Connect to esxi host with self Signed certificate.


Alexey Vasiliev
I ran into a problem on Gentoo Linux, Python 2.7.9.

I get the following error message when I try to run pyvmomi-community-samples/samples/vminfo_quick.py (and similar errors in other examples):

Traceback (most recent call last):
  File "/data/docs/proj/pyvmomi-community-samples/samples/vminfo_quick.py", line 55, in <module>
    protocol='https',
  File "/usr/lib64/python2.7/site-packages/pyVim/connect.py", line 590, in SmartConnect
    path=path)
  File "/usr/lib64/python2.7/site-packages/pyVim/connect.py", line 234, in Connect
    keyFile, certFile)
  File "/usr/lib64/python2.7/site-packages/pyVim/connect.py", line 319, in __Login
    reraise(vim.fault.HostConnectFault, fault, traceback)
  File "/usr/lib64/python2.7/site-packages/pyVim/connect.py", line 307, in __Login
    content = si.RetrieveContent()
  File "/usr/lib64/python2.7/site-packages/pyVmomi/VmomiSupport.py", line 566, in <lambda>
    self.f(*(self.args + (obj,) + args), **kwargs)
  File "/usr/lib64/python2.7/site-packages/pyVmomi/VmomiSupport.py", line 375, in _InvokeMethod
    return self._stub.InvokeMethod(self, info, args)
  File "/usr/lib64/python2.7/site-packages/pyVmomi/SoapAdapter.py", line 1254, in InvokeMethod
    conn.request('POST', self.path, req, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
pyVmomi.VmomiSupport.HostConnectFault: (vim.fault.HostConnectFault) {
   dynamicType = <unset>,
   dynamicProperty = (vmodl.DynamicProperty) [],
   msg = '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)',
   faultCause = <unset>,
   faultMessage = (vmodl.LocalizableMessage) []
}

As I understand it, the error happened because the ESXi host has a self-signed certificate but pyvmomi checked it through the system-wide openssl.

I have added a CA-signed certificate to one of my ESX hosts and added the CA certificates to openssl. This host connects OK.
But most of my ESX hosts have self-signed certificates.

Is there a way to tell pyvmomi not to check these certificates?


Thank you in advance.

Re: Connect to esxi host with self Signed certificate.

hartsock
Administrator
Hi ya,

Well, it's come up in IRC just now that there's a behavior change in Python as of version 2.7.9... that bumps up against VMware vSphere default behaviors rather directly.

(*tsk, tsk* I should have been paying closer attention)

I've opened this issue here: https://github.com/vmware/pyvmomi/issues/212

Unofficially, I hope to ship the next version of pyVmomi in early Q2 of 2015. I am waiting on the vSphere 6.0 SDK to go live so we can incorporate these APIs into the next release. I'll try and blog on this more later.

If there is a work-around my guess is it will be found by modifying:

NOTE: do the following *very carefully* and with great deliberation... the *correct* thing to do in production is to set up signed certificates on vCenter.

As a work around, you should be able to observe in 2.7.8 (or so) is set differently than in 2.7.9 ... and what you'll want to do is *globally* set ssl.SSLContext.verify_mode = CERT_NONE

--
# Shawn.Hartsock - twitter: @hartsock

SSL-verify-failed

Prashasthi
Has this issue been resolved?

I have recently started working with Pyvmomi.

I am trying to convert a vm to a template. This is my code - http://pastebin.com/cThuTh5M
I get the following error - http://pastebin.com/zjr8LsMA

Can you elaborate more on - *globally* set ssl.SSLContext.verify_mode = CERT_NONE ?

Thanks in advance!

Re: SSL-verify-failed

hartsock
Administrator
No, I've not had time to resolve it myself and no one has yet sent a pull request on the topic. I am going to have some time toward the end of the month to work on this, we'll be able to put it into a release candidate by next month I suspect. I can't reliably predict schedule at this time.

Re: SSL-verify-failed

errr
In reply to this post by Prashasthi
If you just have a couple of scripts you could do something terrible like this to the scripts as a workaround until there is a patch upstream:

https://gist.github.com/michaelrice/a6794a017e349fc65d01

This is for the samples/hello_world_vcenter.py script from the community-samples project.

-mike
Let me be useful today, and should I need to make a decision today that will forever change my life, let me make it with a clear head.

Twitter: @virtdevninja
Freenode IRC: errr
Blog: http://www.errr-online.com/

Re: SSL-verify-failed

Blair
Thanks Mike!!

Worked great - exactly what I needed for my lab.

Re: SSL-verify-failed

Csaba
In reply to this post by errr
You saved me from a lot of trouble :)

Re: SSL-verify-failed

Ramiro Algozino <algozino@gmail.com>
Hello!

You can do something like this with pyvmomi 6.0 (there was a similar workaround for previous versions):

import ssl
from pyVim import connect

# Disabling SSL certificate verification
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.verify_mode = ssl.CERT_NONE

# self.ip, self.user, self.password and self.port come from the enclosing class
service_instance = connect.SmartConnect(host=self.ip,
                                        user=self.user,
                                        pwd=self.password,
                                        port=int(self.port),
                                        sslContext=context)

Cheers!
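
An alternative for hosts with self-signed certificates that keeps verification on, as an added example that is not part of the original thread or of pyVmomi: save each host's certificate once, check it against a fingerprint recorded out of band, and trust only that certificate through the same sslContext parameter. The function names, the constructed sample bytes, and the host and file names in the comments are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, NOT a real certificate; only used to exercise
# the fingerprint helpers offline.
CONSTRUCTED_DER = b"constructed-sample-not-a-real-certificate"


def sha256_fingerprint(pem_cert):
    """Lowercase hex SHA-256 over the certificate's DER encoding."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def matches_pin(pem_cert, recorded_fp):
    """Constant-time compare against a fingerprint recorded out of band."""
    wanted = recorded_fp.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(sha256_fingerprint(pem_cert), wanted)


def strict_context():
    """Verification stays on; only hostname matching is relaxed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode is CERT_REQUIRED
    # Assumption: the host's self-signed certificate does not carry the name
    # or IP used to connect. Drop this line if it does.
    ctx.check_hostname = False
    return ctx


def pinned_context(pem_cert, recorded_fp):
    """Context that trusts exactly one host certificate and nothing else."""
    if not matches_pin(pem_cert, recorded_fp):
        raise ValueError("certificate does not match the recorded fingerprint")
    ctx = strict_context()
    # Raises ssl.SSLError if pem_cert is not a parseable X.509 certificate.
    ctx.load_verify_locations(cadata=pem_cert)
    return ctx


if __name__ == "__main__":
    pem = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)
    print(sha256_fingerprint(pem), matches_pin(pem, "00" * 32))
    # Real use (hypothetical host and file name):
    #   pem = open("esxi01.pem").read()  # saved once, e.g. via
    #                                    # ssl.get_server_certificate(("esxi01", 443))
    #   ctx = pinned_context(pem, recorded_fp)  # fingerprint recorded out of band
    #   connect.SmartConnect(host=..., user=..., pwd=..., sslContext=ctx)
```

With this context a handshake fails if the host presents any certificate other than the saved one, so a replaced or intercepted certificate surfaces as the same CERTIFICATE_VERIFY_FAILED error instead of being silently accepted.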

Re: SSL-verify-failed

Alex Ma
Thank you so much Ramiro, this solved my problem!