Impossible to fetch Fingerbank account information #3579
Comments
Just as a side note, you did leak your key since in the email notification I got, it was there in the last line. Next, it seems that you're using a proxy. The collector supports the use of a proxy if set using environment variables (HTTP_PROXY, HTTPS_PROXY) but will not support man in the middle SSL decryption. |
Yes, I'm using a proxy. Is this proxy definition wrong? |
Is your proxy performing man-in-the-middle SSL decryption? If so, it's not compatible with the collector. Also, your environment variables should be defined at the OS level so that all processes have access to them, not only wget. If you're unable to do that, then you'll have to create the following unit file in
|
I'll have it as an action item to automatically set that environment variable for the collector based on the Fingerbank configuration in PacketFence |
Now the messages have changed, but there is always an error connecting to api.fingerbank.org and |
Aug 30 14:42:56 CZSTD-PF80-P1 fingerbank_httpd.admin: httpd.admin(1810) ERROR: [mac:unknown] Error while fetching account information (fingerbank::API::account_info) |
I took some time to get everything tested and there was a bug in the proxy implementation of the fingerbank perl library. I've pushed new packages for CentOS 7, try updating the fingerbank packages and try again:
Then, for the settings, put:
|
Thank you |
Hi, I'm having the same problems with proxy settings. Can anyone tell me what the solution was? I'm using the latest packages on CentOS 7. I think the problems in my install are: And if I add the fingerbank DNS to /etc/hosts I also get: |
Hello @gticomunica, Check #3699 (comment) and try to update fingerbank package. |
Hi, I updated to latest devel version and have the same problem: The message I get in packetfence web gui is: "Impossible to fetch Fingerbank account information: 501 Protocol scheme 'connect' is not supported" Squid logs show: |
Is your proxy terminating SSL ? Also, this issue is unrelated, in this issue, the proxy wasn't respected. In yours, the proxy is respected but your proxy isn't able to connect to Fingerbank |
The company web proxy is an old Microsoft ISA server (it does not terminate SSL). But for this issue I installed a temporary Debian Squid proxy (I can surf the web just fine), with no restrictions, just a clean install, all allowed. I also removed the /etc/hosts entries.
And the message in Squid is:
1540394471.528 0 SERVER_IP TCP_DENIED/403 3423 CONNECT SERVER_IP:2379 - HIER_NONE/- text/html
And the PacketFence log:
pfqueue: pfqueue(2508) ERROR: [mac:unknown] Error while communicating with the Fingerbank collector. 501 Protocol scheme 'connect' is not supported (pf::fingerbank::endpoint_attributes)
If I change to another proxy, PacketFence gives the same message:
pfqueue: pfqueue(2508) ERROR: [mac:unknown] Error while communicating with the Fingerbank collector. 501 Protocol scheme 'connect' is not supported (pf::fingerbank::endpoint_attributes) |
Please provide:
rpm -qa | grep fingerbank
rpm -qa | grep packetfence
|
rpm -qa | grep packetfence
rpm -qa | grep fingerbank
I also commented in squid:
Still same error,
|
Try downgrading to the stable version of the fingerbank library:
|
Hi, I tried downgrading and I get the same error: pfqueue: pfqueue(2508) ERROR: [mac:unknown] Error while communicating with the Fingerbank collector. 501 Protocol scheme 'connect' is not supported (pf::fingerbank::endpoint_attributes) |
Why am I seeing attempts to connect to PacketFenceIP:2379 in the proxy server? Those shouldn't go through the proxy. Isn't that part of the problem? |
I think this is because we currently have to set the proxy for the whole OS for Fingerbank (the HTTP_PROXY variable) so that means everything uses that. Port 2379 is for etcd so that means your etcd requests are going through your proxy. Although this isn't a problem for Fingerbank, it might cause little glitches for pfdhcp but nothing major. When you were running fingerbank-4.1.2 as @nqb suggested, did you restart all the PacketFence services after upgrading ? |
Hi, when I tried 4.1.2 , I restarted fingerbank and just in case the whole server because is not in production yet (until I figure out fingerbank issue). I have set HTTP_PROXY in /etc/environment : export http_proxy=http://proxy_ip:3128 I also tried unsetting those variables and the problem continues . |
These are the logs:
/usr/local/pf/logs/fingerbank.log
Oct 25 13:30:29 servername fingerbank_httpd.admin: httpd.admin(2265) INFO: [mac:unknown] Database /usr/local/fingerbank/db/fingerbank_Local.db was changed or handles weren't initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
/usr/local/pf/logs/packetfence.log
Oct 25 13:31:19 servername pfqueue: pfqueue(2813) ERROR: [mac:unknown] Error while communicating with the Fingerbank collector. 501 Protocol scheme 'connect' is not supported (pf::fingerbank::endpoint_attributes) |
I'll likely have to dig into it and replicate this in lab. |
Try applying the following:
And then restart all services |
Hello, the errors changed now, and it shows empty account information in the web GUI. The errors are as follows:
/usr/local/pf/logs/packetfence.log
Oct 25 15:27:07 lnx-nac pfqueue: pfqueue(2655) ERROR: [mac:unknown] Error while communicating with the Fingerbank collector. 400 could not load https::connect protocol support: Can't locate LWP/Protocol/https/connect.pm in @inc (@inc contains: /usr/local/pf/lib /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2558) line 2. (pf::fingerbank::endpoint_attributes)
/usr/local/pf/logs/fingerbank.log
Oct 25 15:27:04 lnx-nac fingerbank_httpd.admin: httpd.admin(2223) ERROR: [mac:unknown] Error while fetching account information (fingerbank::API::account_info)
Thanks for taking your time for this problem. |
I think I finally got it right Try:
Then restart and retry |
Wow, I think we are almost there! I saw 4 requests on my api.fingerbank.org profile. Now I'm seeing connect attempts to 127.0.0.1:4723 coming through the proxy. These are the logs:
Squid:
1540569250.719 0 10.1.1.131 TCP_MISS/503 0 CONNECT 127.0.0.1:4723 - HIER_NONE/- -
/usr/local/pf/logs/packetfence.log:
Oct 26 12:58:02 lnx-nac pfqueue: pfqueue(2590) ERROR: [mac:unknown] Unable to fetch query arguments for Fingerbank query. Aborting. (pf::fingerbank::process)
/usr/local/pf/logs/fingerbank.log:
No errors, just this warning |
Try this:
And then as usual, restart and retry |
Hi, I think it kinda works. How can I check fingerbank works correctly? I now randomly (only sometimes) see this connect attempt in the proxy:
1540570932.013 131386 10.1.1.131 TCP_MISS/200 58 CONNECT 10.1.1.131:2379 - HIER_DIRECT/10.1.1.131 -
This error shows randomly too:
And this warning:
Oct 26 14:15:15 lnx-nac /usr/local/fingerbank/collector/fingerbank-collector[2029]: t=2018-10-26T14:15:15-0300 lvl=warn msg="Couldn't find a peer that has more uptime than this collector. Will not sync from anybody." pid=2029
How can I check fingerbank works correctly? |
Well aside from the occasional error and random attempts in the proxy to connect to 10.1.1.131:2379 , I think it's working ok. I'm doing first steps in packetfence configuration. Are these fixes going to be in the next versions ? Thanks for all your help |
The fixes will be in 8.2. As for the occasional hits on port 2379, this is etcd which will be removed in 8.2 so it will be "fixed" that way |
Just confirming... Finished setting up PacketFence, and tested it with a new laptop and fingerbank works perfectly! |
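The symptom discussed in this thread (requests to 127.0.0.1:4723 and to the server's own etcd port 2379 showing up at the proxy because HTTP_PROXY is set OS-wide) can be checked for mechanically in Squid's access log. This is an added example, not part of the original thread or of PacketFence: the sample log is constructed from the lines quoted above plus one invented api.fingerbank.org entry, the function names are hypothetical, and the NO_PROXY suggestion is an assumption, since the thread does not say whether the PacketFence services honor that variable.

```python
import ipaddress

# Constructed sample (Squid native access.log format); the last line is invented.
SAMPLE_LOG = """\
1540569250.719      0 10.1.1.131 TCP_MISS/503 0 CONNECT 127.0.0.1:4723 - HIER_NONE/- -
1540570932.013 131386 10.1.1.131 TCP_MISS/200 58 CONNECT 10.1.1.131:2379 - HIER_DIRECT/10.1.1.131 -
1540570940.101    210 10.1.1.131 TCP_TUNNEL/200 4512 CONNECT api.fingerbank.org:443 - HIER_DIRECT/203.0.113.10 -
"""


def classify(host, client):
    """Return why a CONNECT target should have bypassed the proxy, or None."""
    if host == client:
        return "self"  # the client is tunnelling to its own address
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname: assumed to be a genuine external destination
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else None


def find_leaks(log_text):
    """Return (client, target, reason) for internal traffic seen at the proxy."""
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        client, target = fields[2], fields[6]
        host = target.rpartition(":")[0].strip("[]")
        reason = classify(host, client)
        if reason:
            leaks.append((client, target, reason))
    return leaks


def no_proxy_value(leaks):
    """Candidate NO_PROXY list (assumption: the affected services honor it)."""
    hosts = {target.rpartition(":")[0] for _, target, _ in leaks}
    return ",".join(sorted(hosts | {"localhost", "127.0.0.1"}))


if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG))
    print("NO_PROXY=" + no_proxy_value(find_leaks(SAMPLE_LOG)))
```

Any hit means local service traffic is leaving the host and being exposed to, or blocked by, the proxy; the api.fingerbank.org tunnel is the only entry that belongs there.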
Hello,
I can't load Fingerbank content.
Message from PacketFence Web-UI:
Impossible to fetch Fingerbank account information: Can't connect to api.fingerbank.org:443 Connection refused at /usr/share/perl5/vendor_perl/LWP/Protocol/http.pm line 41.
fingerbank.log:
Aug 30 13:44:58 CZSTD-PF80-P1 /usr/local/fingerbank/collector/fingerbank-collector[1777]: t=2018-08-30T13:44:58+0200 lvl=eror msg="ERROR: Wasn't able to fetch the destination hosts from the Fingerbank API: Get https://api-ss.fingerbank.org:443/api/v2/download/destination-hosts?key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: dial tcp 35.196.72.95:443: getsockopt: connection refused" pid=1777
manually wget:
wget https://api-ss.fingerbank.org:443/api/v2/download/destination-hosts?key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--2018-08-30 13:49:02-- https://api-ss.fingerbank.org/api/v2/download/destination-hosts?key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Connecting to 10.13.1.81:8181... connected.
ERROR: cannot verify api-ss.fingerbank.org's certificate, issued by ‘/C=CA/ST=Quebec/L=Montreal/O=Inverse Inc./CN=api-ss.fingerbank.org’:
Self-signed certificate encountered.
To connect to api-ss.fingerbank.org insecurely, use `--no-check-certificate'.