Opened at 2016-06-09T07:01:41Z
Last modified at 2016-07-03T18:27:46Z
#2791 new defect
Tahoe CLI / SSL certificate — at Initial Version
Reported by: | cedric | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | undecided |
Component: | code-frontend-cli | Version: | 1.11.0 |
Keywords: | | Cc: | |
Launchpad Bug: | | | |
Description
Hi,
I'm running a small grid with a few nodes. I use the Web API through HTTPS with self-signed certificates / an internal CA. I'm dealing with some trouble when I call the tahoe CLI (e.g. tahoe create-alias ...).
"tahoe create-alias test" returns an error:

```
Traceback (most recent call last):
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 162, in run
    rc = runner(sys.argv[1:], install_node_control=install_node_control)
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/runner.py", line 147, in runner
    rc = cli.dispatch[command](so)
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/cli.py", line 486, in create_alias
    rc = tahoe_add_alias.create_alias(options)
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/tahoe_add_alias.py", line 85, in create_alias
    resp = do_http("POST", url)
  File "/venv/local/lib/python2.7/site-packages/allmydata/scripts/common_http.py", line 70, in do_http
    c.endheaders()
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 796, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 273, in match_hostname
    % (hostname, dnsnames[0]))
CertificateError: hostname '127.0.0.1' doesn't match u'Myhostname'
```
The SSL certificate has CN=Myhostname and an alternative name IP.1=127.0.0.1. The CA certificate is available in /etc/ssl/certs/ and c_rehash has been run.
`openssl s_client -connect 127.0.0.1:3456 -CApath /etc/ssl/certs/` returns "Ok".
It seems that ssl.py only tries to verify CN == hostname; there is no verification of the alternative name.
The only way I've found to get the tahoe CLI working is to change node.url by replacing https://127.0.0.1:3456 with https://Myhostname:3456.
Have I missed something?
Thanks for your help and thanks for the great job on Tahoe-LAFS!
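The two hostname-matching rules at issue in this report, side by side, as an added worked example. This code is not part of the ticket or of Tahoe-LAFS: it re-implements, over a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns, the legacy rule the traceback reflects (only `DNS` subjectAltName entries, with a commonName fallback) and the RFC 6125-style rule used by newer `ssl` modules (Python 3.7 and later), which also honours `IP Address` entries. `TICKET_CERT` is a constructed dict modelled on the CN and IP SAN named above, and the function names `match_hostname_dns_only`, `match_hostname_with_ip_san` and `hostname_accepted` are chosen here.

```python
import ipaddress


class CertificateError(ValueError):
    """Raised when none of the certificate's identities covers the hostname."""


# Constructed certificate dict, in the shape getpeercert() returns, modelled on
# the certificate described in the ticket: CN=Myhostname plus a single
# 'IP Address' subjectAltName of 127.0.0.1. Not captured from a real node.
TICKET_CERT = {
    "subject": ((("commonName", "Myhostname"),),),
    "subjectAltName": (("IP Address", "127.0.0.1"),),
}


def _dnsname_match(dn, hostname):
    """Label-wise, case-insensitive match of one dNSName/CN value against a
    hostname. A wildcard is honoured only as the whole leftmost label."""
    labels = dn.lower().split(".")
    host_labels = hostname.lower().split(".")
    if not dn or len(labels) != len(host_labels):
        return False
    if labels[0] == "*":
        return len(labels) > 1 and labels[1:] == host_labels[1:]
    return labels == host_labels


def _common_names(cert):
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def match_hostname_dns_only(cert, hostname):
    """Legacy rule, the one the ticket's traceback reflects: only 'DNS' SAN
    entries are consulted, and the subject commonName is used when there are
    none. 'IP Address' entries are never looked at, so a node.url with a
    literal IP can only match if that IP is itself the CN."""
    dnsnames = [value for key, value in cert.get("subjectAltName", ())
                if key == "DNS"]
    if not dnsnames:
        dnsnames = _common_names(cert)
    for name in dnsnames:
        if _dnsname_match(name, hostname):
            return
    raise CertificateError("hostname %r doesn't match %r" % (hostname, dnsnames))


def match_hostname_with_ip_san(cert, hostname):
    """RFC 6125-style rule as found in newer ssl modules: an IP literal is
    compared against 'IP Address' SAN entries, a DNS name against 'DNS'
    entries, and the CN is consulted only when the certificate carries no
    SAN identities at all."""
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    identities = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "IP Address":
            if host_ip is not None and ipaddress.ip_address(value) == host_ip:
                return
            identities.append(value)
        elif key == "DNS":
            if host_ip is None and _dnsname_match(value, hostname):
                return
            identities.append(value)
    if not identities:
        # No SAN identities at all: fall back to the commonName, as the
        # legacy rule does. A CN is a DNS-style identity, so only a
        # non-IP hostname can match it.
        identities = _common_names(cert)
        if host_ip is None:
            for cn in identities:
                if _dnsname_match(cn, hostname):
                    return
    raise CertificateError("hostname %r doesn't match %r" % (hostname, identities))


def hostname_accepted(matcher, cert, hostname):
    """True if `matcher` accepts `cert` for `hostname`, False if it raises."""
    try:
        matcher(cert, hostname)
    except CertificateError:
        return False
    return True


if __name__ == "__main__":
    for host in ("127.0.0.1", "Myhostname"):
        print("%-12s legacy=%-5s modern=%s" % (
            host,
            hostname_accepted(match_hostname_dns_only, TICKET_CERT, host),
            hostname_accepted(match_hostname_with_ip_san, TICKET_CERT, host)))
```

Run against the ticket's certificate, the legacy matcher rejects `127.0.0.1` and accepts `Myhostname`, which is exactly why changing node.url to the hostname works: the identity in the URL has to be one the matcher actually reads. Under the newer rule the IP SAN is honoured and `127.0.0.1` is accepted, while the CN is ignored once a SAN extension is present. For a node that must be reached by a literal IP on a stack with the legacy rule, the robust options are to put a DNS name in node.url that the certificate carries as a `DNS` SAN (or, with no SAN at all, as the CN), or to move to a Python whose `ssl` module checks `IP Address` entries.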