Keystone Wirecloud Authentication failed: [SSL: CE

2019-07-25 14:22发布

问题:

When trying to authenticate in Wirecloud via KeyStone we get the following error displayed in the browser:

Environment:


Request Method: GET
Request URL: https://<ServerURL>/complete/fiware/?state=SDyJk9ru8wSLwUZIRtSrwI86jznMIv8O&code=WzIZ11YpmGAuZoltvTTGMGoP45ZtHe

Django Version: 1.6.11
Python Version: 2.7.9
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'django.contrib.admin',
 'wirecloud.commons',
 'wirecloud.defaulttheme',
 'compressor',
 'south',
 'wirecloud.catalogue',
 'wirecloud.platform',
 'wirecloud.fiware',
 'social.apps.django_app.default')
Installed Middleware:
('wirecloud.commons.middleware.URLMiddleware',)


Traceback:
File "/usr/local/venv/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
  112.                     response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/django/views/decorators/cache.py" in _wrapped_view_func
  52.         response = view_func(request, *args, **kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/django/views/decorators/csrf.py" in wrapped_view
  57.         return view_func(*args, **kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/social/apps/django_app/utils.py" in wrapper
  51.             return func(request, backend, *args, **kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/social/apps/django_app/views.py" in complete
  28.                        redirect_name=REDIRECT_FIELD_NAME, *args, **kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/social/actions.py" in do_complete
  43.         user = backend.complete(user=user, *args, **kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/social/backends/base.py" in complete
  41.         return self.auth_complete(*args, **kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/social/utils.py" in wrapper
  229.             return func(*args, **kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/social/backends/oauth.py" in auth_complete
  383.             method=self.ACCESS_TOKEN_METHOD
File "/usr/local/venv/lib/python2.7/site-packages/social/backends/oauth.py" in request_access_token
  361.         return self.get_json(*args, **kwargs)
File "/usr/local/venv/lib/python2.7/site-packages/social/backends/base.py" in get_json
  229.         return self.request(url, *args, **kwargs).json()
File "/usr/local/venv/lib/python2.7/site-packages/social/backends/base.py" in request
  224.             raise AuthFailed(self, str(err))

Exception Type: AuthFailed at /complete/fiware/
Exception Value: Authentication failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

The Wirecloud log shows the following:

[Fri Mar 04 08:09:51.933675 2016] [ssl:info] [pid 29119:tid 140090189723392] [client 172.30.20.99:63539] AH01964: Connection to child 20 established (server <ServerURL>:443)
[Fri Mar 04 08:10:04.388865 2016] [ssl:info] [pid 29120:tid 140090223294208] [client 172.30.20.99:63557] AH01964: Connection to child 80 established (server <ServerURL>:443)
[Fri Mar 04 08:10:04.443926 2016] [wsgi:error] [pid 29117:tid 140090323621632] Internal Server Error: /complete/fiware/
[Fri Mar 04 08:10:04.443940 2016] [wsgi:error] [pid 29117:tid 140090323621632] Traceback (most recent call last):
[Fri Mar 04 08:10:04.443942 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response
[Fri Mar 04 08:10:04.443945 2016] [wsgi:error] [pid 29117:tid 140090323621632]     response = wrapped_callback(request, *callback_args, **callback_kwargs)
[Fri Mar 04 08:10:04.443947 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/django/views/decorators/cache.py", line 52, in _wrapped_view_func
[Fri Mar 04 08:10:04.443950 2016] [wsgi:error] [pid 29117:tid 140090323621632]     response = view_func(request, *args, **kwargs)
[Fri Mar 04 08:10:04.443952 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 57, in wrapped_view
[Fri Mar 04 08:10:04.443954 2016] [wsgi:error] [pid 29117:tid 140090323621632]     return view_func(*args, **kwargs)
[Fri Mar 04 08:10:04.443956 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/apps/django_app/utils.py", line 51, in wrapper
[Fri Mar 04 08:10:04.443958 2016] [wsgi:error] [pid 29117:tid 140090323621632]     return func(request, backend, *args, **kwargs)
[Fri Mar 04 08:10:04.443960 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/apps/django_app/views.py", line 28, in complete
[Fri Mar 04 08:10:04.443962 2016] [wsgi:error] [pid 29117:tid 140090323621632]     redirect_name=REDIRECT_FIELD_NAME, *args, **kwargs)
[Fri Mar 04 08:10:04.443964 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/actions.py", line 43, in do_complete
[Fri Mar 04 08:10:04.443966 2016] [wsgi:error] [pid 29117:tid 140090323621632]     user = backend.complete(user=user, *args, **kwargs)
[Fri Mar 04 08:10:04.443968 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/backends/base.py", line 41, in complete
[Fri Mar 04 08:10:04.443971 2016] [wsgi:error] [pid 29117:tid 140090323621632]     return self.auth_complete(*args, **kwargs)
[Fri Mar 04 08:10:04.443973 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/utils.py", line 229, in wrapper
[Fri Mar 04 08:10:04.443975 2016] [wsgi:error] [pid 29117:tid 140090323621632]     return func(*args, **kwargs)
[Fri Mar 04 08:10:04.443977 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/backends/oauth.py", line 383, in auth_complete
[Fri Mar 04 08:10:04.443979 2016] [wsgi:error] [pid 29117:tid 140090323621632]     method=self.ACCESS_TOKEN_METHOD
[Fri Mar 04 08:10:04.443981 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/backends/oauth.py", line 361, in request_access_token
[Fri Mar 04 08:10:04.443983 2016] [wsgi:error] [pid 29117:tid 140090323621632]     return self.get_json(*args, **kwargs)
[Fri Mar 04 08:10:04.443985 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/backends/base.py", line 229, in get_json    
[Fri Mar 04 08:10:04.443987 2016] [wsgi:error] [pid 29117:tid 140090323621632]     return self.request(url, *args, **kwargs).json()
[Fri Mar 04 08:10:04.443995 2016] [wsgi:error] [pid 29117:tid 140090323621632]   File "/usr/local/venv/lib/python2.7/site-packages/social/backends/base.py", line 224, in request
[Fri Mar 04 08:10:04.443997 2016] [wsgi:error] [pid 29117:tid 140090323621632]     raise AuthFailed(self, str(err))
[Fri Mar 04 08:10:04.443999 2016] [wsgi:error] [pid 29117:tid 140090323621632] AuthFailed: Authentication failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

And the Horizon log displays this:

[Fri Mar 04 08:10:01.939771 2016] [ssl:info] [pid 29120:tid 140090282043136] [client 172.30.20.99:63555] AH01964: Connection to child 73 established (<ServerURL>:443)
[Fri Mar 04 07:10:02.175214 2016] [wsgi:error] [pid 29118:tid 140090390763264] No regions could be found excluding identity.
[Fri Mar 04 07:10:02.175651 2016] [wsgi:error] [pid 29118:tid 140090390763264] Login successful for user "<UserEmail>".
[Fri Mar 04 07:10:02.313486 2016] [wsgi:error] [pid 29118:tid 140090415941376] DEBUG:idm_logger:Requesting authorization for application: 904fd95c253c4938a824d1a443ce0fdd with redirect_uri: https://<ServerURL>/complete/fiware/         and scope: ['all_info'] by user <UserName>
[Fri Mar 04 07:10:02.346101 2016] [wsgi:error] [pid 29118:tid 140090415941376] DEBUG:idm_logger:OAUTH2: Application 904fd95c253c4938a824d1a443ce0fdd NOT alreadyauthorized
[Fri Mar 04 07:10:04.250695 2016] [wsgi:error] [pid 29118:tid 140090390763264] DEBUG:idm_logger:Authorizing application: 904fd95c253c4938a824d1a443ce0fdd by user: <UserName>
[Fri Mar 04 07:10:04.274461 2016] [wsgi:error] [pid 29118:tid 140090390763264] DEBUG:idm_logger:OAUTH2: Authorization Code obtained WzIZ11YpmGAuZoltvTTGMGoP45ZtHe
[Fri Mar 04 07:10:04.274541 2016] [wsgi:error] [pid 29118:tid 140090390763264] DEBUG:idm_logger:OAUTH2: Redirecting user back to https://<ServerURL>/complete/fiware/?state=SDyJk9ru8wSLwUZIRtSrwI86jznMIv8O&code=WzIZ11YpmGAuZoltvTTGMGoP45ZtHe
[Fri Mar 04 08:10:04.441087 2016] [ssl:info] [pid 29120:tid 140090189723392] [client 192.168.149.9:53270] AH01964: Connection to child 84 established (server <ServerURL>:443)
[Fri Mar 04 08:10:04.442137 2016] [ssl:info] [pid 29120:tid 140090189723392] [client 192.168.149.9:53270] AH02008: SSL library error 1 in handshake (server <ServerURL>:443)
[Fri Mar 04 08:10:04.442165 2016] [ssl:info] [pid 29120:tid 140090189723392] SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)
[Fri Mar 04 08:10:04.442174 2016] [ssl:info] [pid 29120:tid 140090189723392] [client 192.168.149.9:53270] AH01998: Connection closed to child 84 with abortive shutdown (server <ServerURL>:443)

Horizon and Wirecloud run on the same apache, Wirecloud under port 443 and Horizon under port 40443. Both use the same cert files for ssl and work, called by themself, fine. Those cert files are currently self signed ones.

Since I am pretty new to ssl usage in apache any halp would be much appreciated.

回答1:

As you are using self-signed certificates, the best option is including your cert into the list of trusted certificates. requests (the module used for making this request) usually uses a bundle by default (it depends on the installation method). You can edit that bundle for adding your cert (see this link for more details) although you will have to update this bundle every time you upgrade the requests module.

Another option, is to configure requests for using the trusted certs repository from the OS. This can be configured using the REQUESTS_CA_BUNDLE environment var (e.g. by editing your wgsi.py file adding something similar to this: os.environ['REQUESTS_CA_BUNDLE'] = "/etc/ssl/certs/ca-certificates.crt"). The operation of adding your cert into the trusted repository depends on your OS, but there is a lot of information about this matter on google (e.g. here you can find how to do it using Debian/Ubuntu).