Docker Windows | x509: certificate is not valid for any names - docker

I am pushing OTEL traces to Splunk and facing the error below:
{"kind": "exporter", "name": "splunk_hec", "error": "Post \"https://prd-p-fyu1e.splunkcloud.com:8088/services/collector\": x509: certificate signed by unknown authority, but wanted to match prd-p-fyu1e.splunkcloud.com", "interval": "29.295443106s"}
I am using Windows Docker Desktop. Any pointers on what is missing?
Snippet of OTEL Collector exporters:
exporters:
  splunk_hec:
    token: "11d4f458-XXXXX-42cd"
    endpoint: "https://prd-p-fyu1e.splunkcloud.com:8088/services/collector"

I guess you are using splunkhecexporter, so disable cert verification:
insecure_skip_verify: true
Apparently, Splunk Cloud doesn't use a correct TLS cert from a well-known CA in this case.

Related

CA Certs used by GRPC

When I execute the google-ads Python sample code I get the following error:
DEBUG:google.auth.transport.requests:Making request: POST https://accounts.google.com/o/oauth2/token
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): accounts.google.com:443
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /o/oauth2/token HTTP/1.1" 200 None
E0421 09:57:53.365121806 21019 ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
INFO:google.ads.googleads.client:Request
-------
Method: /google.ads.googleads.v6.services.GoogleAdsService/SearchStream
Host: googleads.googleapis.com
Headers: {
"developer-token": "REDACTED",
"x-goog-api-client": "gl-python/3.8.6 grpc/1.37.0 gax/1.26.3",
"x-goog-request-params": "customer_id="
}
Request: query: "\n SELECT\n campaign.id,\n campaign.name\n FROM campaign\n ORDER BY campaign.id"
Response
-------
Headers: {}
Fault: {
"created": "#1619013473.365323139",
"description": "Failed to pick subchannel",
"file": "src/core/ext/filters/client_channel/client_channel.cc",
"file_line": 5419,
"referenced_errors": [
{
"created": "#1619013473.365317068",
"description": "failed to connect to all addresses",
"file": "src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc",
"file_line": 397,
"grpc_status": 14
}
]
}
I am behind a corporate network that uses its own certificate for every Internet connection.
Our servers trust the internal certificates. I replaced the CA certs in certifi with our CA certs and urllib3 connects fine to both accounts.google.com and googleads.googleapis.com.
curl to both URLs works fine as well.
From the error above it looks like urllib3 connected fine but gRPC had an issue. Given that curl works, the OS CA certs are fine, so where does gRPC pick up the CA certs from that I would need to add our corporate issuer certs to?
google-ads: 10.0.0 / python: 3.8.0 / RHEL7
If the corporate network has a proxy that swaps the credentials, CERTIFICATE_VERIFY_FAILED might occur. You may want to supply your company's root credentials via https://grpc.github.io/grpc/python/grpc.html#create-client-credentials. I'm not sure how to do it with google-auth; you may want to post your question there: https://github.com/googleapis/google-auth-library-python

Not able to replace AKS server APP ID Key for RBAC

I need to replace the AKS server AAD app secret key. I have tried an ARM template incremental deployment to achieve this, but it failed with the following error:
New-AzureRmResourceGroupDeployment : 2:00:42 PM - Error: Code=PropertyChangeNotAllowed; Message=Provisioning of resource(s) for container service
test-aks-emea in resource group test-emea-kubernetes failed. Message: {
"code": "PropertyChangeNotAllowed",
"message": "Changing property 'aadProfile.serverAppSecret' is not allowed.",
"target": "aadProfile.serverAppSecret"
}.
Is there any other way we can replace the secret key without redeploying the cluster?
I have found a way to reset the AAD profile with a new secret key using the REST API POST method:
https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/resetaadprofile

Secure Gateway Client fails to recognize gatewayid or sectoken on docker run, error 401

When trying to run the Docker container with gatewayid and sectoken, it fails with the error "The Secure Gateway gateway ID was either not recognized or requires a security token to connect, error was: 401". And yet when I add them manually via the CLI, it's successful.
I suspect it's because my security token has '--' in it. I tried '', "", and escaping characters on the command line, but nothing worked. It fails on both Win10 and RHEL7.
Here's the console:
C:\Users\DebraJohnson>docker run -p 9023:9003 -it ibmcom/secure-gateway-client <gateway_id> --t <sectoken>
IBM Bluemix Secure Gateway Client Version 1.8.0fp4
....
<press enter for the command line>
[2018-04-16 09:12:17.993] [INFO] (Client ID 1) No password provided. The UI will not require a password for access
[2018-04-16 09:12:18.008] [WARN] (Client ID 1) UI Server started. The UI is not currently password protected
[2018-04-16 09:12:18.009] [INFO] (Client ID 1) Visit localhost:9003/dashboard to view the UI.
cli> [2018-04-16 09:12:18.327] [INFO] (Client ID 13) Setting log level to INFO
[2018-04-16 09:12:18.665] [ERROR] (Client ID 13) The Secure Gateway gateway ID was either not recognized or requires a security token to connect, error was: 401
cli> [2018-04-16 09:12:18.671] [INFO] (Client ID 13) Process exiting without errors due to user or server request
cli> sectoken <sectoken>
cli> connect <gateway_id>
cli> [2018-04-16 09:12:43.095] [INFO] (Client ID 27) Setting log level to INFO
[2018-04-16 09:12:43.774] [INFO] (Client ID 27) The Secure Gateway tunnel is connected
[2018-04-16 09:12:43.868] [INFO] (Client ID xxxxxxxxxxx_Hsu) Your Client ID is xxxxxxxxxxx_Hsu
xxxxxxxxxxx_Hsu>
Thanks
Having a -- as part of the security token could be the reason why you got the 403 error. Can you please try regenerating the security token and connecting the gateway again.
If you still have issues please open a support ticket (https://console.bluemix.net/docs/get-support/howtogetsupport.html#getting-customer-support) where you can provide the gateway ID for us to look further into this.

IBM Mobile First - Http request failed: javax.net.ssl.SSLHandshakeException

I am trying to consume an OData service using the SAP NetWeaver Gateway adapter, but I am facing the issue below:
Runtime: Http request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Here is my worklight.properties
########## MobileFirst SSL keystore
#############################################
#SSL certificate keystore location.
ssl.keystore.path=conf/default.keystore
#SSL certificate keystore type (jks or PKCS12)
ssl.keystore.type=jks
#SSL certificate keystore password.
ssl.keystore.password=<keystorepassword>
Here is my adapter.xml
<connectivity>
  <connectionPolicy xsi:type="nwgateway:NWGatewayHTTPConnectionPolicyType">
    <protocol>https</protocol>
    <domain>mydomain</domain>
    <port>myport</port>
    <connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
    <socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
    <serviceRootUrl>/sap/opu/odata/SAP/ZBIN_POC_SRV/</serviceRootUrl>
    <authentication>
      <basic/>
      <serverIdentity>
        <client>001</client>
        <username>username</username>
        <password>password</password>
      </serverIdentity>
    </authentication>
    <!-- Following properties used by adapter's key manager for choosing specific certificate from key store -->
    <sslCertificateAlias></sslCertificateAlias>
    <sslCertificatePassword></sslCertificatePassword>
    <maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
  </connectionPolicy>
</connectivity>
<procedure name="retrieveTravelAgency"/>
And also I imported default.keystore here, PFA
Here is the link I am following.
Can anyone help me out on this, Thanks in advance.

MQTT:SSL routines:SSL3_GET_RECORD:wrong version number

I am trying to use SSL with MQTT and get the following error:
1379677998: Client connection from 127.0.0.1 failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
1379678058: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1379678058: Socket read error on client (null), disconnecting.
My conf file has settings as below:
port 8883
# also tried all-ca.crt here
cafile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/test-root-ca.crt
certfile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/server.crt
keyfile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/server.key
tls_version tlsv1
# tried commenting this out too
require_certificate true
And I run 08-ssl-connect-cert-auth.test from the test folder. Code snippet included below:
mosquitto_tls_opts_set(mosq, 1, "tlsv1", NULL);
mosquitto_tls_set(mosq, "../ssl/test-root-ca.crt", "../ssl/certs", "../ssl/client.crt", "../ssl/client.key", NULL);
mosquitto_connect_callback_set(mosq, on_connect);
mosquitto_disconnect_callback_set(mosq, on_disconnect);
rc = mosquitto_connect(mosq, "localhost", 8883, 60);
Environment info:
Python 2.7.3
OpenSSL 1.0.1 14 Mar 2012
Description: Ubuntu 12.04.2 LTS
Release: 12.0
mosquitto-1.2.1/mosquitto-1.2
Please let me know what could be going wrong here. I also tried generating certificates using gen.sh.
Thanks in advance.
-Dilip
On a general note: you should be generating your own certificates; don't use the ones provided by mosquitto for testing, or use the gen.sh script without modifying it for your own details.
To use the certificates provided, you should be using all-ca.crt in the broker. It contains the example root CA and intermediary CA certificates. The client only requires the root CA for verification purposes.
You are using a full path to the certificates in the broker configuration, but relative paths in the client. Are you sure that they are both correct?
Have you tried running the tests unmodified with make test? This would tell you if there is a problem with your openssl installation for example.
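An added example, not code from either thread, the OpenTelemetry Collector or mosquitto: the verification outcomes behind the splunk_hec "x509: certificate signed by unknown authority" error at the top of this page and the all-ca.crt point in the mosquitto answer above, reproduced in Go (the collector's language) against a root -> issuing CA -> server chain minted in memory. tls.Config.RootCAs stands in for the exporter's tls.ca_file and InsecureSkipVerify for insecure_skip_verify; the hostname hec.example.test, the CA names and the scenario labels are assumptions for the demo. Only a loopback listener is used, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error: this demo mints throwaway certificates in memory, nothing to recover.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a CA (ca=true) or server (ca=false) certificate for cn, signed by parent/parentKey, or self-signed when parent is nil.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // the SAN the client's ServerName is matched against
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// handshake serves one TLS connection on loopback with the given chain and returns the client's handshake error, which is where verification is enforced.
func handshake(chain tls.Certificate, client *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			// The server's own error (the client's "bad certificate" alert) is not what we report.
			_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{chain}}).Handshake()
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client) // Dial runs the full handshake
	if err != nil {
		return err
	}
	return conn.Close()
}

// verdict classifies the client-side error the way the collector's log line does.
func verdict(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	if err == nil {
		return "ok"
	} else if errors.As(err, &unknownCA) {
		return "unknown authority"
	} else if errors.As(err, &badName) {
		return "hostname mismatch"
	}
	return "other: " + err.Error()
}

// scenarios mints root -> issuing CA -> server and exercises the client settings that map onto the exporter's tls options (nil RootCAs = system store = no ca_file).
func scenarios() map[string]string {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, root, rootKey)
	const host = "hec.example.test" // assumed name standing in for the HEC endpoint
	leaf, leafKey := issue(host, false, inter, interKey)
	roots := x509.NewCertPool() // what tls.ca_file would load: the root only
	roots.AddCert(root)
	full := tls.Certificate{Certificate: [][]byte{leaf.Raw, inter.Raw}, PrivateKey: leafKey}
	leafOnly := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}
	out := map[string]string{}
	run := func(name string, server tls.Certificate, client *tls.Config) {
		out[name] = verdict(handshake(server, client))
	}
	run("no ca_file (system roots), private CA", full, &tls.Config{ServerName: host})
	run("ca_file=root, server sends intermediate", full, &tls.Config{ServerName: host, RootCAs: roots})
	run("ca_file=root, server omits intermediate", leafOnly, &tls.Config{ServerName: host, RootCAs: roots})
	run("ca_file=root, name not in SAN", full, &tls.Config{ServerName: "other.example.test", RootCAs: roots})
	run("insecure_skip_verify, leaf only, wrong name", leafOnly, &tls.Config{ServerName: "other.example.test", InsecureSkipVerify: true})
	return out
}

func main() {
	for name, v := range scenarios() {
		fmt.Printf("%-44s -> %s\n", name, v)
	}
}
```

The last scenario is why insecure_skip_verify: true is a workaround rather than a fix: with it, a leaf-only chain under the wrong name is accepted, which is exactly what an intercepting proxy or an attacker would present. Pointing ca_file at the issuing root (or at the corporate proxy's root, the situation in the gRPC thread above) keeps verification on and succeeds as long as the server sends its intermediate; when the server sends only the leaf, a client holding just the root cannot build the chain and reports the same "unknown authority", which is the point of configuring the broker with all-ca.crt in the mosquitto answer. For the gRPC thread specifically, gRPC's C core (what the Python package uses) takes its roots from its own bundled file, or from the file named by the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, not from certifi or the OS store, which is consistent with curl and urllib3 working while gRPC fails.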
