dustin) #8

I think networking is ok. ST2 is a container, and I am running python project from host. I can hit in browser, or use postman (but both of those allow me to disable ssl).

I tried again with python 2.7.10, slightly different but same error.

$ flask run
 * Serving Flask app "app.py"
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
[2018-12-14 17:26:41,599] ERROR in app: Exception on / [GET]
Traceback (most recent call last):
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "~/Projects/stackstorm/stackstorm.api/app.py", line 15, in hello_world
    rules = client.rules.get_all()
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/st2client/models/core.py", line 40, in decorate
    return func(*args, **kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/st2client/models/core.py", line 191, in get_all
    response = self.client.get(url=url, params=params, **kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/st2client/utils/httpclient.py", line 33, in decorate
    return func(*args, **kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/st2client/utils/httpclient.py", line 51, in decorate
    return func(*args, **kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/st2client/utils/httpclient.py", line 88, in get
    response = requests.get(self.root + url, **kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/requests/sessions.py", line 518, in request
    resp = self.send(prep, **send_kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/requests/sessions.py", line 639, in send
    r = adapter.send(request, **kwargs)
  File "~/Projects/stackstorm/stackstorm.api/venv/lib/python2.7/site-packages/requests/adapters.py", line 512, in send
    raise SSLError(e, request=request)
SSLError: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)

I’ll try wireshark next. Thanks for all the pointers.
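
The thread turns on whether "Unexpected EOF" is a certificate problem at all. The following added example (not code from any poster or from st2client) classifies one connection attempt by the stage at which it fails, with verification left on; `classify_tls_failure` and `start_eof_listener` are hypothetical names, and the listener is a constructed stand-in for a port that drops the connection during the handshake.

```python
import socket
import ssl
import threading


def classify_tls_failure(host, port, cafile=None, timeout=3.0):
    """Return 'tcp', 'handshake', 'verify' or 'ok' for one connection attempt."""
    # Verification stays on. A failure that occurs before the certificate is
    # examined is not something a cacert / verify setting can change.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp"        # nothing listening, or the port is not mapped
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "verify"     # the only stage a CA bundle (cacert) influences
    except (ssl.SSLError, OSError):
        return "handshake"  # EOF, reset, protocol mismatch, non-TLS listener
    finally:
        sock.close()


def start_eof_listener():
    """Constructed stand-in: accept one TCP connection and close it at once."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()        # the peer sees EOF/reset in the middle of the handshake
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(classify_tls_failure("127.0.0.1", start_eof_listener()))
```

A result of `verify` is the case where passing the server's CA file as `cafile` (the counterpart of st2client's `cacert`) is the fix; `tcp` and `handshake` point at port mapping or the server's TLS setup instead.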