salt-api bug TLS for ubuntu 16.04 ?

Created on 18 Nov 2016 · 9 Comments · Source: saltstack/salt

Description of Issue/Question

curl: (56) GnuTLS recv error (-15): An unexpected TLS packet was received.

Setup

Create key

salt-call tls.create_self_signed_cert
#or 
openssl genrsa -out /etc/ssl/private/key.pem 4096
openssl req -new -x509 -key /etc/ssl/private/key.pem -out /etc/ssl/private/cert.pem -days 1826

Config API
api.conf

rest_cherrypy:
  host: xxxx
  port: 8082
  #disable_ssl: True
  ssl_crt: /etc/ssl/private/cert.pem
  ssl_key: /etc/ssl/private/key.pem

Curl run command
curl -k https://xxxx:8082/login -H "Accept: application/x-yaml" -d username='user' -d password='password' -d eauth='pam'

curl: (56) GnuTLS recv error (-15): An unexpected TLS packet was received.

Steps to Reproduce Issue

(Include debug logs if possible and relevant.)

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
           Salt: 2016.3.4

Dependency Versions:
           cffi: Not Installed
       cherrypy: 3.5.0
       dateutil: 2.4.2
          gitdb: 0.6.4
      gitpython: 1.0.1
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: 1.3.7
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: Not Installed
         Python: 2.7.12 (default, Jul  1 2016, 15:12:24)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: 0.9.0
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: Ubuntu 16.04 xenial
        machine: x86_64
        release: 4.4.0-42-generic
         system: Linux
        version: Ubuntu 16.04 xenial
Bug P4 RIoT Salt-API severity-medium

All 9 comments

Other curl version
curl -k https://xxxx:8082/login -H "Accept: application/x-yaml" -d username='user' -d password='password' -d eauth='pam'

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Okay, so it seems there are quite a few issues with ubuntu16 and cherrypy version 3.5. I was able to replicate your issue, but when I installed 3.2.3 of cherrypy it started working. So you can use that as a workaround.

There are a couple of issues that document ubuntu16 and cherrypy 3.5 issues, but yours is different behavior, so I will keep this open but refer to these other issues for documenting purposes:

#35320 #34219

What's the correct way to install cherrypy 3.2.3? I did the following:

curl -O https://codeload.github.com/cherrypy/cherrypy/tar.gz/3.2.3
tar -xvzf 3.2.3
sudo python setup.py install

service salt-master restart
service salt-api restart

Which seemed to work:

Salt Version:
           Salt: 2016.11.0

Dependency Versions:
           cffi: Not Installed
       cherrypy: 3.2.3
       dateutil: 2.4.2
          gitdb: 0.6.4
      gitpython: 1.0.1
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: Not Installed
         Python: 2.7.12 (default, Nov 19 2016, 06:48:10)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: 0.9.0
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: Ubuntu 16.04 xenial
        machine: x86_64
        release: 4.4.0-47-generic
         system: Linux
        version: Ubuntu 16.04 xenial

Configuration in master:

rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key
  webhook_disable_auth: True
  webhook_url: /hook

Then using curl:

curl -H "Accept: application/json" -H "Content-type: application/json" --data '{"service":"nginx"}' -k https://localhost:8000/hook/restart
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

I'm still getting the same error.

I've encountered the same and was able to resolve it by upgrading cherrypy to 8.1.2 (pip install --upgrade cherrypy) and restarting salt-master and salt-api services.

I can confirm that this issue still exists with Ubuntu 16.04, salt installed via the official salt repository:

The workaround that was suggested above works well, but I used pip to install cherrypy==3.2.3.

  1. $ sudo rm -r /usr/lib/python2.7/dist-packages/cherrypy/ # (maybe there is a better/safer way)
  2. $ sudo pip install cherrypy==3.2.3
  3. $ sudo systemctl restart salt-master salt-api

And, now curl/pepper commands run like magic with the self-signed certificates.

```
# salt --versions-report
Salt Version:
Salt: 2016.11.3

Dependency Versions:
cffi: Not Installed
cherrypy: 3.2.3
dateutil: 2.4.2
gitdb: 0.6.4
gitpython: 1.0.1
ioflo: Not Installed
Jinja2: 2.8
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: 1.0.3
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pygit2: Not Installed
Python: 2.7.12 (default, Nov 19 2016, 06:48:10)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.2.0
RAET: Not Installed
smmap: 0.9.0
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4

System Versions:
dist: Ubuntu 16.04 xenial
machine: x86_64
release: 4.4.0-64-generic
system: Linux
version: Ubuntu 16.04 xenial
```

I wonder if this issue persists with CentOS 7, did not find it yet. As we are running mixed environments (OS), some sort of unification/pinning these versions w.r.t. salt release version should be a good idea.

curl -k https://127.0.0.1:8000/login -H "Accept: application/x-yaml" -d username='saltapi' -d pas
curl: (56) GnuTLS recv error (-15): An unexpected TLS packet was received.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

It is still an issue with ubuntu 16.04

Thank you for updating this issue. It is no longer marked as stale.
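
The curl errors quoted in this thread say only that the client received something other than the TLS message it expected. The following Python 3 triage probe is an added example, not part of the original thread or of Salt: it sends a real ClientHello to the rest_cherrypy port and reports whether the first bytes back are a TLS record, a plaintext HTTP response, or nothing. The function names, the `tls_probe.py` file name and the sample replies are assumptions made for the illustration.

```python
import socket
import ssl
import sys

# Constructed sample replies for illustration (not captured from a real server).
SAMPLE_PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\n"
SAMPLE_TLS = bytes([0x16, 0x03, 0x03, 0x00, 0x5D])  # handshake record header

def client_hello_bytes(server_name="localhost"):
    """Have the ssl module build a real ClientHello in memory (no network I/O)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(
        incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()

def classify_reply(data):
    """Name what the first bytes of a server reply look like."""
    if not data:
        return "closed-without-reply"
    if data[:5] == b"HTTP/":
        return "plaintext-http"
    # TLS record header: content type, major version 0x03, minor version.
    if len(data) >= 3 and data[1] == 0x03 and data[2] <= 0x04:
        if data[0] == 0x16:
            return "tls-handshake"
        if data[0] == 0x15:
            return "tls-alert"
    return "unknown"

def probe(host, port, timeout=5.0):
    """Send a ClientHello over plain TCP and classify the first reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello_bytes(host))
        try:
            return classify_reply(sock.recv(16))
        except socket.timeout:
            return "no-reply"
        except ConnectionResetError:
            return "closed-without-reply"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python3 tls_probe.py 127.0.0.1 8000
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print(classify_reply(SAMPLE_PLAINTEXT), classify_reply(SAMPLE_TLS))
```

A result other than `tls-handshake` points at the listener rather than the client. curl's `-k` only skips certificate verification, so it cannot work around a server that does not answer the handshake with TLS.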
