I am using the following config.hcl for my Hashicorp server:
disable_mlock = true
storage "file" {
path = "/etc/secrets"
}
listener "tcp" {
address = "10.xx.xx.xx:8200"
tls_cert_file = "/etc/certs/selfsigned.crt"
tls_key_file = "/etc/certs/selfsigned.key"
}
It works fine when I perform vault operations, but when I try to access it with the hvac Python library I get an SSL error. The code I use to connect to the Hashicorp server from Python is:
import hvac
client = hvac.Client(url='https://10.xx.xx.xx:8200', cert=('/etc/certs/selfsigned.crt', '/etc/certs/selfsigned.key'))
client.token = 'd460cb82-08aa-4b97-8655-19b6593b262d'
client.is_authenticated()
The full error trace I get is as follows:
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 552, in is_authenticated
    self.lookup_token()
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 460, in lookup_token
    return self._get('/v1/auth/token/lookup-self', wrap_ttl=wrap_ttl).json()
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 1236, in _get
    return self.__request('get', url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 1264, in __request
    allow_redirects=False, **_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 511, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.xx.xx.xx', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
According to the hvac documentation, to use TLS with client certificate authentication you need to specify the verify=server_cert_path parameter.
Tested as follows, I get the result as expected. By the way, it runs successfully with or without the token parameter.
import hvac
client = hvac.Client(url='https://127.0.0.1:8200',
token='xxxxxxxx',
cert=('server.crt',
'server.key'),
verify='ca.crt')
res = client.is_authenticated()
print("res:", res)
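As an added example (not code from the question or the answer above), the helper below builds the same keyword arguments the answer passes to hvac.Client, with verify= pointing at the CA bundle and cert= at the client certificate pair, and checks that material locally before any connection is opened, so a bad trust anchor surfaces as a clear message instead of "bad handshake". The file names and the connect() wrapper are hypothetical.

```python
import os
import ssl


def vault_tls_kwargs(url, ca_bundle, client_cert=None, client_key=None):
    """Return kwargs for hvac.Client(url=..., verify=..., cert=...).

    verify -> CA bundle the *server* certificate must chain to.
    cert   -> (cert, key) pair the *client* presents. It never makes the
              server trusted, which is the gap in the question's code.
    """
    if not url.startswith("https://"):
        raise ValueError("Vault URL must use https:// when TLS is enabled")
    if ca_bundle in (None, False, ""):
        raise ValueError("refusing verify=False; pass the CA bundle path")
    if not os.path.isfile(ca_bundle):
        raise FileNotFoundError("CA bundle not found: %s" % ca_bundle)

    # Load the bundle the same way urllib3 does for verify=<path>; an
    # empty or non-PEM file raises ssl.SSLError with a readable reason.
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=ca_bundle)

    kwargs = {"url": url, "verify": ca_bundle}
    if client_cert or client_key:
        if not (client_cert and client_key):
            raise ValueError("client cert and key must be given together")
        for path in (client_cert, client_key):
            if not os.path.isfile(path):
                raise FileNotFoundError("client TLS file not found: %s" % path)
        kwargs["cert"] = (client_cert, client_key)
    return kwargs


def connect(token, **tls_kwargs):
    """Hypothetical wrapper: create the hvac client and report whether the
    token is valid. hvac is imported lazily so the checks above still run
    on a machine where it is not installed."""
    import hvac
    client = hvac.Client(token=token, **tls_kwargs)
    return client.is_authenticated()


if __name__ == "__main__":
    # Placeholder paths; replace with the real CA bundle and client pair.
    opts = vault_tls_kwargs("https://127.0.0.1:8200", "ca.crt",
                            "client.crt", "client.key")
    print(connect("s.placeholder-token", **opts))
```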