Can't connect to HipChat on OS X #427

Closed
nolanw opened this Issue Jul 27, 2015 · 4 comments

nolanw commented Jul 27, 2015

Hello! I'm using err 2.2.1 on OS X 10.10 with the system python (2.7).

After installing and configuring errbot to use HipChat, when I try to start it, the bot never connects and I see these lines logged over and over again:

10:45:00 INFO     sleekxmpp.xmlstream.xmlst Negotiating TLS
10:45:00 INFO     sleekxmpp.xmlstream.xmlst Using SSL version: TLS 1.0
10:45:00 ERROR    sleekxmpp.xmlstream.xmlst Socket Error #185090050: _ssl.c:343: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
10:45:00 INFO     sleekxmpp.xmlstream.xmlst Waiting for </stream:stream> from server
10:45:04 INFO     root                      Disconnect callback, deactivating all the plugins.

until I give up and ^C it.

After adding some logging I see that we're passing in the path /etc/ssl/certs/ca-certificates.crt which does not exist on OS X. I assume the error comes when trying to read this missing file.

Poking around, I see that backends/xmpp.py line 374 is what sets this path. If I comment it out (leaving the default of None) then everything works great! The bot connects to HipChat and responds to commands.

I tried setting XMPP_CA_CERT_FILE to the empty string (i.e. XMPP_CA_CERT_FILE= err.py -H) but I got the same problem as before. Is there some way to specify "no cert file"? Or could we set the default to None on OS X? I don't believe that would be an insecure default, based on this comment in the docs for sleekxmpp.xmlstream.xmlstream:

On Mac OS X, certificates in the system keyring will be consulted, even if they are not in the provided file.

I'm open to any other solution, of course, just suggesting the first things that come to mind.

Member

gbin commented Jul 29, 2015

XMPP_CA_CERT_FILE should be set in the config.py

# XMPP TLS certificate verification. In order to validate offered certificates,
# you must supply a path to a file containing certificate authorities. By
# default, "/etc/ssl/certs/ca-certificates.crt" is used, which on most Linux
# systems holds the default system trusted CA certificates. You might need to
# change this depending on your environment. Setting this to None disables
# certificate validation, which can be useful if you have a self-signed
# certificate for example.
#XMPP_CA_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"

Member

zoni commented Jul 30, 2015

@nolanw I have some thoughts on this (which I think can be tackled as part of #405 in fact) but I don't have the time to go into it in detail now, so I will get back to you on this sometime over the coming days.

Member

zoni commented Jul 30, 2015

Addendum: Did you already manage to get it working for the time being? If not, I'll happily help you get it going regardless of changing the underlying code and/or documentation to make this easier in general.

nolanw commented Jul 30, 2015

@gbin Oh, there it is. How easy was that? Thanks!

@zoni Yep I got it going by uncommenting that line and setting it = None.

My issue is resolved and this can be closed, but in case y'all want to keep it open for further discussion, I'll let you decide whether to close it!

@gbin gbin closed this Jul 31, 2015
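
The config.py comment quoted in this thread says that setting XMPP_CA_CERT_FILE to None disables certificate validation. As an added example (not errbot's own code and not from any participant in this thread), here is one way a config.py could pick a CA bundle that actually exists on the host so that validation stays enabled. The candidate paths other than the errbot default, the helper names, and the optional use of certifi are assumptions.

```python
import os
import ssl

# Assumed common CA bundle locations; only the first is named on this page.
CANDIDATE_CA_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",   # Debian/Ubuntu (errbot default)
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL/CentOS/Fedora (assumption)
    "/etc/ssl/cert.pem",                    # OS X and BSDs (assumption)
]

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def is_usable_bundle(path):
    """True if path is a readable file holding at least one PEM certificate."""
    if not path or not os.path.isfile(path):
        return False
    try:
        with open(path, "rb") as handle:
            return PEM_MARKER in handle.read()
    except (IOError, OSError):
        return False


def find_ca_bundle(candidates=None):
    """Return the first usable CA bundle path, never None.

    Raises RuntimeError instead of falling back to None, because the
    config comment on this page says None disables certificate validation.
    """
    paths = list(CANDIDATE_CA_BUNDLES if candidates is None else candidates)
    if candidates is None:
        # Also try what this Python's OpenSSL build treats as its default.
        paths.append(ssl.get_default_verify_paths().cafile)
        try:
            import certifi  # optional third-party bundle, if installed
            paths.append(certifi.where())
        except ImportError:
            pass
    for path in paths:
        if is_usable_bundle(path):
            return path
    raise RuntimeError("no CA bundle found; set XMPP_CA_CERT_FILE explicitly")


# Assumed usage in config.py: XMPP_CA_CERT_FILE = find_ca_bundle()
```

Failing at startup when no bundle is found makes the missing-file case visible as a clear configuration error rather than as the repeated socket error shown in the log above.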
