
Using "--no-verify" still getting "CERTIFICATE_VERIFY_FAILED" error

Open gheibia opened this issue 6 years ago • 7 comments

  • Using Version 7.0.2 of CLI on Mac (pip3 show sfctl)
  • Cluster version: 6.4.622.9590 hosted on Azure

Using a self signed client cert, the following command fails with:

Error occurred in request., SSLError: HTTPSConnectionPool(host='****.westus2.cloudapp.azure.com', port=19080): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1045)')))

Command:

sfctl cluster select --endpoint https://****.westus2.cloudapp.azure.com:19080 --key /Users/me/Downloads/sfc.key --cert /Users/me/Downloads/sfc.crt --no-verify 

I was under the impression that --no-verify will skip the certificate verification step.

gheibia avatar Jan 09 '19 01:01 gheibia
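To make the three outcomes in this report concrete, here is an added, stand-alone example (not sfctl's code and not from this project). It is written in Go rather than sfctl's Python only because Go's standard library can mint the throwaway self-signed certificates offline; the names `sf-cluster-test` and `sf-admin-client-test` are constructed. A loopback "cluster" presents a self-signed cert and, like a real cluster with an admin client cert registered, only admits a pinned client cert. Four client configurations then connect: trusting the system roots (what happens when `--no-verify` is ignored: the same unknown-issuer failure as the error above), `InsecureSkipVerify` (what `--no-verify` is meant to do), pinning the self-signed cluster cert as the only trusted root (the safer alternative, equivalent to the `--ca` style of trust rather than disabling verification), and a client without the registered cert, which the server rejects. Note that the reported error is the client refusing the *server's* certificate, a different step from the cluster checking the client cert.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSigned builds a throwaway self-signed certificate for 127.0.0.1 (constructed test
// material) standing in for the self-signed cluster cert (ServerAuth) or client cert (ClientAuth).
func newSelfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the address the client dials
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, leaf
}

// startServer plays the cluster endpoint: it presents serverCert, admits only the
// pinned clientLeaf as client certificate (mutual TLS) and then sends "ok".
func startServer(serverCert tls.Certificate, clientLeaf *x509.Certificate) net.Listener {
	clientPool := x509.NewCertPool()
	clientPool.AddCert(clientLeaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientPool,
	})
	must(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // fails when either side rejects a cert
				tc.Write([]byte("ok"))
			}
			c.Close()
		}
	}()
	return ln
}

// dial runs one handshake with cfg and waits for "ok", so a server-side rejection also surfaces.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = io.ReadFull(conn, make([]byte, 2))
	return err
}

// RunScenarios returns the outcome (nil = connected) of four client configurations.
func RunScenarios() map[string]error {
	serverCert, serverLeaf := newSelfSigned("sf-cluster-test", x509.ExtKeyUsageServerAuth)
	clientCert, clientLeaf := newSelfSigned("sf-admin-client-test", x509.ExtKeyUsageClientAuth)
	ln := startServer(serverCert, clientLeaf)
	defer ln.Close()
	pinned := x509.NewCertPool()
	pinned.AddCert(serverLeaf) // trust exactly this cluster cert and nothing else
	scenarios := map[string]*tls.Config{
		"system-roots":   {Certificates: []tls.Certificate{clientCert}},                          // --no-verify ignored: unknown issuer
		"no-verify":      {Certificates: []tls.Certificate{clientCert}, InsecureSkipVerify: true}, // what --no-verify is meant to do
		"pinned":         {Certificates: []tls.Certificate{clientCert}, RootCAs: pinned},          // safer: pin the cluster cert
		"no-client-cert": {RootCAs: pinned},                                                       // cluster rejects an unknown client
	}
	results := make(map[string]error, len(scenarios))
	for name, cfg := range scenarios {
		results[name] = dial(ln.Addr().String(), cfg)
	}
	return results
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-15s -> %v\n", name, err)
	}
}
```

Running it prints a non-nil error for `system-roots` (Go's wording is "certificate signed by unknown authority", OpenSSL's is "unable to get local issuer certificate") and for `no-client-cert`, and `<nil>` for `no-verify` and `pinned`. The `pinned` case is the one worth copying: it keeps hostname and chain verification switched on while trusting the cluster's self-signed cert explicitly, so a blanket `--no-verify` is never needed in the first place.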

@samedder @Christina-Kang

prasadker avatar Jan 10 '19 17:01 prasadker

To add a bit more information here:

The same cert works well with PowerShell (on Windows) and directly with OpenSSL (on both Mac and Windows):

Connect-ServiceFabricCluster -ConnectionEndpoint "****.westus2.cloudapp.azure.com:19000" -X509Credential -ServerCertThumbprint "**************************" -FindType FindByThumbprint -FindValue "***************************"

Connects successfully (the first thumbprint is the cluster's cert and the 2nd one is my client cert, which is added to the cluster as an admin and also has the "keyCertSig" bit set on it). Obviously, I had to add the cert to a local store.

$ openssl s_client -cert /Users/me/Downloads/sfc.pem  -connect ****.westus2.cloudapp.azure.com:19080

Successfully opens a session and I can send an HTTP request.

gheibia avatar Jan 10 '19 18:01 gheibia

I have also tried "sfctl" on a Windows machine, knowing there are concerns with the version of OpenSSL shipped with Mac. Same problem.

gheibia avatar Jan 10 '19 19:01 gheibia

@gheibia Thanks for reporting the issue!

Does sfctl cluster select also fail when using the pem file rather than the key and crt combo?

Verification should not be happening. Can you share the full error message from the command, with --debug, blocking out any sensitive information? You can also email me at [email protected] with the full error message instead. Thank you!

Christina-Kang avatar Jan 11 '19 23:01 Christina-Kang

@Christina-Kang yes, it fails with PEM files, as well. I'll email you the log directly.

gheibia avatar Jan 12 '19 18:01 gheibia

For anyone who lands here for an answer, as a workaround, one could call Service Fabric APIs directly through, say, curl:

See https://stackoverflow.com/questions/54089465/add-custom-header-to-all-responses-from-traefik-on-azures-service-fabric

gheibia avatar Jan 15 '19 18:01 gheibia

Any plans for this to be fixed? Issue still present in version 11.0.0

sayers avatar Oct 03 '23 09:10 sayers