
Alerta (https and keycloak) #1381

Closed
edta6 opened this issue Nov 17, 2020 · 9 comments
Labels
question Further information is requested

Comments

@edta6

edta6 commented Nov 17, 2020

I have a problem with Alerta and Keycloak.

I installed Alerta following this tutorial:

https://devopstales.github.io/monitoring/alerta-on-centos7/

If I use basic auth it works fine.

For keycloak:

alertad.conf

AUTH_PROVIDER = 'keycloak'
KEYCLOAK_URL = ******
KEYCLOAK_REALM = ******
OAUTH2_CLIENT_ID = 'alerta-ui'
OAUTH2_CLIENT_SECRET =********

Log from uwsgi; does it not see the cert?

```
VACUUM: unix socket /var/run/alerta/uwsgi.sock removed.
*** Starting uWSGI 2.0.19.1 (64bit) on [Tue Nov 17 10:23:45 2020] ***
compiled with version: 8.3.1 20191121 (Red Hat 8.3.1-5) on 28 October 2020 14:05:07
os: Linux-4.18.0-193.19.1.el8_2.x86_64 #1 SMP Wed Aug 26 15:29:02 EDT 2020
nodename:
machine: x86_64
clock source: unix
detected number of CPU cores: 1
current working directory: /
detected binary path: /root/.local/bin/uwsgi
!!! no internal routing support, rebuild with pcre support !!!
setgid() to 988
set additional group 1001 (alerta)
setuid() to 992
chdir() to /var/www
your processes number limit is 14970
your memory page size is 4096 bytes
detected max file descriptor number: 1024
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to UNIX address /var/run/alerta/uwsgi.sock fd 7
Python version: 3.6.8 (default, Dec 5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
*** Python threads support is disabled. You can enable it with --enable-threads ***
Python main interpreter initialized at 0xee2ec0
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
mapped 437424 bytes (427 KB) for 5 cores
*** Operational MODE: preforking ***
mounting wsgi.py on /api
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 344, in connect
    ssl_context=context)
  File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 354, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(): (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/alerta/auth/oidc.py", line 34, in get_oidc_configuration
    r = requests.get(discovery_doc_url, timeout=2)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(): Max retries exceeded with url: (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/alerta/auth/__init__.py", line 27, in register
    oidc_config, _ = oidc.get_oidc_configuration(app)
  File "/usr/local/lib/python3.6/site-packages/alerta/auth/oidc.py", line 37, in get_oidc_configuration
    raise ApiError('Could not get OpenID configuration from well known URL: {}'.format(str(e)), 503)
alerta.exceptions.ApiError: Could not get OpenID configuration from well known URL: HTTPSConnectionPool(host='keycloak.cn.in.pekao.com.pl', port=443): Max retries exceeded with url: /auth/realms/pekao/.well-known/openid-configuration (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "wsgi.py", line 3, in <module>
    app = create_app()
  File "/usr/local/lib/python3.6/site-packages/alerta/app.py", line 84, in create_app
    app.register_blueprint(auth_blueprint)
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 98, in wrapper_func
    return f(self, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1168, in register_blueprint
    blueprint.register(self, options, first_registration)
  File "/usr/local/lib/python3.6/site-packages/alerta/auth/__init__.py", line 31, in register
    raise RuntimeError(e)
RuntimeError: Could not get OpenID configuration from well known URL: HTTPSConnectionPool(): Max retries exceeded with url: (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
VACUUM: unix socket /var/run/alerta/uwsgi.sock removed.
```

@satterly
Member

If you are self-hosting keycloak you will need to add your SSL certs to your Alerta docker container as an additional layer.

@edta6
Author

edta6 commented Nov 18, 2020

I don't use Docker. I installed Alerta on a Linux server.

I added the cert to nginx and I have HTTPS.

Should I recompile uWSGI with OpenSSL and add the cert as in this documentation:
https://uwsgi-docs.readthedocs.io/en/latest/HTTPS.html

Or is the problem in this file, wsgi.py:

```python
from alerta import create_app

app = create_app()
```

because the error occurs when mounting the app.

```ini
[uwsgi]
chdir = /var/www
mount = /api=wsgi.py
callable = app
manage-script-name = true
env = BASE_URL=/api

master = true
processes = 5
#logger = syslog:alertad
logto = /tmp/%n.log

socket = /var/run/alerta/uwsgi.sock
chmod-socket = 664
uid = nginx
gid = nginx
vacuum = true

die-on-term = true

shared-socket = 0.0.0.0:8443
https = =0,/root/alerta/alerta.crt,/root/alerta/alerta.key
http-to = /var/run/alerta/uwsgi.sock
```

@satterly
Member

This error suggests there is a problem with your cert on the Keycloak server...

```
alerta.exceptions.ApiError: Could not get OpenID configuration from well known URL: HTTPSConnectionPool(host='keycloak.cn.in.pekao.com.pl', port=443): Max retries exceeded with url: /auth/realms/pekao/.well-known/openid-configuration (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
```

@edta6
Author

edta6 commented Nov 18, 2020

But other applications work fine with Keycloak: Grafana, Zabbix, etc.

If I create a simple Python script with requests:

```python
import requests

x = requests.get('', verify='')
print(x.status_code)
```

I get 200.

@satterly
Member

satterly commented Nov 18, 2020

You realise that adding verify='' as a request option skips SSL verification, right?

@edta6
Author

edta6 commented Nov 18, 2020

verify = path to the cert.

I did not add verify=False.

@satterly
Member

```
$ python
Python 3.9.0 (default, Oct 27 2020, 14:15:17)
[Clang 12.0.0 (clang-1200.0.32.21)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> bool('')
False
>>>
```

Requests can also ignore verifying the SSL certificate if you set verify to False:

```
requests.get('https://kennethreitz.org', verify=False)
<Response [200]>
```

See https://requests.readthedocs.io/en/master/user/advanced/
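The point made in the comment above (an empty string is falsy, so `verify=''` disables verification just like `verify=False`) comes straight from how requests branches on the `verify` argument. The block below is an added example for this thread, not Alerta's code and not the requests library itself: it restates, with the standard library only, the two requests behaviours involved (the `verify` branch in `HTTPAdapter.cert_verify` and the environment lookup in `Session.merge_environment_settings`) and runs the cases from this thread against a constructed Keycloak discovery URL. The hostname, the temporary CA bundle file and the function names are all constructed for the example.

```python
"""Model of how the requests library decides whether to verify a TLS certificate.

Added example for this thread: neither Alerta's code nor the requests library,
only a stdlib restatement of two requests behaviours the discussion turns on
(requests.adapters.HTTPAdapter.cert_verify and
requests.sessions.Session.merge_environment_settings):

  * verification happens only when the URL is https AND `verify` is truthy,
    so verify='' behaves exactly like verify=False;
  * REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE are consulted only while `verify` is
    still the default True, so a caller that never passes `verify` can be
    pointed at an internal CA from the environment without a code change.
"""
import os
import tempfile
from typing import Dict, Optional, Tuple, Union

Verify = Union[bool, str, None]


def merge_environment(verify: Verify, env: Optional[Dict[str, str]] = None) -> Verify:
    """Mirror of merge_environment_settings: only the default True/None is
    replaced by a CA bundle named in the environment; any explicit value,
    including '', is left alone."""
    env = os.environ if env is None else env
    if verify is True or verify is None:
        return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or verify
    return verify


def effective_tls(url: str, verify: Verify) -> Tuple[str, Optional[str]]:
    """Mirror of the branch in HTTPAdapter.cert_verify.

    Returns (cert_reqs, ca_location); ca_location None under CERT_REQUIRED
    means the default (certifi/system) bundle.  Like requests, a CA path that
    does not exist is an error, never a silent fall-back to no verification.
    """
    if url.lower().startswith("https") and verify:
        if verify is True:
            return "CERT_REQUIRED", None
        ca_path = str(verify)
        if not os.path.exists(ca_path):
            raise OSError(f"Could not find a suitable TLS CA certificate bundle, invalid path: {ca_path}")
        return "CERT_REQUIRED", ca_path
    # Plain http, or a falsy verify value such as False or ''.
    return "CERT_NONE", None


def describe(url: str, verify: Verify, env: Optional[Dict[str, str]] = None) -> str:
    """One-line summary of what a given requests call would actually do."""
    try:
        cert_reqs, ca = effective_tls(url, merge_environment(verify, env))
    except OSError as exc:
        return f"error: {exc}"
    if cert_reqs == "CERT_NONE":
        return "unverified"
    return "verified against " + (ca or "default bundle")


def demo() -> Dict[str, str]:
    """Run the cases from this thread against a constructed discovery URL."""
    url = "https://keycloak.example.internal/auth/realms/demo/.well-known/openid-configuration"
    with tempfile.NamedTemporaryFile(suffix=".pem") as ca:
        # Constructed placeholder for an internal CA bundle; only its existence matters here.
        env_with_ca = {"REQUESTS_CA_BUNDLE": ca.name}
        return {
            "verify_default": describe(url, True, env={}),
            "verify_empty_string": describe(url, "", env={}),
            "verify_false": describe(url, False, env={}),
            "verify_path": describe(url, ca.name, env={}),
            "verify_missing_path": describe(url, "/nonexistent/ca.pem", env={}),
            "default_plus_env_bundle": describe(url, True, env=env_with_ca),
            "empty_string_plus_env_bundle": describe(url, "", env=env_with_ca),
        }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30s} -> {outcome}")
```

The last two cases are the ones that matter for this thread: a caller left at the default `verify=True` is silently pointed at the bundle named in `REQUESTS_CA_BUNDLE`, while `verify=''` stays unverified even when the variable is set. The traceback earlier in the thread shows Alerta's `oidc.py` calling `requests.get(discovery_doc_url, timeout=2)` with the default `verify`, so it falls in the first group: exporting `REQUESTS_CA_BUNDLE` to the internal CA (for example via the `env =` key already present in the posted uwsgi config) lets the discovery fetch verify the Keycloak certificate against the right CA instead of turning verification off.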

@edta6
Author

edta6 commented Nov 18, 2020

On this site, see the topic "SSL Cert Verification".

I use this:

```python
requests.get('https://github.com', verify='/path/to/certfile')
```

@satterly
Member

That's not what you put in the comment above. The example you provided earlier had an empty string as the verify parameter value, which equates to False, which means you skipped SSL verification. If you want to continue this conversation please use Slack. GitHub issues are for bugs and enhancement requests. Thanks. https://slack.alerta.dev

@satterly satterly added the question Further information is requested label Nov 18, 2020