Trying to connect with missing certificate_chain crashed python interpreter #87

Open
miott opened this issue Aug 12, 2020 · 5 comments
Labels
bug Something isn't working

Comments

@miott
Collaborator

miott commented Aug 12, 2020

Connection code did not find the certificate chain file and assigned Python None to the Client class, which led to this error in grpc/_channel.py.

(Pdb) n
> /Users/miott/ysuite/install/yangsuite/venv/lib/python3.7/site-packages/grpc/_channel.py(1352)__init__()
-> _common.encode(target), _augment_options(core_options, compression),
(Pdb) n
> /Users/miott/ysuite/install/yangsuite/venv/lib/python3.7/site-packages/grpc/_channel.py(1353)__init__()
-> credentials)
(Pdb) n
E0812 17:49:57.641734000 123145481629696 ssl_credentials.cc:101]       assertion failed: pem_key_cert_pair->cert_chain != nullptr
Abort trap: 6
@miott miott added the bug Something isn't working label Aug 12, 2020
@remingtonc
Contributor

Interesting - is this happening in ClientBuilder.construct? grpc.ssl_channel_credentials expects None to any of those args, uncertain the conditions which cause this.

@miott
Collaborator Author

miott commented Aug 12, 2020

Yes, construct, but, really the crash happens initializing the "grpc._channel.Channel" class.

Here are the 3 parameters (certificate chain is None).

(Pdb) pp channel_creds._credentials._channel_credentials._certificate_chain
None
(Pdb) pp channel_creds._credentials._channel_credentials._pem_root_certificates
(Pdb) pp channel_creds._credentials._channel_credentials._private_key
(Pdb)

@miott
Collaborator Author

miott commented Aug 12, 2020

Further testing: if either the private key or the client certificate is None, they both have to be None or you get a crash.

@remingtonc
Contributor

remingtonc commented Aug 13, 2020

I'm inclined to say that makes sense, but I don't FULLY understand certificates enough to know situations wherein the client key/cert paired wouldn't be necessary. We can add an exception for that condition - in general I usually have a rootCA.pem for CA, client.key for client key, and client.crt for client certificate, and sometimes only the CA. Do you have a use case otherwise?

@miott
Collaborator Author

miott commented Aug 13, 2020

NXOS at first only provided the rootCA.pem and host override name. That also connects successfully for XE. From my limited investigation of TLS, I think that works because the actual root authority is the Cisco device itself. If it was a 3rd party, not so sure that would end in a successful connection.
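
An added example, not part of the issue thread or the project's code: one way to reject the failing combination in Python before the credentials reach gRPC's C core, where the assertion aborts the interpreter. The function names `read_pem` and `build_ssl_kwargs` are hypothetical, and the file contents are constructed placeholders; the file names follow the ones mentioned in the thread.

```python
import os
import tempfile
from typing import Optional


def read_pem(path: Optional[str], label: str) -> Optional[bytes]:
    """Return the file's bytes, or None only when no path was configured."""
    if path is None:
        return None
    # A configured but missing file is an error, never a silent None.
    if not os.path.isfile(path):
        raise FileNotFoundError(f"{label} file not found: {path}")
    with open(path, "rb") as fh:
        return fh.read()


def build_ssl_kwargs(root_ca=None, client_key=None, client_cert=None) -> dict:
    """Load TLS material and enforce the key/chain pairing before gRPC sees it."""
    root = read_pem(root_ca, "root CA")
    key = read_pem(client_key, "client private key")
    chain = read_pem(client_cert, "client certificate chain")
    # Valid: both set (mutual TLS) or both None (server authentication only).
    if (key is None) != (chain is None):
        missing = "certificate chain" if chain is None else "private key"
        raise ValueError(f"client {missing} missing: supply key and chain together")
    # Keyword names match grpc.ssl_channel_credentials().
    return {"root_certificates": root, "private_key": key,
            "certificate_chain": chain}


def demo() -> list:
    """Three constructed cases; file contents are placeholders, not real PEM."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        ca, key = os.path.join(d, "rootCA.pem"), os.path.join(d, "client.key")
        for p in (ca, key):
            with open(p, "wb") as fh:
                fh.write(b"constructed placeholder\n")
        absent = os.path.join(d, "client.crt")  # deliberately never created
        for case in [(ca, None, None), (ca, key, None), (ca, key, absent)]:
            try:
                build_ssl_kwargs(*case)
                results.append("ok")
            except (ValueError, FileNotFoundError) as exc:
                results.append(type(exc).__name__)
    return results


if __name__ == "__main__":
    print(demo())
```

The returned dictionary can be passed as `grpc.ssl_channel_credentials(**kwargs)`; the CA-only case stays valid, while a key without a chain or a chain path that does not exist raises a Python exception that the caller can handle.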
