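Author: 张华 (Zhang Hua)  Published: 2020-07-07
Copyright notice: this article may be freely reposted, provided the repost links back to the original source and includes the author information and this copyright notice.
Problem
While testing rbac, the following call from rbac to candid failed with CERTIFICATE_VERIFY_FAILED. After reading the rbac code, I confirmed that the error is raised when rbac calls https://node1.lan:8081/discharge/info.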
maas (maas configauth --rbac-url https://node1.lan:5000/ --rbac-service-name maastest) -> rbac with https (https://node1.lan:5000/) -> candid with https (https://node1.lan:8081/discharge/info) -> ldap with https
Strangely, I had already run this command ( cp ~/certs/ca.crt /usr/share/ca-certificates/extras/ldap.crt && dpkg-reconfigure ca-certificates ), so this should not have happened.
sudo update-ca-certificates --fresh
$ export SSL_CERT_DIR=/etc/ssl/certs
curl test
All three of the following commands run without problems:
curl https://node1.lan:8081/discharge/info
curl https://node1.lan:8081/discharge/info -k
curl https://node1.lan:8081/discharge/info --cacert ~/certs/ca.crt
Python test - urllib2.request
The following Python test also works without problems:
sudo bash -c 'cat > test.py' << EOF
#!/usr/bin/env python
import sys
import ssl
try:
    import urllib2 #python2
except ImportError:
    import urllib.request as urllib2 #python3
req = urllib2.Request(sys.argv[1], headers={'Bakery-Protocol-Version':'3'})
print(urllib2.urlopen(req).read())
EOF
mkdir /usr/share/ca-certificates/extras
cp ~/certs//ca.crt /usr/share/ca-certificates/extras/ldap.crt && dpkg-reconfigure ca-certificates
python test.py https://node1.lan:8081/discharge/info
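Python test - requests
Odd. I had no choice but to keep debugging the code, and found that rbac uses pymacaroons (https://github.com/ecordell/pymacaroons), which in turn calls requests (not urllib2.request).
So I wrote another Python test, and it reproduced the problem: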
bash -c 'cat > test2.py' << EOF
#!/usr/bin/env python
import sys
import requests
url = sys.argv[1]
# requests.get() performs the TLS handshake, so the SSLError is raised here
print(requests.get(url).text)
EOF
$ python test2.py https://node1.lan:8081/discharge/info
...
requests.exceptions.SSLError: HTTPSConnectionPool(host='node1.lan', port=8081): Max retries exceeded with url: /discharge/info (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificat
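urllib and requests can take their trust anchors from different places: urllib uses the OpenSSL default paths that update-ca-certificates maintains, while requests uses the certifi bundle unless REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE is set. The following check is an added example, not code from the original post or from rbac; the function names are hypothetical. It reports which of those stores actually contains a given private CA.

```python
import base64
import os
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Return the DER bytes of every certificate block found in a PEM string."""
    return {base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)}

def ca_in_bundle(ca_path, bundle_path):
    """True if every cert in ca_path also appears in bundle_path (PEM file or cert dir)."""
    with open(ca_path) as f:
        wanted = pem_certs(f.read())
    files = [bundle_path]
    if os.path.isdir(bundle_path):
        files = [os.path.join(bundle_path, n) for n in os.listdir(bundle_path)]
    found = set()
    for name in files:
        try:
            with open(name, errors="replace") as f:
                found |= pem_certs(f.read())
        except OSError:
            continue  # subdirectory, dangling symlink or unreadable entry
    return bool(wanted) and wanted <= found

def trust_sources():
    """Map each client library to the CA file or directory it verifies against by default."""
    paths = ssl.get_default_verify_paths()  # honours SSL_CERT_FILE / SSL_CERT_DIR
    src = {"ssl/urllib cafile": paths.cafile, "ssl/urllib capath": paths.capath}
    env = os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("CURL_CA_BUNDLE")
    try:
        import certifi
        src["requests"] = env or certifi.where()
    except ImportError:
        src["requests"] = env  # certifi not installed; only the env override is known
    return {k: v for k, v in src.items() if v}

def report(ca_path):
    """For each trust source, say whether it contains the CA in ca_path."""
    return {name: ca_in_bundle(ca_path, path) for name, path in trust_sources().items()}

if __name__ == "__main__":
    import sys
    for name, ok in report(sys.argv[1]).items():
        print(f"{name}: {'contains CA' if ok else 'CA MISSING'}")
```

Run it with the path to the private CA (here ~/certs/ca.crt) using the same interpreter and environment as the failing service, since a virtualenv or snap can carry its own certifi bundle.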