I am using the following config.hcl for my Hashicorp server,
disable_mlock = true
storage "file" {
path = "/etc/secrets"
}
listener "tcp" {
address = "10.xx.xx.xx:8200"
tls_cert_file = "/etc/certs/selfsigned.crt"
tls_key_file = "/etc/certs/selfsigned.key"
}
it is working fine when i perform vault operations, But when i try reach it using hvac python library i am getting SSL error. The code i am using to connect to hashicorp server from python is,
import hvac
client = hvac.Client(url='https://10.xx.xx.xx:8200', cert=('/etc/certs/selfsigned.crt', '/etc/certs/selfsigned.key'))
client.token = 'd460cb82-08aa-4b97-8655-19b6593b262d'
client.is_authenticated()
The full error trace i am getting is as follows:-
Traceback (most recent call last): File "", line 1 , in File "/usr/local/lib/python2.7/dist-packages/hvac/v1/ init .py", line 552, in is_authenticated self.lookup_token() File "/usr/local/lib/python2.7/dist-packages/hvac/v1/ init .py", line 460, in lookup_token return self._get('/v1/auth/token/lookup-self', wrap_ttl=wrap_ttl).json() File "/usr/local/lib/python2.7/dist-packages/hvac/v1/ init .py", line 1236, in _get return self. request('get', url, **kwargs) File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init .py", line 1264, in __request allow_redirects=False, **_kwargs) File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 512, in request resp = self.send(prep, **send_kwargs) File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 622, in send r = adapter.send(request, **kwargs) File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 511, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='10.xx.xx.xx', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
According to hvac documentation Using TLS with client-side certificate authentication , you need to specify verify=server_cert_path
parameter.
Testing as below, i can get results as expected. btw with or without token
parameter, it could run successfully.
import hvac
client = hvac.Client(url='https://127.0.0.1:8200',
token='xxxxxxxx',
cert=('server.crt',
'server.key'),
verify='ca.crt')
res = client.is_authenticated()
print("res:", res)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.