Docker version timeout when publishing to internal CA'd certificate tableau server

Open 0101binary0101 opened this issue 4 years ago • 2 comments

What do I need to get LogShark to publish to a Tableau Server using an unknown CA certificate? I assume that it's timing out because of the unknown CA issuer?

I'm trying to use my Docker-built version of LogShark to publish to a Tableau 2018 server which has its certificate signed by a CA for the company. When I try to publish, it receives a timeout.

dbug: Tools.TableauServerRestApi.TableauServerRestApi[0]
      => 21092013320943-server-20210920-apache
      Initializing TableauServerRestApi for site `` on `https://xxxx.xxxxx.xxx/`
dbug: LogShark.Writers.WorkbookPublisher[0]
      => 21092013320943-server-20210920-apache
      WorkbookPublisher -> Init TS API had to retry its action. This is retry number 1. Exception was: Timeout occurred while sending the request

If I test the REST API via a curl command I see the message: Peer's Certificate issuer is not recognized. But if I add -k to turn off certificate checks on the curl command, I get a Tableau session.

Here's the curl REST API test output:

[root@random XXXX]# curl https://xxxx.xxxxx.xxx/api/3.2/auth/signin -X POST -d @signin-restapi.xml
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

[root@random XXXX]# curl https://xxxx.xxxxx.xxx/api/3.2/auth/signin -X POST -k -d @signin-restapi.xml
<?xml version='1.0' encoding='UTF-8'?><tsResponse xmlns="http://tableau.com/api" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tableau.com/api http://tableau.com/api/ts-api-3.2.xsd"><credentials token="xxxxxx"><site id="xxxx" contentUrl=""/><user id="xxxxx"/></credentials></tsResponse>

0101binary0101, Sep 20 '21 14:09

If it fails because of the certificate error, I would expect the error message to say so instead of timeout, but it's hard to tell for sure. Even if the timeout is caused by something else though (i.e. a blocked port), the certificate will be required sooner or later, as the default Docker image doesn't have it.

The process to add a certificate usually looks like this (add this line somewhere after the second FROM statement):

RUN curl --speed-time 1 --retry 5 --connect-timeout 1 https://certs.company.com/root-ca.crt > /usr/local/share/ca-certificates/root-ca.crt && update-ca-certificates

This command downloads a certificate file from the given URL, copies it into the directory where the update-ca-certificates command can find it, and then runs the command to add the new certificate to the storage.

Xantrul, Sep 27 '21 20:09
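
The trust decision discussed in the two comments above can be reproduced offline. The script below is an added example, not part of the original thread or of LogShark: it builds a throwaway root CA and server certificate (constructed names such as `tableau.example.internal` and the helper functions are assumptions), then shows that the chain is rejected against a bundle lacking the root and accepted once the root is appended, without turning verification off.

```shell
#!/bin/sh
# Constructed demo: a throwaway root CA and server certificate stand in for the
# company CA and the Tableau Server certificate. All names here are made up.

make_demo_pki() {   # $1 = empty working directory
    dir=$1
    # "Company" root CA (self-signed), playing the role of root-ca.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Internal Root CA" \
        -keyout "$dir/root-ca.key" -out "$dir/root-ca.crt" 2>/dev/null || return 1
    # Unrelated CA, playing the role of the image's default CA bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Public CA" \
        -keyout "$dir/public-ca.key" -out "$dir/default-bundle.crt" 2>/dev/null || return 1
    # Server certificate issued by the company root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=tableau.example.internal" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Succeeds only if the certificate ($2) chains to a CA in the bundle ($1).
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Append the root to a copy of the bundle; verification stays enabled.
add_root_to_bundle() {   # $1 = bundle, $2 = root cert, $3 = output bundle
    cat "$1" "$2" > "$3"
}

report() {   # $1 = bundle, $2 = certificate
    if chain_trusted "$1" "$2"; then echo trusted; else echo untrusted; fi
}

work=$(mktemp -d) && make_demo_pki "$work" || exit 1
echo "default bundle: $(report "$work/default-bundle.crt" "$work/server.crt")"
add_root_to_bundle "$work/default-bundle.crt" "$work/root-ca.crt" "$work/fixed.crt"
echo "bundle + root:  $(report "$work/fixed.crt" "$work/server.crt")"
rm -rf "$work"
```

Running the same `openssl verify` check inside the built image against the real server certificate confirms whether the root CA actually landed in the trust store before a publish is attempted.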

Just FYI I worked around the issue using a script tabcmd linux to publish my workbooks up to the server and added the --no-certcheck flag.

0101binary0101, Aug 31 '23 11:08