I had an issue in nodejs, when I use the API link https://hostname:8089
return new NoSQLClient({
    serviceType: ServiceType.KVSTORE,
    endpoint: 'localhost:8089'
});
I'm getting error like this,
Error: [REQUEST_TIMEOUT] Operation timed out after 10000 ms and 6 retries; Caused by: [NETWORK_ERROR] Network error; Caused by: socket hang up
There is nothing wrong with the query, it's about the port, you have to expose the port first and then try it...or disable the firewall
This error happens when you are trying to access a secure KVStore using a non-secure connection call ( http://localhost:8089 )
NoSQLTimeoutError: [REQUEST_TIMEOUT] Operation timed out after 10000 ms
and 6 retries; Caused by: [NETWORK_ERROR] Network error;
Caused by: socket hang up
When accessing a secure KVStore, you also need to provide a user/pwd. If not, you will get the following error:
NoSQLArgumentError: [ILLEGAL_ARGUMENT] TABLE_REQUEST: Illegal Argument:
Missing authentication information
Here is an example of a connection string (note the https: if this value is not set, you will use http by default):
return new NoSQLClient({
    serviceType: ServiceType.KVSTORE,
    endpoint: 'https://localhost:8089',
    auth: {
        kvstore: {
            user: "driver_user",
            password: "DriverPass##123"
        }
    }
});
In secure mode, the proxy requires an SSL certificate and private key. You need to provide the certificate: before running your application, set the environment variable NODE_EXTRA_CA_CERTS
export NODE_EXTRA_CA_CERTS=<yourpath>/certificate.pem
Without the certificate, you will have the following error:
NoSQLAuthorizationError: [REQUEST_TIMEOUT] Authorization error:
[operation timeout]: Failed to login to kvstore.
Operation timed out, see the cause
You also need to validate the requested domain name to match the server's certificate.
$ curl --cacert ~/certificate.pem https://localhost:8089
curl: (51) Unable to communicate securely with peer: requested domain name
does not match the server's certificate.
In this case, you need to change the certificate or use the appropriate URL
$ openssl x509 -text -noout -in ~/certificate.pem | grep CN
Issuer: CN=kvlite
Subject: CN=kvlite
$ curl --cacert ~/certificate.pem https://kvlite:8080
If your CN is not localhost, use a URL matching the certificate, e.g.:
return new NoSQLClient({
    serviceType: ServiceType.KVSTORE,
    endpoint: 'https://kvlite:8089',
    auth: {
        kvstore: {
            user: "driver_user",
            password: "DriverPass##123"
        }
    }
});
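The two endpoint checks this answer walks through (an endpoint without https is treated as http, and the endpoint host must match the certificate's CN), as an added example that is not part of the original answer. `preflightEndpoint` and the sample certificate object are assumptions made for illustration; `tls.checkServerIdentity` is Node's built-in hostname check.

```javascript
const tls = require('tls');

// Constructed sample: the subject/issuer fields getPeerCertificate() would report
// for the self-signed certificate in the openssl output above (CN=kvlite, no SAN).
const SAMPLE_PEER_CERT = { subject: { CN: 'kvlite' }, issuer: { CN: 'kvlite' } };

// Hypothetical helper: returns a list of problems, empty when the endpoint is usable.
function preflightEndpoint(endpoint, peerCert) {
  const problems = [];
  // An endpoint written without a scheme is treated as plain http.
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(endpoint);
  const url = new URL(hasScheme ? endpoint : `http://${endpoint}`);
  if (url.protocol !== 'https:') {
    problems.push(`endpoint resolves to ${url.protocol}//${url.host}; a secure store needs https://`);
  }
  // Same name check the TLS client performs during the handshake.
  const mismatch = tls.checkServerIdentity(url.hostname, peerCert);
  if (mismatch) {
    problems.push(`${mismatch.code}: ${mismatch.message}`);
  }
  return problems;
}

// Walk through the three endpoints that appear in the thread.
for (const ep of ['localhost:8089', 'https://localhost:8089', 'https://kvlite:8089']) {
  const problems = preflightEndpoint(ep, SAMPLE_PEER_CERT);
  console.log(ep, '->', problems.length ? problems : 'ok');
}
```

Against a live proxy, the certificate object would come from `socket.getPeerCertificate()` on a connection that trusts the CA file set in NODE_EXTRA_CA_CERTS.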
I have a custom Databricks instance with a Domain name that points to an AWS Load Balancer. When I put that information in using either the HTTP instructions here or the databricks cluster instructions here, I get this response in the DBT CLI:
Connection:
host: https://subdomain.domain.com
port: 443
cluster: 123456-stuff00003
endpoint: None
schema: default
organization: 0
16:40:39.470091 [debug] [MainThread]: Acquiring new spark connection "debug"
16:40:39.471632 [debug] [MainThread]: Using spark connection "debug"
16:40:39.472524 [debug] [MainThread]: On debug: select 1 as id
16:40:39.472953 [debug] [MainThread]: Opening a new connection, currently in state init
Connection test: [ERROR]
1 check failed:
dbt was unable to connect to the specified database.
The database returned the following error:
>Runtime Error
Database Error
failed to connect
Unfortunately, DBT's debugging logs are terrible and I am not entirely sure why it is failing. I do know that when I connect to the cluster via Intellij I have to provide the CA file, the Client Certificate file, and the Client key file, because I am using a self-signed SSL cert (unfortunately, the self signed cert is required). Also, when defining my ~/.databrickscfg file I have to provide the argument insecure = true.
I've encountered this issue recently and I fixed it by installing root certificates by executing the "Install Certificates.command" script in the python home directory used to run dbt.
Laurent
I'm trying to build a Docker image, based on ubuntu:20.04, with R and bookdown with PDF support. But I'm getting ERROR: cannot verify yihui.org's certificate [...] with tinytex::install_tinytex():
> tinytex::install_tinytex()
trying URL 'https://yihui.org/tinytex/TinyTeX-1.tar.gz'
trying URL 'https://yihui.org/tinytex/TinyTeX-1.tar.gz'
--2020-11-23 09:19:05-- https://yihui.org/tinytex/TinyTeX-1.tar.gz
Resolving yihui.org (yihui.org)... 167.99.129.42, 134.209.226.211
Connecting to yihui.org (yihui.org)|167.99.129.42|:443... connected.
ERROR: cannot verify yihui.org's certificate, issued by 'CN=SSL-SG1-GROBU,OU=Operations,O=Cloud Services,C=US':
Unable to locally verify the issuer's authority.
To connect to yihui.org insecurely, use `--no-check-certificate'.
Error in download.file(url, output, ..., method = method) :
'wget' call had nonzero exit status
Calls: <Anonymous> ... download_file -> <Anonymous> -> download -> download.file
In addition: Warning messages:
1: In download.file(url, output, ..., method = method) :
URL 'https://yihui.org/tinytex/TinyTeX-1.tar.gz': status was 'SSL peer certificate or SSH remote key was not OK'
2: In download.file(url, output, ..., method = method) :
URL 'https://yihui.org/tinytex/TinyTeX-1.tar.gz': status was 'SSL peer certificate or SSH remote key was not OK'
You may have to restart your system after installing TinyTeX to make sure ~/bin appears in your PATH variable (https://github.com/yihui/tinytex/issues/16).
Execution halted
I need to find a way to verify and trust the certificate chain from yihui.org, as I'm not allowed to bypass the verification with --no-check-certificate.
Thanks in advance for any hint!
Mihai
The default docker image has no certificates installed, therefore there are also no root certificates. That is what is indicated by the error message Unable to locally verify the issuer's authority. You can obtain the root certificates from the package ca-certificates (install it via apt-get).
I'm trying to stream videos from YouTube in a GUI app using PyQt5, python-vlc and pafy modules, but vlc gave me some connection errors:
[0000025466dc7340] main tls client error: connection error: Interrupted function call
[0000025466df9f00] access stream error: HTTP connection failure
[0000025466dc7430] gnutls tls client error: TLS handshake error: Error in the push function.
[0000025466dc7430] main tls client error: TLS session handshake error
[0000025466dc7430] main tls client error: connection error: Interrupted function call
[0000025466dfa080] access stream error: HTTP connection failure
When I make the same thing with tkinter module it works without problems. How can I solve these errors?
def OnYT(self):
    text = self.textbox.text()
    url = self.Search(text)  # this function returns the first result url from a search on YouTube
    self.textbox.setText("")
    video = pafy.new(url)
    best = video.getbest()
    self.mediaplayer.set_mrl(best.url)
    if sys.platform.startswith('linux'):
        self.mediaplayer.set_xwindow(self.videoframe.winId())
    elif sys.platform == "win32":
        self.mediaplayer.set_hwnd(self.videoframe.winId())
    elif sys.platform == "darwin":
        self.mediaplayer.set_nsobject(int(self.videoframe.winId()))
    self.mediaplayer.play()
There is a workaround for this: you can configure VLC to connect to the URL using http with the parameter vlc.Instance("prefer-insecure"),
or you can try to update and feed VLC with certificates:
sudo update-ca-certificates --fresh --verbose
mkdir -p ~/.local/share/vlc/certs/
cat /usr/share/ca-certificates/mozilla/* | tee ~/.local/share/vlc/certs/ca-certifcates.crt
you can find more info here
GNUtls options:
--gnutls-system-trust, --no-gnutls-system-trust
Use system trust database
(default enabled)
Trust the root certificates of Certificate Authorities stored in the
operating system trust database to authenticate TLS sessions.
--gnutls-dir-trust <string>
Trust directory
Trust directory
--gnutls-priorities {PERFORMANCE,NORMAL,SECURE128,SECURE256,EXPORT}
TLS cipher priorities
Ciphers, key exchange methods, hash functions and compression methods
can be selected. Refer to GNU TLS documentation for detailed syntax.
You could use --gnutls-dir-trust to point to Firefox certs, I think.
In the course of a project, I've been running into a wall sending https requests to (usually older) sites. While the sites navigate in the browser just fine, they throw 502 errors when the request is made from Node. More specifically, they claim SSL Bad handshake. But cURL requests go through just fine.
I think I've narrowed down the issue to the use of OpenSSL in Node. For instance, an analysis of the site by SSL Labs tells me that, in a handshake simulation:
OpenSSL 0.9.8y RSA 2048 (SHA256) TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA
OpenSSL 1.0.1l R Server closed connection
OpenSSL 1.0.2e R Server closed connection
So connections with later versions of OpenSSL tend to get killed before the request goes through.
Now, I could, I think, cook it up so that the script just makes cURL requests, but I would rather have a solution that doesn't have any extra dependencies. Is there a possible solution here?
EDIT: If possible, I would be interested in hypotheses as to why later versions of OpenSSL fail while all other sorts of handshake simulations succeed.
I've tried to play around with the cipher suite, but so far it hasn't helped. Here is my code (node version is 4.6.2, in case it matters):
var https = require('https');

var options = {
    hostname: 'thewebsite.net',
    port: 443,
    agent: false,
    servername: 'thewebsite.net',
    path: '/',
    ciphers: 'ALL',
    method: 'GET'
};

var req = https.request(options, (res) => {
    console.log(res);
});
// https.request() only sends the request once end() is called.
req.end();
I've played around with secureProtocol, agent, and serverName options, but thus far nothing seems to work. Depending on which options are used, either I receive a 502 error that cites an SSL handshake problem, or:
Caught exception: Error: socket hang up
at TLSSocket.onHangUp (_tls_wrap.js:1054:19)
at TLSSocket.g (events.js:260:16)
at emitNone (events.js:72:20)
at TLSSocket.emit (events.js:166:7)
at endReadableNT (_stream_readable.js:923:12)
at nextTickCallbackWith2Args (node.js:458:9)
at process._tickDomainCallback (node.js:413:17)
You can manually specify what ciphers to use for a request by setting the ciphers option. The format of the ciphers list follows the OpenSSL cipher list format.
FWIW the default cipher list used by node currently (as of node v7.2.0) is (minus the line breaks):
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA256:
ECDHE-RSA-AES256-SHA384:
DHE-RSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA256:
DHE-RSA-AES256-SHA256:
HIGH:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!SRP:
!CAMELLIA
I am getting the following error in my server log:
[crit] 915#0: *46701 SSL_do_handshake() failed (SSL:
error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate
fallback) while SSL handshaking, client: 187.50.199.66, server:
0.0.0.0:443
What does it mean? How can I solve it?
Please help me.
It looks like it's connected with a security bug in OpenSSL. It has nothing to do with YOUR nginx configuration. It's just indicating that your server has a client which improperly handles SSL handshakes.
What is SSL handshake?
Basically, it's an exchange of some messages between client and server at the beginning of each session. It consists of 6 phases:
Client Hello
Server Hello
Authentication and Pre-Master Secret
Decryption and Master Secret
Generate Session Keys
Encryption with Session Key
Read more at http://www.symantec.com/connect/blogs/how-does-ssl-work-what-ssl-handshake
To sum up: your server is raising this warning to indicate that some client is (un)intentionally breaking this procedure (for example, prematurely ending the connection, or trying to open it several times in one session).
How to solve it?
If you really want to get rid of this message (it's not recommended), you can change the level of error logging (in your nginx.conf file) to something like:
error_log logs/error.log alert;
*available levels are: debug | info | notice | warn | error | crit | alert | emerg
http://nginx.org/en/docs/ngx_core_module.html#error_log
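Before changing the error_log level, it helps to see which clients and which OpenSSL reasons account for the handshake failures. An added example, not part of the original answer: `summarizeHandshakeFailures` is a hypothetical helper, and the sample lines are constructed (made-up timestamps and documentation IP addresses, with the error string quoted in the question).

```javascript
// Constructed sample in nginx error_log format. The SSL error string is the one
// quoted in the question; timestamps and client addresses are made up.
const SSL_ERR = 'error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback';
const SAMPLE_LOG = [
  `2015/01/10 08:00:01 [crit] 915#0: *46701 SSL_do_handshake() failed (SSL: ${SSL_ERR}) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443`,
  `2015/01/10 08:00:02 [crit] 915#0: *46702 SSL_do_handshake() failed (SSL: ${SSL_ERR}) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443`,
  `2015/01/10 08:00:07 [crit] 915#0: *46710 SSL_do_handshake() failed (SSL: ${SSL_ERR}) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443`,
  '2015/01/10 08:00:09 [error] 915#0: *46711 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: example.test',
].join('\n');

// Captures: log level, OpenSSL error code, OpenSSL function, reason text, client address.
const HANDSHAKE_RE = /\[(\w+)\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:([0-9A-Fa-f]+):[^:]*:([^:]*):([^)]*)\) while SSL handshaking, client: ([^,\s]+)/;

// Groups handshake failures by OpenSSL reason and counts them per client.
function summarizeHandshakeFailures(logText) {
  const byReason = new Map();
  for (const line of logText.split('\n')) {
    const m = HANDSHAKE_RE.exec(line);
    if (!m) continue; // not a handshake failure, leave it to other tooling
    const [, level, code, func, reason, client] = m;
    let entry = byReason.get(reason);
    if (!entry) {
      entry = { reason, code, func, level, total: 0, clients: {} };
      byReason.set(reason, entry);
    }
    entry.total += 1;
    entry.clients[client] = (entry.clients[client] || 0) + 1;
  }
  // Most frequent reason first.
  return [...byReason.values()].sort((a, b) => b.total - a.total);
}

console.log(JSON.stringify(summarizeHandshakeFailures(SAMPLE_LOG), null, 2));
```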