
Ignore certificate validation for index_url

Open hgjsj opened this issue 2 years ago • 6 comments

Stackstorm v3.8.0 running on RHEL 7.9

The Stackstorm instance is running behind a firewall; there is no access to the internet, and there is no proxy server for the instance either.

stackstorm can't access the index.json file located at "https://exchange.stackstorm.org/v1/index.json". Due to this, the st2 web UI never shows pack information after the "Packs" button is clicked; it is always blank.

Thus I downloaded the index.json file from GitHub, put it on our internal web server (nginx) where the stackstorm instance can access it, and re-configured the st2.conf file to point index_url at our web server, which is accessed via https:

[content] index_url=https://pln-n1-eso4sap4.env01.mcloud.entsvcs.net:8080/st2/index.json

Because a self-signed certificate is used by the web server, the stackstorm instance can't pass validation when it accesses the web server, and I found this error message in st2api.log:

2023-05-19 02:35:49,788 140355129762016 ERROR packs [-] Index parsing error: { "url": "https://pln-n1-eso4sap1.env01.mcloud.entsvcs.net:8080/st2/index.json", "packs": 0, "message": "SSLError(MaxRetryError("HTTPSConnectionPool(host='pln-n1-eso4sap1.env01.mcloud.entsvcs.net', port=8080): Max retries exceeded with url: /st2/index.json (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))",),)", "error": "unresponsive" }
2023-05-19 02:35:49,788 140355129762016 ERROR router [-] Failed to call controller function "get_all" for operation "st2api.controllers.v1.packs:packs_controller.index.get_all": No results from the index: tried https://pln-n1-eso4sap1.env01.mcloud.entsvcs.net:8080/st2/index.json. Status: [ { "url": "https://pln-n1-eso4sap1.env01.mcloud.entsvcs.net:8080/st2/index.json", "packs": 0, "message": "SSLError(MaxRetryError("HTTPSConnectionPool(host='pln-n1-eso4sap1.env01.mcloud.entsvcs.net', port=8080): Max retries exceeded with url: /st2/index.json (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))",),)", "error": "unresponsive" } ]

Are there any settings to ignore certificate verification, or any workaround?

hgjsj avatar May 19 '23 09:05 hgjsj

Anybody help on this?

hgjsj avatar May 22 '23 04:05 hgjsj

You can try to identify what Python is using as a certificate store and mark your self-signed certificate as trusted. The direction of thinking I'd try: https://stackoverflow.com/questions/42982143/python-requests-how-to-use-system-ca-certificates-debian-ubuntu

arm4b avatar Jun 08 '23 20:06 arm4b
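The approach arm4b suggests above, worked as an added example (not StackStorm's own code): instead of a skip-verification switch, the internal CA (or the self-signed server certificate itself) is exported to a PEM file and handed to the TLS layer, so the index fetch stays verified. Assumptions: the [content] index_url option is read as a comma-separated list, python-requests (which st2api uses) consults REQUESTS_CA_BUNDLE and then CURL_CA_BUNDLE before its bundled certifi store, and index.json carries a top-level "packs" mapping; the st2.conf fragment is constructed from the URL in the issue.

```python
import configparser
import json
import os
import ssl
import urllib.request
from typing import List, Optional

# Constructed st2.conf fragment using the index_url from the issue.
SAMPLE_ST2_CONF = "[content]\nindex_url=https://pln-n1-eso4sap4.env01.mcloud.entsvcs.net:8080/st2/index.json\n"


def read_index_urls(conf_text: str) -> List[str]:
    """Return the [content] index_url entries from st2.conf text
    (treated as a comma-separated list, an assumption)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    raw = cp.get("content", "index_url", fallback="")
    return [u.strip() for u in raw.split(",") if u.strip()]


def resolve_ca_bundle(env=None) -> Optional[str]:
    """Mirror the lookup order python-requests uses for its trust store:
    REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, else the bundled certifi
    store (returned as None, meaning 'use the default bundle')."""
    env = os.environ if env is None else env
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    return None


def make_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    """Verifying TLS context: only the trusted CA file changes; hostname
    checking and CERT_REQUIRED stay on."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def count_packs(index_text: str) -> int:
    """Number of packs listed in index.json (top-level 'packs' mapping)."""
    return len(json.loads(index_text).get("packs", {}))


def fetch_index(index_url: str, ca_bundle: Optional[str] = None) -> int:
    """Fetch index.json with verification on and return the pack count.
    CERTIFICATE_VERIFY_FAILED here means the CA file does not cover the
    server's chain: fix the bundle rather than disabling verification."""
    ctx = make_context(ca_bundle or resolve_ca_bundle())
    with urllib.request.urlopen(index_url, context=ctx, timeout=10) as resp:
        return count_packs(resp.read().decode("utf-8"))
```

Running `fetch_index(read_index_urls(SAMPLE_ST2_CONF)[0], "/path/to/internal-ca.pem")` on the st2api host checks, with the same trust store mechanism requests honours, whether the exported CA file is enough for the index download to succeed.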

@armab Thank you for the reply. I will try this.

In the meantime, would you consider an enhancement making "skip_verification" configurable in the st2.conf file in a future release? You know, lots of instances running in datacenters are inaccessible to the internet and use self-signed certificates for internal services' authentication and communication over https/ssl. It is a common case for many applications to make cert verification configurable or not.

hgjsj avatar Jun 09 '23 02:06 hgjsj

I ended up setting the index url in the st2 config to a nonexistent url. This caused st2 to skip the index altogether. Pack installs are much faster now.

guzzijones avatar Jul 13 '23 02:07 guzzijones

Is there no setting for a certificate in the config?

guzzijones avatar Jul 23 '23 03:07 guzzijones

@guzzijones I didn't find any configuration for certificate validation in the st2 config file. Please advise if it is configurable.


hgjsj avatar Jul 23 '23 13:07 hgjsj