Error using nextclade dataset get behind proxy: CURLE_PEER_FAILED_VERIFICATION: SSL peer certificate or SSH remote key was not OK
#726
Comments
|
I'm not very familiar with proxy servers and how they might interact with curl here. Have you tried setting the following flags? CURLOPT_SSL_VERIFYPEER=0
CURLOPT_PROXY_SSL_VERIFYPEER=0
CURLOPT_SSL_VERIFYHOST=0
CURLOPT_PROXY_SSL_VERIFYHOST=0
nextclade get ...I found them here and through StackOverflow: https://www.php.net/manual/en/function.curl-setopt.php @ivan-aksamentov may know better things to try. In any case, you can download in any way you like, using All information is contained in this json: https://data.clades.nextstrain.org/index.json The latest dataset has the field Unzip that into a folder and you're ready to go. You may still run into proxy issues, but at least the problem is simplified to "download a zip file" and you don't need to worry about how Nextclade invokes curl. |
corneliusroemer
added
nextclade_data
|
@stefandiederich had a similar problem being behind a proxy before. Ivan gave some tips back then, but I'm not sure how it got resolved, see here: #552 #532 Maybe he can comment if he sees this. Watching the https://github.com/nextstrain/nextclade_data repo for new releases (maybe twice per month) and manually updating is the worst case. You could script something together that automatically uses the latest datset though. |
corneliusroemer
changed the title
nextclade dataset get behind proxy: CURLE_PEER_FAILED_VERIFICATION: SSL peer certificate or SSH remote key was not OK
|
Hi Eric @EricFournier3, Sorry, Nextclade does not have the proxy networking functionality and it seems to be out of scope of the project. You should bring that up with your IT team and tell them that their technical implementation prevents you from doing your job. It's their responsibility to ensure you can do your work effectively. Otherwise why they exist? Also note that these restrictions might be done on purpose. I.e. they don't want you to download any files from the internet. In that case, you are about to violate some rules, and it's no longer a technical problem - you should seek support of your superiors instead. If that does not work, you have a few options (from simple and sane to complicated and ridiculous, depending on how bad your situation is):
Unfortunately, we don't have bandwidth to support any of these use-cases officially, but feel free to reach out with questions. If you ever find a solution or a workaround, please post here so that other users could also benefit. If you or your colleagues have some time, you could also take a look at how proxy support might be implemented in nextclade. Nextclade is currently using libcurl for networking, and I know that curl has a We are planning some mid-term changes in Nextclade which may or may not help to resolve this - the network implementation will be different and it might have a better support for proxies (or not). |
|
I'll close this as |
|
Thank you. I will try one of your suggestions |
corneliusroemer
added
t:feat
|
It looks like a lot of people have this problem. So while we may not want to fix it in the current Nextclade version 1, maybe this is something to bear in mind when moving to Nextclade v2? |
|
@jacaravas has written a (workaround) shell script to replace |
|
I don't think the issue here is lack of proxy support. My understanding is that libcurl respects standard proxy environment variables unless they've been explicitly disabled/overridden by libcurl init options (which I assume Nextclade wouldn't be doing). Instead, I think nextclade's libcurl either…
Situation 1 seems most likely to me given the info so far. To fix this and retain the use of the proxy, @EricFournier3 should be able to set the This situation is fairly common. As an example of this happening elsewhere, @jacaravas ran into a similar issue in nextstrain/ncov with the Python |
|
Hi,
This could explain why I'll let you do your excellent development work from here, I'm back to my questionable existence as a sysadmin in an IT team. ;-) |
|
Thanks for your idea @pilem! |
|
Indeed @corneliusroemer! I will open a new bug report then, since we see the same behaviour with the current master, tag 2.0.0-alpha3. |
|
Hi @pilem thanks for trying Nextclade v2! How do you invoke the command? Is there an easy way for us to emulate your environment to be able to reproduce the error? (i.e. a dockerfile, a provisioning script for a VM etc.). My understanding is that Nextclade via Perhaps flipping it to openssl could work? Alternatively, I think Tangentially related: can you also help us to test Nextclade v2 with SOCKS proxies? |
|
Hi @ivan-aksamentov, I did my tests with your instructions for local dev with rustup and cargo, then: For info: It works fine when outside our corporate network and also It might be difficult to create a similar setup, you'll need a transparent web filtering device, or software, with custom trusted CA, and port forwarding on the default route. It's all feasible, but it would be a lot easier to look for system calls with As you can see, no calls to ssl/tls/cert/pki configs are made. With As I understand it, the problem comes with the vendoring features of cargo. When vendored, I can give a hand to test SOCKS proxy. This is easy to setup, only a container and environment variables are required, like https://hub.docker.com/r/serjs/go-socks5-proxy/. |
|
@pilem Have you tried the new Can you tell me more about your config? In particular:
I am really no expert on either, but I believe is that the implementation of client software is quite different for these two cases. If Nextclade still does not work with the proxy flags, then how can I detect the path to your custom cert file? If you have an env var with the path, or can provide it through a flag, then I might try to add a call to reqwest::ClientBuilder::add_root_certificate(). Do you think it may work? Update: I now see that I can use the https://github.com/alexcrichton/openssl-probe crate to find out the cert paths. Update2: And perhaps also the https://github.com/inejge/env_proxy to detect proxies. |
I don't believe we use native-tls vendoring. That would require turning on this feature: In fact, if I understand correctly, we don't use native-tls at all and it should always be rustls, which does not have vendoring and not using openssl library. |
ivan-aksamentov
removed
wontfix
|
I will be away for a few days, but if someone wants to take a look during that time, then the relevant code is:
|
|
Our setup is a transparent MITM web filtering configured on the network equipment. So no need for --proxy flag in our case. http/https requests use the default route with the default ports. The ssl/tls chain is broken by this filtering as https requests are remade by the transparent proxy, with its private certificate for internal communication. We use standard system path, but you've already found that. |
|
I've just found this proxy tool, mitmproxy, that does https with a private cert with basically no config. It could be useful for testing as it is easy to reproduce the same error as above with it. Installation and launch, use a separate xterm or a tmux/screen session as mitmproxy opens a text console. Import the mitmproxy generated CA cert in the host CA trusted store. Assuming Debian based distribution: Test with Test with Look at mitmproxy event log («E» on the text console): |
|
Using reqwest's default-features fix this issue @ivan-aksamentov, @corneliusroemer. I don't know if it breaks something else. This request works with mitmproxy and a self signed certificate: mitmproxy logs: |
|
@pilem Thanks for checking! Does it also work with your production hardware setup you mentioned previously? Enabling default features in There is a few effects:
So I cannot decide how to proceed. We could:
I'll think about it and I think I am mostly up for solution (1). However it was never my intent to write and maintain this functionality for a bioinformatics tool. It's way out of scope. |
|
It works well with our production hardware @ivan-aksamentov. |
This information is a distillation of guidance and assistance I've provided to CDC and other downstream users over the years. I extracted it from my various notes and recollections and verified some specific behaviour anew. An official reference page will be useful for pointing users to in the future, and serves as a collection point for future recommendations/information uncovered in troubleshooting sessions. Related-to: <nextstrain/ncov#1055> Related-to: <nextstrain/nextclade#726>
This information is a distillation of guidance and assistance I've provided to CDC and other downstream users over the years. I extracted it from my various notes and recollections and verified some specific behaviour anew. An official reference page will be useful for pointing users to in the future, and serves as a collection point for future recommendations/information uncovered in troubleshooting sessions. Related-to: <nextstrain/ncov#774> Related-to: <nextstrain/ncov#1055> Related-to: <nextstrain/nextclade#726>
This information is a distillation of guidance and assistance I've provided to CDC and other downstream users over the years. I extracted it from my various notes and recollections and verified some specific behaviour anew. An official reference page will be useful for pointing users to in the future, and serves as a collection point for future recommendations/information uncovered in troubleshooting sessions. Related-to: <nextstrain/ncov#774> Related-to: <nextstrain/ncov#1055> Related-to: <nextstrain/nextclade#726>
Use rustls-platform-verifier to verify certificates with the OS/platform's standard methods, including the system's standard CA trust store. See rustls-platform-verifier's documentation for details on each platform.¹ Previously, the system's trust store was ignored in favor of a baked in and unconfigurable trust store provided by webpki-roots. Updates reqwest as necessary to ensure a single compatible rustls version remains in use. Updates wasm-bindgen as necessary for the newer reqwest. ¹ <https://github.com/rustls/rustls-platform-verifier/blob/v/0.3.4/README.md> Resolves: <#726>
Use rustls-platform-verifier to verify certificates with the OS/platform's standard methods, including the system's standard CA trust store. See rustls-platform-verifier's documentation for details on each platform.¹ Previously, the system's trust store was ignored in favor of a baked in and unconfigurable trust store provided by webpki-roots. Updates reqwest as necessary to ensure a single compatible rustls version remains in use. Updates wasm-bindgen as necessary for the newer reqwest. ¹ <https://github.com/rustls/rustls-platform-verifier/blob/v/0.3.4/README.md> Resolves: <#726>
Use rustls-platform-verifier to verify certificates with the OS/platform's standard methods, including the system's standard CA trust store. See rustls-platform-verifier's documentation for details on each platform.¹ Previously, the system's trust store was ignored in favor of a baked in and unconfigurable trust store provided by webpki-roots. Updates reqwest as necessary to ensure a single compatible rustls version remains in use. Updates wasm-bindgen as necessary for the newer reqwest. ¹ <https://github.com/rustls/rustls-platform-verifier/blob/v/0.3.4/README.md> Resolves: <#726> Related-to: <#1527>
Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. Currently requires using landed but unreleased changes to rustls-platform-verifier so that macOS and Windows have the needed Verifier::new_with_extra_certs() API. Notably, that API also changes signature between the latest released version (0.3.4) and the Git revision we're using. Related-to: <#1529> Related-to: <#726>
Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. Currently requires using landed unreleased changes to rustls-platform-verifier so that macOS and Windows have the needed Verifier::new_with_extra_certs() API.¹ That API also has signature changes proposed² which, while unmerged, seem likely to land, so use those in anticipation. They actually bring the signature back closer to the latest release (0.3.4). ¹ <rustls/rustls-platform-verifier#58> ² <rustls/rustls-platform-verifier#145> Related-to: <#1529> Related-to: <#726>
Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. Currently requires using landed but unreleased changes to rustls-platform-verifier so that macOS and Windows have the needed Verifier::new_with_extra_certs() API.¹ That API also has signature changes proposed² which, while unmerged, seem likely to land, so use those in anticipation. They actually bring the signature back closer to the latest release (0.3.4). ¹ <rustls/rustls-platform-verifier#58> ² <rustls/rustls-platform-verifier#145> Related-to: <#1529> Related-to: <#726>
…L trust store Previously, the platform's trust store was ignored in favor of a baked in and unconfigurable trust store provided by webpki-roots. Now the reqwest trust store will contain both certs obtained from the platform at run time as well as certs baked in via webpki-roots. Obtaining certs from the platform means that Nextclade will respect OS-level configuration to trust private CAs / self-signed certs. Keeping webpki-roots for all platforms is a precaution that makes this change merely additive for backwards compatibility, in case of platforms which lack a trust store (like some Linux containers) or platforms with out-of-date trust stores. It means that Nextclade binaries should continue to Just Work™. reqwest uses rustls-native-roots to obtain trusted CA certificates from the standard trust stores for the OS/platform. See the crate's documentation for details on each platform.¹ Notably, this does not use the platform's standard certificate verification methods like rustls-platform-verifier; it just extracts certificates. We may in the future want to switch to rustls-platform-verifier (ourselves or by waiting for reqwest to do so). Updates reqwest because an earlier (but problematic and now reverted²) change did so and there were some public API changes I'd like to use. Updates wasm-bindgen as necessary for the newer reqwest (≥0.2.89) and then a little further (0.2.93) to avoid Clippy warnings.³ ¹ <https://docs.rs/crate/rustls-native-certs/0.8.0> ² <#1529 (comment)>. ³ <rustwasm/wasm-bindgen#3985> Resolves: <#726> Related-to: <#1529> Related-to: <#1527>
…d --extra-ca-certs option Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. An option may be preferred to an env var by some users or in some invocations. It also provides a convenient place for documentation of default CA cert handling and point of discovery for users. Co-authored-by: ivan-aksamentov <[email protected]> Supersedes: <#1527> Related-to: <#1529> Related-to: <#726>
…d --extra-ca-certs option Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. An option may be preferred to an env var by some users or in some invocations. It also provides a convenient place for documentation of default CA cert handling and point of discovery for users. Co-authored-by: ivan-aksamentov <[email protected]> Supersedes: <#1527> Related-to: <#1529> Related-to: <#726>
…d --extra-ca-certs option Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. An option may be preferred to an env var by some users or in some invocations. It also provides a convenient place for documentation of default CA cert handling and point of discovery for users. Co-authored-by: ivan-aksamentov <[email protected]> Supersedes: <#1527> Related-to: <#1529> Related-to: <#726>
nextclade version 1.10.2 on centos-release-7-4.1708.el7.centos.x86_64
Hi,
when I execute the following command,
nextclade dataset get --name sars-cov-2 --output-dir /home/[email protected]/temp/20220209/TESTNEXTLADEI get the following error
[ERROR] Nextclade: When fetching a file "https://data.clades.nextstrain.org/index.json": CURLE_PEER_FAILED_VERIFICATION: SSL peer certificate or SSH remote key was not OK
I got the same error when I append insecure in my ~/.curlrc
Actually, our process run under a proxy with ssl full inspection. The non-recognized certificate is on our side. Is there a way like curl to activate a switch to ignore the certificate ?
Can you please help me with this
Best,
Eric
The text was updated successfully, but these errors were encountered: