Cannot download apps from splunkbase behind a TLS-inspecting corporate web proxy

[Res260]

trafficstars

Title says it all. Here is an example error:

2024-10-24 12:58:01 "/usr/lib/python3.9/site-packages/requests/adapters.py", line 489, in send
2024-10-24 12:58:01 resp = conn.urlopen(   File "/usr/lib/python3.9/site-
2024-10-24 12:58:01 packages/urllib3/connectionpool.py", line 802, in urlopen     retries =
2024-10-24 12:58:01 retries.increment(   File "/usr/lib/python3.9/site-
2024-10-24 12:58:01 packages/urllib3/util/retry.py", line 594, in increment     raise
2024-10-24 12:58:01 MaxRetryError(_pool, url, error or ResponseError(cause))
2024-10-24 12:58:01 urllib3.exceptions.MaxRetryError:
2024-10-24 12:58:01 HTTPSConnectionPool(host='splunkbase.splunk.com', port=443): Max retries
2024-10-24 12:58:01 exceeded with url: /api/account:login/ (Caused by
2024-10-24 12:58:01 SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
2024-10-24 12:58:01 certificate verify failed: unable to get local issuer certificate
2024-10-24 12:58:01 (_ssl.c:1133)')))  During handling of the above exception, another exception
2024-10-24 12:58:01 occurred:  Traceback (most recent call last):   File
2024-10-24 12:58:01 "/opt/ansible/inventory/environ.py", line 891, in <module>     main()   File
2024-10-24 12:58:01 "/opt/ansible/inventory/environ.py", line 877, in main
2024-10-24 12:58:01 getSplunkInventory(inventory)   File "/opt/ansible/inventory/environ.py", line
2024-10-24 12:58:01 95, in getSplunkInventory     inventory["all"]["vars"] = getDefaultVars()
2024-10-24 12:58:01 File "/opt/ansible/inventory/environ.py", line 146, in getDefaultVars
2024-10-24 12:58:01 getSplunkbaseToken(defaultVars)   File "/opt/ansible/inventory/environ.py",
2024-10-24 12:58:01 line 350, in getSplunkbaseToken     resp =
2024-10-24 12:58:01 requests.post("https://splunkbase.splunk.com/api/account:login/",   File
2024-10-24 12:58:01 "/usr/lib/python3.9/site-packages/requests/api.py", line 115, in post
2024-10-24 12:58:01 return request("post", url, data=data, json=json, **kwargs)   File
2024-10-24 12:58:01 "/usr/lib/python3.9/site-packages/requests/api.py", line 59, in request
2024-10-24 12:58:01 return session.request(method=method, url=url, **kwargs)   File
2024-10-24 12:58:01 "/usr/lib/python3.9/site-packages/requests/sessions.py", line 587, in request
2024-10-24 12:58:01 resp = self.send(prep, **send_kwargs)   File "/usr/lib/python3.9/site-
2024-10-24 12:58:01 packages/requests/sessions.py", line 701, in send     r = adapter.send(request,
2024-10-24 12:58:01 **kwargs)   File "/usr/lib/python3.9/site-packages/requests/adapters.py", line
2024-10-24 12:58:01 563, in send     raise SSLError(e, request=request)
2024-10-24 12:58:01 requests.exceptions.SSLError: HTTPSConnectionPool(host='splunkbase.splunk.com',
2024-10-24 12:58:01 port=443): Max retries exceeded with url: /api/account:login/ (Caused by
2024-10-24 12:58:01 SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
2024-10-24 12:58:01 certificate verify failed: unable to get local issuer certificate
2024-10-24 12:58:01 (_ssl.c:1133)')))
2024-10-24 12:58:01 [WARNING]:  * Failed to parse /opt/ansible/inventory/environ.py with ini
2024-10-24 12:58:01 plugin: /opt/ansible/inventory/environ.py:16: Expected key=value host variable
2024-10-24 12:58:01 assignment, got: __future__
2024-10-24 12:58:01 [WARNING]: Unable to parse /opt/ansible/inventory/environ.py as an inventory
2024-10-24 12:58:01 source
2024-10-24 12:58:01 ERROR! No inventory was parsed, please check your configuration and options.

Here, splunkbase.splunk.com cannot be accessed because the cert is not recognized (because of the TLS-inspecting corporate proxy).

I read the documentation, and there seems to exist no way of disabling TLS/SSL verification with an environment variable.

In some organizations, removing TLS inspections on a domain is hard and I think docker-splunk should provide an option to either provide an intermediate CA or disable TLS verification altogether.

[yaroslav-nakonechnikov]

related: https://github.com/splunk/docker-splunk/issues/604

as a workaround you can use pre-start playbook to inject CA.

[Res260]

@yaroslav-nakonechnikov do you have a working command/code to show a working example? Thanks!