shell.fetch and unauthoritative certificates


shell.fetch and unauthoritative certificates

rantav
I have an https service whose certificate is "valid" but isn't signed by an authoritative CA.
This is normal in my business since real users never hit this service directly, only via a proxy, which does have the appropriate cert (the internal service node has a different host name which is used for load balancing and failover). So from the user's perspective this is fine.
When I use glu to deploy the service, after it's installed I run a test using shell.fetch which basically makes sure that the service is running and is healthy.
Now the problem is that since the service's certificate isn't properly signed by a CA, shell.fetch fails.
With wget I could use --no-check-certificate.
Is there a similar no-check-certificate option when using shell.fetch?
I could fall back to running a shell with `wget --no-check-certificate` but I would rather use shell.fetch if that's possible.

Thanks.

Re: shell.fetch and unauthoritative certificates

frenchyan
Administrator
Ran

The code being executed is the following: https://github.com/linkedin/linkedin-utils/blob/master/org.linkedin.util-groovy/src/main/groovy/org/linkedin/groovy/util/io/GroovyIOUtils.groovy#L292

If you remember the code was actually enhanced because of your feature request (handling username/password).

As you can see under the cover it simply delegates to ant get task.

Quickly looking at the ant task it does not seem that it supports a no check certificate option :(

The quick answer to your question is no. The current shell.fetch method does not support this option. You may want to add a feature request and I will get to it at some point (unless you want to implement it of course :).

Sorry about that.
Yan

Re: shell.fetch and unauthoritative certificates

rantav
ok, the request is on https://github.com/linkedin/glu/issues/50
Thanks and no problem :)

On Mon, May 2, 2011 at 6:37 PM, frenchyan [via glu] <[hidden email]> wrote:
Ran

The code being executed is the following: https://github.com/linkedin/linkedin-utils/blob/master/org.linkedin.util-groovy/src/main/groovy/org/linkedin/groovy/util/io/GroovyIOUtils.groovy#L292

If you remember the code was actually enhanced because of your feature request (handling username/password).

As you can see under the cover it simply delegates to ant get task.

Quickly looking at the ant task it does not seem that it supports a no check certificate option :(

The quick answer to your question is no. The current shell.fetch method does not support this option. You may want to add a feature request and I will get to it at some point (unless you want to implement it of course :).

Sorry about that.
Yan
--
/Ran


Re: shell.fetch and unauthoritative certificates

flefevre
Dear all
I am facing the same problem.
The implementation of "--no-check-certificate" is important, but so is the implementation of the "--ca-certificate" option.
This option allows specifying where the certificates are located.

Thanks.
Francois

Re: shell.fetch and unauthoritative certificates

frenchyan
Administrator
The code that you write in the glu script is groovy (and hence java).

glu provides a set of convenience methods and 'fetch' is one of them. It currently does not support this certificate functionality (there is a ticket to add it in the future). Under the cover it uses "ant" which does not support this functionality either.

In the meantime you can always implement it directly in the glu script (since you can write any groovy and/or java you want). If you are able to add it to your script, then simply send me the code and then it will be easier for me to add it to glu :)

Thanks
Yan

Re: shell.fetch and unauthoritative certificates

EB
CONTENTS DELETED
The author has deleted this message.

Re: shell.fetch and unauthoritative certificates

sodul
The fastest way to get this working is to add the self-signed certificate to your JRE. We do that through Salt (like Puppet) so that all our machines that need our internal CA will work seamlessly.

Here are some options on how to tell the JRE to trust your custom certs:
http://stackoverflow.com/questions/20442273/how-to-programmatically-add-self-signed-certificate-for-making-a-https-request-f

http://www.chrissearle.org/2007/10/25/Adding_self-signed_https_certificates_to_java_keystore/

Doing this might require approval from your ops team.

Re: shell.fetch and unauthoritative certificates

lukestephenon
I've done similar with the following code (although I was just using it for localhost connections). It was in addition to the httpHead method of ShellImpl https://github.com/pongasoft/glu/blob/master/utils/org.linkedin.glu.utils/src/main/groovy/org/linkedin/glu/groovy/utils/shell/ShellImpl.groovy#L529

  // Imports the method needs when placed in ShellImpl (or any Groovy class/script).
  import javax.net.ssl.HostnameVerifier
  import javax.net.ssl.HttpsURLConnection
  import javax.net.ssl.SSLContext
  import javax.net.ssl.SSLSession
  import javax.net.ssl.TrustManager
  import javax.net.ssl.X509TrustManager
  import java.net.HttpURLConnection
  import java.net.URLConnection
  import java.security.cert.X509Certificate
  import org.linkedin.groovy.util.net.GroovyNetUtils

  /**
   * Issue a 'HEAD' request. The location should be an http or https link. This request ignores SSL for localhost.
   *
   * @param location
   * @return a map with the following entries:
   * responseCode: 200, 404... {@link java.net.HttpURLConnection#getResponseCode()}
   * responseMessage: message {@link java.net.HttpURLConnection#getResponseMessage()}
   * headers: representing all the headers {@link java.net.URLConnection#getHeaderFields()}
   */
  Map httpHeadIgnoreSSLTrust(location)
  {
    Map res = [:]

    if (location.startsWith('https')) {
      // Trust manager that accepts any certificate chain (deliberate: the point is to skip the trust check).
      // getAcceptedIssuers returns an empty array rather than null; some JSSE versions throw an NPE on null.
      def nullTrustManager = [
          checkClientTrusted: { chain, authType -> },
          checkServerTrusted: { chain, authType -> },
          getAcceptedIssuers: { new X509Certificate[0] }
      ]

      // Hostname verification is still enforced: only 'localhost' is accepted, every other name is rejected.
      def localHostnameVerifier = new HostnameVerifier() {
          public boolean verify(String hostname, SSLSession sslSession) {
              return hostname.equals('localhost')
          }
      }

      SSLContext sc = SSLContext.getInstance("TLS")
      sc.init(null, [nullTrustManager as X509TrustManager] as TrustManager[], null)

      URI uri = GroovyNetUtils.toURI(location)
      URL url = uri.toURL()
      URLConnection cx = url.openConnection()

      try
      {
        // setSSLSocketFactory/setHostnameVerifier only exist on HttpsURLConnection,
        // which is what openConnection() returns for an https URL.
        if(cx instanceof HttpsURLConnection)
        {
          cx.setSSLSocketFactory(sc.getSocketFactory())
          cx.setHostnameVerifier(localHostnameVerifier)
          cx.requestMethod = 'HEAD'
          cx.doInput = true
          cx.doOutput = false

          cx.connect()

          res.responseCode = cx.responseCode
          res.responseMessage = cx.responseMessage
          res.headers = cx.headerFields
        }
      }
      finally
      {
        // HttpURLConnection has no close(); disconnect() releases the underlying socket.
        if(cx instanceof HttpURLConnection)
          cx.disconnect()
      }
    }
    else {
        res = httpHead(location)
    }

    return res
  }
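For comparison with the trust-everything approach above, here is the "--ca-certificate" counterpart that flefevre asked for, written as an added example for this thread (it is not code from glu, linkedin-utils or any poster). It trusts only the CA certificates found in a PEM file, keeps the JDK's default hostname verification, and returns the same responseCode/responseMessage/headers map as httpHead. The method names httpHeadWithCaCert and sslContextTrustingOnly, the caCertPath parameter and the sample URL and path in the usage comment are all assumptions made for the example.

```groovy
// Added example, not part of the original thread or of glu.
// Trust an internal CA explicitly instead of disabling certificate checks.
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory

/**
 * Builds an SSLContext whose only trust anchors are the certificates in the
 * given PEM file (one or more -----BEGIN CERTIFICATE----- blocks).
 * Assumed helper name: sslContextTrustingOnly.
 */
SSLContext sslContextTrustingOnly(String caCertPath) {
  CertificateFactory cf = CertificateFactory.getInstance("X.509")
  // Empty in-memory keystore; every certificate in the file becomes a trusted entry.
  KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType())
  ks.load(null, null)
  new File(caCertPath).withInputStream { InputStream is ->
    cf.generateCertificates(is).eachWithIndex { cert, i ->
      ks.setCertificateEntry("internal-ca-${i}", cert as X509Certificate)
    }
  }
  if (ks.size() == 0) {
    throw new IllegalArgumentException("no certificates found in ${caCertPath}")
  }
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
  tmf.init(ks)
  SSLContext sc = SSLContext.getInstance("TLS")
  sc.init(null, tmf.getTrustManagers(), null)
  return sc
}

/**
 * Same contract as httpHead/httpHeadIgnoreSSLTrust (responseCode, responseMessage,
 * headers) but only for https URLs, and only when the server's chain ends at one
 * of the CA certificates in caCertPath. Hostname verification stays at the JDK
 * default, so a certificate issued for a different host name is still rejected.
 * Assumed method name: httpHeadWithCaCert.
 */
Map httpHeadWithCaCert(String location, String caCertPath) {
  URL url = new URL(location)
  if (url.getProtocol() != 'https') {
    throw new IllegalArgumentException("expected an https URL, got ${location}")
  }
  HttpsURLConnection cx = (HttpsURLConnection) url.openConnection()
  cx.setSSLSocketFactory(sslContextTrustingOnly(caCertPath).getSocketFactory())
  cx.requestMethod = 'HEAD'
  cx.doInput = true
  cx.doOutput = false
  cx.connectTimeout = 5000   // a health check should fail fast, not hang the deployment
  cx.readTimeout = 5000
  try {
    cx.connect()
    return [responseCode: cx.responseCode,
            responseMessage: cx.responseMessage,
            headers: cx.headerFields]
  } finally {
    cx.disconnect()
  }
}

// Usage from a glu script (URL and path are constructed sample values):
// def res = httpHeadWithCaCert('https://internal-node.example:8443/health',
//                              '/etc/ssl/internal-ca.pem')
// assert res.responseCode == 200
```

This is the per-script equivalent of what sodul describes: importing the internal CA into the JRE's truststore makes every Java client on the box trust it, while loading the PEM file here limits the extra trust to this one check and does not need changes to the JRE. Either way the service's certificate is verified against a known CA and the host name is still checked, which the localhost-only trust-all method above does not do.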