First record does not look like a TLS handshake #272

Open
tsmjay opened this issue Jul 19, 2024 · 4 comments


tsmjay commented Jul 19, 2024

Hi,

This is the process I'm following:

  1. Take a recent build of SONiC
  2. Run it in GNS3
  3. Get a bash shell inside the 'docker-sonic-gnmi' container
  4. Run the example gNMI 'get' command

When I do that, I get the following:

root@sonic:/# gnmi_get -insecure -username admin -password YourPaSsWoRd -xpath /openconfig-interfaces:interfaces/interface[name=Ethernet0]/config -target_addr 127.0.0.1:8080 -xpath_target OC-YANG
== getRequest:
prefix: <
  target: "OC-YANG"
>
path: <
  origin: "openconfig-interfaces"
  elem: <
    name: "interfaces"
  >
  elem: <
    name: "interface"
    key: <
      key: "name"
      value: "Ethernet0"
    >
  >
  elem: <
    name: "config"
  >
>
encoding: JSON_IETF

F0719 18:58:12.816922      67 gnmi_get.go:145] Get failed: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake"
root@sonic:/#

I have tested the master, 202405, 202311 and 202305 branches.

Am I missing something?

Thanks.


fishingfly commented Sep 5, 2024

try?

gnmi_get -notls -username admin -password YourPaSsWoRd -xpath /openconfig-interfaces:interfaces/interface[name=Ethernet0]/config -target_addr 127.0.0.1:8080 -xpath_target OC-YANG


puffc commented Nov 7, 2024

@fishingfly

root@sonic:/# gnmi_get -notls -username admin -password YourPaSsWoRd -xpath /openconfig-interfaces:interfaces/interface[name=Ethernet0]/config -target_addr 127.0.0.1:8080 -xpath_target OC-YANG
F1107 08:22:16.200512 1098 gnmi_get.go:86] Dialing to "127.0.0.1:8080" failed: grpc: the credentials require transport level security (use grpc.WithTransportCredentials() to set)

@slicking

@sachinholla FYI

@sachinholla
Contributor

@puffc, by default the gNMI server runs in no-authentication mode, so you can omit the -username and -password arguments. It looks like the Go gRPC library does not allow credentials in no-TLS mode.

gnmi_get -notls -target_addr 127.0.0.1:8080 -xpath ....

About the "first record does not look like a TLS handshake" error -- the gNMI server requires certificate configuration to run in TLS mode. You can run the following commands from the host Linux prompt (outside the telemetry container) and restart the container.

openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 999 \
    -subj "/CN=test.sonicfoundation.dev" \
    -addext "keyUsage = digitalSignature, keyEncipherment" \
    -addext "extendedKeyUsage = serverAuth, clientAuth" \
    -out /etc/sonic/server_crt.pem -keyout /etc/sonic/server_key.pem
 
sonic-db-cli CONFIG_DB hset 'GNMI|certs' \
    server_crt /etc/sonic/server_crt.pem \
    server_key /etc/sonic/server_key.pem \
    ca_crt ""

Now gnmi_get can be used without the -notls option; use -insecure to skip certificate validation at the client side.

gnmi_get -insecure -target_addr 127.0.0.1:8080 -xpath ....
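
A diagnostic sketch for the error discussed in this thread, added here as an example (it is not code from the thread or from the project): Go's crypto/tls reports the failure as tls.RecordHeaderError, whose RecordHeader field holds the first five bytes the peer sent, so they can be classified. The function names, the in-memory fakeServer and its reply bytes are constructed for illustration, and the plaintext peer is assumed to answer with an HTTP/2 SETTINGS frame.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
)

// classify guesses what the peer speaks from the first 5 bytes it sent back.
func classify(h [5]byte) string {
	length := int(h[0])<<16 | int(h[1])<<8 | int(h[2]) // HTTP/2 24-bit frame length
	switch {
	case h[0] == 0x16 && h[1] == 0x03: // TLS handshake record, version 3.x
		return "tls"
	case h[3] == 0x04 && h[4]&^0x01 == 0 && length%6 == 0: // HTTP/2 SETTINGS frame
		return "plaintext-http2"
	case string(h[:]) == "HTTP/": // start of an HTTP/1.x status line
		return "plaintext-http1"
	}
	return "unknown"
}

// probe tries a TLS handshake; on RecordHeaderError it classifies the peer's bytes.
func probe(conn net.Conn, serverName string) (string, error) {
	defer conn.Close()
	err := tls.Client(conn, &tls.Config{ServerName: serverName}).Handshake()
	var rhe tls.RecordHeaderError
	kind := "tls"
	if errors.As(err, &rhe) {
		kind = classify(rhe.RecordHeader)
	} else if err != nil {
		kind = "unknown"
	}
	return kind, err
}

// fakeServer is a constructed stand-in: it discards input and replies with first.
func fakeServer(first []byte) net.Conn {
	client, server := net.Pipe()
	go io.Copy(io.Discard, server)
	go server.Write(first)
	return client
}

func main() {
	// Constructed reply: an empty HTTP/2 SETTINGS frame (type 0x04, length 0).
	fmt.Println(probe(fakeServer([]byte{0, 0, 0, 0x04, 0, 0, 0, 0, 0}), "test.sonicfoundation.dev"))
}
```

A result of plaintext-http2 means the listener is not serving TLS, which is the condition the certificate configuration above addresses.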
