Using "--no-verify" still getting "CERTIFICATE_VERIFY_FAILED" error #175

Open
gheibia opened this issue Jan 9, 2019 · 7 comments

gheibia commented Jan 9, 2019

  • Using Version 7.0.2 of CLI on Mac (pip3 show sfctl)
  • Cluster version: 6.4.622.9590 hosted on Azure

Using a self-signed client cert, the following command fails with:

Error occurred in request., SSLError: HTTPSConnectionPool(host='****.westus2.cloudapp.azure.com', port=19080): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1045)')))

Command:

sfctl cluster select --endpoint https://****.westus2.cloudapp.azure.com:19080 --key /Users/me/Downloads/sfc.key --cert /Users/me/Downloads/sfc.crt --no-verify 

I was under the impression that --no-verify will skip the certificate verification step.

prasadker commented Jan 10, 2019

@samedder @Christina-Kang

gheibia commented Jan 10, 2019

To add a bit more information here:

The same cert works well with PowerShell (on Windows) and directly with OpenSSL (on both Mac and Windows):

Connect-ServiceFabricCluster -ConnectionEndpoint "****.westus2.cloudapp.azure.com:19000" -X509Credential -ServerCertThumbprint "**************************" -FindType FindByThumbprint -FindValue "***************************"

Connects successfully (the first thumbprint is the cluster's cert and the second one is my client cert, which is added to the cluster as an admin and also has the "keyCertSig" bit set on it). Obviously, I had to add the cert to a local store.

$ openssl s_client -cert /Users/me/Downloads/sfc.pem  -connect ****.westus2.cloudapp.azure.com:19080

Successfully opens a session and I can send an HTTP request.

gheibia commented Jan 10, 2019

I have also tried "sfctl" on a Windows machine, knowing there are concerns with the version of OpenSSL shipped with Mac. Same problem.

Christina-Kang self-assigned this Jan 11, 2019
@Christina-Kang
Contributor

@gheibia Thanks for reporting the issue!

Does sfctl cluster select also fail when using the pem file rather than the key and crt combo?

Verification should not be happening. Can you share the full error message from the command, with --debug, blocking out any sensitive information? You can also email me at bikang@microsoft.com with the full error message instead. Thank you!

gheibia commented Jan 12, 2019

@Christina-Kang Yes, it fails with PEM files as well. I'll email you the log directly.

gheibia commented Jan 15, 2019

For anyone who lands here for an answer, as a workaround, one could call Service Fabric APIs directly through, say, cURL:

See https://stackoverflow.com/questions/54089465/add-custom-header-to-all-responses-from-traefik-on-azures-service-fabric

sayers commented Oct 3, 2023

Any plans for this to be fixed? Issue still present in version 11.0.0.
