Redfish-Event-Listener

HTTPS receiving throwing error

Open chandramohan83 opened this issue 8 months ago • 5 comments

Hi DMTF,

I am getting the error below when the destination is configured with https://:port

The subscription is successful, but when I send the event from the BMC it fails.

Please provide info on where I can disable the HTTPS handshake while still being able to receive the HTTPS message.

    Attempt 1 of /redfish/v1/
    Response Time for GET to /redfish/v1/: 0.03368935314938426 seconds.
    Attempt 1 of /redfish/v1/EventService
    Response Time for GET to /redfish/v1/EventService: 0.06416380102746189 seconds.
    Attempt 1 of /redfish/v1/EventService/Subscriptions
    Response Time for POST to /redfish/v1/EventService/Subscriptions: 0.07108544814400375 seconds.
    Subscription is successful for https://127.0.0.1:2443, /redfish/v1/EventService/Subscriptions/3072935522
    Continuing with Listener.
    Listening on 10.41.25.182:1234 via HTTPS
    Press Ctrl-C to close program
    .............
    Socket connected::
    Exception in thread Thread-1:
    Traceback (most recent call last):
      File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
        self.run()
      File "/usr/lib/python3.8/threading.py", line 870, in run
        self._target(*self._args, **self._kwargs)
      File "RedfishEventListener_v1.py", line 52, in process_data
        connstreamout = context.wrap_socket(newsocketconn, server_side=True)
      File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
        return self.sslsocket_class._create(
      File "/usr/lib/python3.8/ssl.py", line 1040, in _create
        self.do_handshake()
      File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1131)

chandramohan83, Oct 11 '23 12:10

This exception happens when the remote web server attempts to push an event, but the Redfish service hangs up the connection during TLS handshaking because it doesn't trust the event listener's certificate. There are a couple of options here:

  1. Set up the event listener with a certificate that the Redfish service trusts.
  2. Install the event listener's certificate on the Redfish service as a trusted certificate.
  3. Disable certificate checking in the event service for the Redfish service.
  4. Switch from HTTPS to HTTP.

mraineri, Oct 11 '23 13:10

Hi Mike Raineri, is there a way to disable handshake/certificate verification in the EventListener?

chandramohan83, Oct 12 '23 09:10

It's not possible to disable TLS handshaking; that would break HTTPS.

Disabling of verification would need to be done on the Redfish service; the event listener is providing the certificate to the Redfish service, but the Redfish service is rejecting it and closing the connection. The event listener is not performing any verification.

mraineri, Oct 12 '23 13:10
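The point made above (the listener presents a certificate, the Redfish service is the side that verifies and hangs up) can be reproduced in one process. This is an added example, not code from the Redfish-Event-Listener project: a fresh self-signed listener certificate is generated through the openssl CLI (the CN "RedfishEvent" comes from the thread; the 127.0.0.1 SAN, key size and validity are assumed), a TLS server stands in for the listener and a verifying TLS client stands in for the Redfish service. The first run reproduces the thread's TLSV1_ALERT_UNKNOWN_CA on the listener side; the second applies option 2 by installing the listener's certificate as trusted on the service side.

```python
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

def make_listener_cert(workdir, days=365):
    """Fresh self-signed listener cert via the openssl CLI (CN/SAN/validity are assumed values)."""
    cert, key = Path(workdir, "cert.pem"), Path(workdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", str(days),
                    "-keyout", str(key), "-out", str(cert), "-subj", "/CN=RedfishEvent",
                    "-addext", "subjectAltName=IP:127.0.0.1"], check=True, capture_output=True)
    return cert, key

def push_event(cert, key, trust_listener):
    """Listener = TLS server; simulated Redfish service = TLS client, the side that verifies."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(str(cert), str(key))
    result = {"server_error": None, "client_error": None}
    lsock = socket.create_server(("127.0.0.1", 0))
    lsock.settimeout(5)

    def listener():
        conn, _ = lsock.accept()
        try:  # the same call that raises in the traceback posted above
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1024)
        except ssl.SSLError as e:
            result["server_error"] = e.reason  # TLSV1_ALERT_UNKNOWN_CA when the service rejects us
        finally:
            conn.close()

    t = threading.Thread(target=listener)
    t.start()
    cli_ctx = ssl.create_default_context()  # the service verifies against its own trust store
    if trust_listener:
        cli_ctx.load_verify_locations(str(cert))  # option 2: install the listener cert as trusted
    try:
        with socket.create_connection(lsock.getsockname()) as s, \
                cli_ctx.wrap_socket(s, server_hostname="127.0.0.1") as tls:
            tls.sendall(b"POST /event HTTP/1.1\r\nHost: listener\r\n\r\n")
    except ssl.SSLError as e:
        result["client_error"] = e.reason  # CERTIFICATE_VERIFY_FAILED when untrusted
    t.join()
    lsock.close()
    return result

def demo():
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_listener_cert(d)
        return {"untrusted": push_event(cert, key, False), "trusted": push_event(cert, key, True)}
```

Nothing in the listener changes between the two runs; only the service's trust store does, which is why the verification knob has to live on the Redfish service side.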

Looks like the certificate from the event listener has expired.

    root@abcd:/etc/ssl/certs openssl s_client -connect 10.41.25.182:1234
    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=0 CN = RedfishEvent
    verify error:num=18:self-signed certificate
    verify return:1
    depth=0 CN = RedfishEvent
    verify error:num=10:certificate has expired
    notAfter=May 24 12:39:02 2022 GMT
    verify return:1
    depth=0 CN = RedfishEvent
    notAfter=May 24 12:39:02 2022 GMT
    verify return:1

    Certificate chain
     0 s:CN = RedfishEvent
       i:CN = RedfishEvent
       a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
       v:NotBefore: May 24 12:39:02 2017 GMT; NotAfter: May 24 12:39:02 2022 GMT

    Server certificate
    subject=CN = RedfishEvent
    issuer=CN = RedfishEvent

    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits

    SSL handshake has read 2100 bytes and written 377 bytes
    Verification error: certificate has expired

    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 10 (certificate has expired)

chandramohan83, Oct 13 '23 17:10

If you make a new self-signed cert, will the service accept it then?

mraineri, Oct 13 '23 19:10