SSL certificate unauthenticated #34

Closed
zchatt opened this issue Feb 4, 2022 · 5 comments

@zchatt

zchatt commented Feb 4, 2022

Hi ONT,

I am having an issue supplying the SSL certificate to start_protocol.py. I have set the `MINKNOW_TRUSTED_CA` environment variable within start_protocol.py to the certificate used by the MinKNOW app.

    os.environ['MINKNOW_TRUSTED_CA'] = "/Applications/MinKNOW.app/Contents/Resources/conf/rpc-certs/ca.crt"

However, when running start_protocol.py I receive the following error:

    grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
        status = StatusCode.UNAUTHENTICATED
        details = "Bad metadata key"
        debug_error_string = "{"created":"@1643932207.912947000","description":"Error received from peer ipv6:[::1]:8001","file":"src/core/lib/surface/call.cc","file_line":1075,"grpc_message":"Bad metadata key","grpc_status":16}"

I am able to use the MinION through the MinKNOW app, which would be using the same certificate, so I am unsure of the reason for the discrepancy. I am running minknow_api 4.5.0 and MinKNOW 21.11.18. Any help/insights would be greatly appreciated.

@0x55555555
Contributor

Hi @zchatt, how are you trying to connect?

The error you link doesn't look like an SSL error, but instead an authentication issue.

Are you connecting to a local device, or a remote one - do you have a more complete example demonstrating your issue?

- George

@zchatt
Author

zchatt commented Feb 7, 2022

Hi George,

Thank you for getting back to me. I first tried to use start_protocol.py to connect to a local MinION device attached to my MacBook. However, I received the following error trying to access MinKNOW's CA SSL:

    # Run
    ./start_protocol.py --host localhost --flow-cell-id MN19078 --sample-id "my_sample" --experiment-group "my_group" --experiment-duration 24 --kit SQK-LSK109 --fasta

    # Error message
    Traceback (most recent call last):
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/minknow_api/__init__.py", line 190, in grpc_credentials
        return grpc_credentials.cached_credentials
    AttributeError: 'function' object has no attribute 'cached_credentials'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/Users/zacc/github_repo/nucleotrace_api/start_protocol.py", line 635, in <module>
        main()
      File "/Users/zacc/github_repo/nucleotrace_api/start_protocol.py", line 538, in main
        manager = Manager(host=args.host, port=args.port, use_tls=not args.no_tls)
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/minknow_api/manager.py", line 99, in __init__
        super(Manager, self).__init__(
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/minknow_api/manager.py", line 37, in __init__
        minknow_api.grpc_credentials(),
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/minknow_api/__init__.py", line 195, in grpc_credentials
        raise MissingMinknowSSlCertError(
    minknow_api.MissingMinknowSSlCertError: Couldn't find a valid path to MinKNOW's CA SSL certificate to initiate a secure connection

Notations within minknow_api/__init__.py indicated that I should specify the location of the MinKNOW app's certificate. Therefore I added the location to `os.environ['MINKNOW_TRUSTED_CA']`, as indicated above, at the beginning of start_protocol.py, which appeared to identify the certificate, i.e. MissingMinknowSSlCertError was gone; however, this generated the Unauthenticated error:

    # Error message
      File "/Users/zacc/github_repo/nucleotrace_api/start_protocol.py", line 630, in <module>
        main()
      File "/Users/zacc/github_repo/nucleotrace_api/start_protocol.py", line 537, in main
        add_position_info(experiment_specs, manager)
      File "/Users/zacc/github_repo/nucleotrace_api/start_protocol.py", line 461, in add_position_info
        add_position_to_specs(experiment_specs, position, position_key_type)
      File "/Users/zacc/github_repo/nucleotrace_api/start_protocol.py", line 427, in add_position_to_specs
        position_connection = position.connect()
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/minknow_api/manager.py", line 347, in connect
        return minknow_api.Connection(host=self.host, port=port, use_tls=use_tls)
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/minknow_api/__init__.py", line 299, in __init__
        self.instance.get_version_info()
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/minknow_api/instance_service.py", line 93, in get_version_info
        return run_with_retry(self._stub.get_version_info,
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/minknow_api/instance_service.py", line 37, in run_with_retry
        result = MessageWrapper(method(message, timeout=timeout), unwraps=unwraps)
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/grpc/_channel.py", line 946, in __call__
        return _end_unary_response_blocking(state, call, False, None)
      File "/Users/zacc/python_venv/ndecode/lib/python3.8/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking
        raise _InactiveRpcError(state)
    grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
        status = StatusCode.UNAUTHENTICATED
        details = "Bad metadata key"
        debug_error_string = "{"created":"@1644210054.617217000","description":"Error received from peer ipv6:[::1]:8001","file":"src/core/lib/surface/call.cc","file_line":1075,"grpc_message":"Bad metadata key","grpc_status":16}"

Yes, I do believe this is an authentication issue but I am unsure if I am supplying this incorrectly or how to verify the ca.crt? I appreciate any help and guidance.
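
One way to check the ca.crt on its own, separately from gRPC authentication (an added example, not part of the original thread and not minknow_api code): a standard-library TLS handshake against the port shown in the error message, trusting only the given CA file. The function name `check_tls_trust` and its verdict strings are hypothetical.

```python
import socket
import ssl

# Path and port are the ones quoted in this thread; adjust for other installs.
CA_PATH = "/Applications/MinKNOW.app/Contents/Resources/conf/rpc-certs/ca.crt"


def check_tls_trust(ca_path, host="localhost", port=8001, timeout=3.0):
    """Return (verdict, detail) for a TLS-only handshake with host:port.

    No gRPC call is made, so a result here says nothing about tokens or
    metadata; it only shows whether ca_path validates the server certificate.
    (Hypothetical helper, not part of minknow_api.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.set_alpn_protocols(["h2"])  # gRPC is carried over HTTP/2
    try:
        ctx.load_verify_locations(cafile=ca_path)  # trust only this CA file
    except FileNotFoundError as exc:
        return "ca_file_missing", str(exc)
    except ssl.SSLError as exc:
        return "ca_file_invalid", str(exc)  # file exists but holds no usable cert
    except OSError as exc:
        return "ca_file_unreadable", str(exc)

    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return "tls_ok", f"{tls.version()} subject={subject}"
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate or hostname mismatch.
        return "cert_not_trusted", exc.verify_message
    except ssl.SSLError as exc:
        return "tls_handshake_failed", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)  # refused, timed out, DNS failure


if __name__ == "__main__":
    print(check_tls_trust(CA_PATH))
```

A `tls_ok` verdict alongside a gRPC `UNAUTHENTICATED` status points at the authentication layer rather than the certificate.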

@0x55555555
Contributor

To verify if local connections work, you can try setting MINKNOW_API_USE_LOCAL_TOKEN to force a local token connection:

MINKNOW_API_USE_LOCAL_TOKEN will cause minknow to use the token written to disk and avoid any other authentication systems.

We have specific changes to MinKNOW 5.0 to ship the API with its own copy of the certificate to make your certificate issues easier.

Let us know if that works - we can try to assist further.

@zchatt
Author

zchatt commented Feb 8, 2022

Thank you George. I am unsure of how MINKNOW_API_USE_LOCAL_TOKEN is passed as I could not find any instance of this in the minknow_api, e.g. `grep -r 'MINKNOW_API_USE_LOCAL_TOKEN' minknow_api/`

I was able to get start_protocol.py working by setting "--no-tls True". Whilst this doesn't solve the issue, it's a workable solution for the short-term. Do you know when MinKNOW 5.0 will be released?

@0x55555555
Contributor

I don't know exactly when it will be released, but I would imagine a month or so.
