Opened at 2016-06-09T07:01:41Z
Last modified at 2016-07-03T18:27:46Z
#2791 new defect
Tahoe CLI / SSL certificate
| Reported by: | cedric | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | undecided |
| Component: | code-frontend-cli | Version: | 1.11.0 |
| Keywords: | Cc: | ||
| Launchpad Bug: |
Description (last modified by warner)
Hi,
I'm running a small grid with few nodes. I use Web API through HTTPS with self signed certificates/Internal CA I'm dealing with some troubles when i call tahoe cli (eg: tahoe create-alias....).
"tahoe create-alias test" return error:
Traceback (most recent call last):
File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 162, in run
rc = runner(sys.argv[1:], install_node_control=install_node_control)
File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 147, in runner
rc = cli.dispatch[command](so)
File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/cli.py", line 486, in create_alias
rc = tahoe_add_alias.create_alias(options)
File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/tahoe_add_alias.py", line 85, in create_alias
resp = do_http("POST", url)
File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/common_http.py", line 70, in do_http
c.endheaders()
File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 812, in send
self.connect()
File "/usr/lib/python2.7/httplib.py", line 1212, in connect
server_hostname=server_hostname)
File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
_context=self)
File "/usr/lib/python2.7/ssl.py", line 566, in __init__
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 796, in do_handshake
match_hostname(self.getpeercert(), self.server_hostname)
File "/usr/lib/python2.7/ssl.py", line 273, in match_hostname
% (hostname, dnsnames[0]))
CertificateError: hostname '127.0.0.1' doesn't match u'Myhostname'
SSL certificate has CN=Myhostname and an alternative name IP.1=127.0.0.1. CA certificate is available in /etc/ssl/certs/ and c_rehash done.
openssl s_client -connect 127.0.0.1:3456 -CApath /etc/ssl/certs/ return "Ok".
It seem that ssl.py is only try to verify CN == hostname, there is no verification on alternative name.
The only way i've found to get tahoe cli working is to change node.url by replacing https://127.0.0.1:3456 by https://Myhostname:3456
I missed something?
Thanks for your help and thanks for the great job on Tahoe-LAFS!
Change History (1)
comment:1 Changed at 2016-07-03T18:27:46Z by warner
- Component changed from unknown to code-frontend-cli
- Description modified (diff)
Hm, it might be that it isn't paying attention to the "alternative name", or maybe it's just unwilling to accept numeric IP addresses at all (or maybe just 127.0.0.1 .. no CA would issue one like that, so maybe the libraries don't ever expect one like that). You might try setting the alt-name to "localhost", and see if that affects anything.
To be honest I haven't paid close attention to what our CLI tools do with TLS, because I always run them against 127.0.0.1, which doesn't need transport-level security. (if you were running the client/gateway on a remote system, TLS would be critical, of course).
We might want to consider rewriting out CLI tools in terms of the requests library, which is generally considered to be the modern way to do HTTP. I don't know how requests does TLS verification, but I'd want to do whatever they do.
But yes, I suspect that setting your node.url to something which the TLS client is willing to verify is the easiest fix, if setting alt-name to "localhost" doesn't work.