Hashicorp Python client hvac issue: "bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed'

Question (votes: 1, answers: 1)

I am using the following config.hcl for the Hashicorp server,

disable_mlock = true

storage "file" {
  path = "/etc/secrets"
}

listener "tcp" {
 address     = "10.xx.xx.xx:8200"
 tls_cert_file = "/etc/certs/selfsigned.crt"
 tls_key_file  = "/etc/certs/selfsigned.key"
}

When I perform vault operations it works fine, but when I try to reach it using the hvac python library I get an SSL error. The code I use to connect to the hashicorp server from python is,

import hvac
client = hvac.Client(url='https://10.xx.xx.xx:8200', cert=('/etc/certs/selfsigned.crt', '/etc/certs/selfsigned.key'))
client.token = 'd460cb82-08aa-4b97-8655-19b6593b262d'
client.is_authenticated() 

The full error trace I get is as follows:-

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 552, in is_authenticated
    self.lookup_token()
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 460, in lookup_token
    return self._get('/v1/auth/token/lookup-self', wrap_ttl=wrap_ttl).json()
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 1236, in _get
    return self.__request('get', url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 1264, in __request
    allow_redirects=False, **_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 511, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.xx.xx.xx', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

python ssl tls1.2 hashicorp-vault
1 Answer

1 vote

According to the hvac documentation, "Using TLS with client-side certificate authentication", you need to specify the verify=server_cert_path parameter.

Tested as below, I get the expected result. BTW, it runs successfully with or without the token parameter.

import hvac

client = hvac.Client(url='https://127.0.0.1:8200',
                     token='xxxxxxxx',
                     # client-side certificate and key (only needed when the
                     # listener is configured for client certificate auth)
                     cert=('server.crt',
                           'server.key'),
                     # CA file used to verify the server certificate; for a
                     # self-signed listener cert this is the cert itself
                     verify='ca.crt')

res = client.is_authenticated()
print("res:", res)
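As an added example (not part of the original answer), an openssl preflight for the question's self-signed listener cert: it mints such a cert, checks that it verifies against itself as the CA file, which is what verify='selfsigned.crt' makes requests do, and checks that the listener IP is present as an IP SAN, which requests needs when the Vault URL is an IP literal. The IP 10.0.0.5, the temp path and the openssl options are assumptions (openssl 1.1.1 or newer).

```shell
#!/bin/sh
# Added preflight for the situation in the question: mint a self-signed Vault
# listener cert whose SAN carries the listener IP, then run the two checks that
# hvac's verify='selfsigned.crt' makes OpenSSL perform. Assumes openssl >= 1.1.1
# (-addext). 10.0.0.5 is a constructed placeholder for the question's 10.xx.xx.xx.
set -eu

WORK="${TMPDIR:-/tmp}/vault-tls-preflight.$$"
mkdir -p "$WORK"

# make_selfsigned_cert <ip> <outprefix>: writes <outprefix>.crt / <outprefix>.key,
# the pair that goes into the listener's tls_cert_file / tls_key_file.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=vault-listener" \
        -addext "subjectAltName=IP:$1" \
        -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# verifies_against_ca <cert> <cafile>: succeeds if OpenSSL accepts <cert> with
# <cafile> as the only trust anchor. This is the chain check that fails with
# 'certificate verify failed' when hvac gets no verify= path, because the system
# CA bundle does not contain the self-signed cert.
verifies_against_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# san_has_ip <cert> <ip>: succeeds if <ip> appears as an IP-address SAN.
# requests/urllib3 match an IP literal in the URL against IP SANs only, so a
# cert with just a CN or a DNS SAN fails hostname checking even after the
# chain check passes.
san_has_ip() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "IP Address:$2(,|\$)"
}

# Stand-alone demo of both checks against a freshly minted cert.
make_selfsigned_cert 10.0.0.5 "$WORK/selfsigned"
if verifies_against_ca "$WORK/selfsigned.crt" "$WORK/selfsigned.crt"; then
    echo "chain: ok (verify='$WORK/selfsigned.crt' would pass)"
else
    echo "chain: FAIL"
fi
if san_has_ip "$WORK/selfsigned.crt" 10.0.0.5; then
    echo "san: ok (IP literal in the Vault URL will match)"
else
    echo "san: FAIL (add subjectAltName=IP:<listener ip> to the cert)"
fi
```

For the question's listener, which sets no tls_client_ca_file, verify= is the only extra argument needed; the cert= pair in the answer is for client-certificate authentication.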