Python TLS Connection Reset By Peer
I'm a bit at a loss here. Solace shows everything is ready to accept TLS connections, but it refuses with the following error on the client side:
solace.messaging.errors.pubsubplus_client_error.PubSubPlusCoreClientError: {'caller_description': 'do_connect', 'return_code': 'Not ready', 'sub_code': 'SOLCLIENT_SUBCODE_COMMUNICATION_ERROR', 'error_info_sub_code': 14, 'error_info_contents': 'TCP: Could not read from socket 8, error = Connection reset by peer (104)'}
Port 55443 is being listened to on the server, the port is open in the Firewall Security Group.
Solace TLS Status on VPN:
General TLS Settings:
And some python code:
# Imports needed for the MessagingService / TLS calls further down
from solace.messaging.messaging_service import MessagingService, RetryStrategy
from solace.messaging.config.transport_security_strategy import TLS

broker_props = {
"solace.messaging.transport.host": f"tcp://{host1}:55443,tcp://{host2}:55443",
"solace.messaging.service.vpn-name": "default",
"solace.messaging.authentication.scheme.basic.username": credentials_username,
"solace.messaging.authentication.scheme.basic.password": credentials_password
}
Same result with both security strategies:
#transport_security_strategy = TLS.create().with_certificate_validation(True, False, "/etc/ssl/certs/ca-certificates.crt")
transport_security_strategy = TLS.create().without_certificate_validation()
And our connection:
messaging_service = MessagingService.builder().from_properties(broker_props).with_reconnection_retry_strategy(RetryStrategy.parametrized_retry(20,3)).with_transport_security_strategy(transport_security_strategy).build()
messaging_service.connect()
Comments
-
You should be using tcps:// as the protocol, I believe.
0 -
That actually did the trick, now it says:
solace.messaging.errors.pubsubplus_client_error.PubSubPlusCoreClientError: SESSION CREATION UNSUCCESSFUL. Untrusted certificate. {'caller_description': 'do_connect', 'return_code': 'Not ready', 'sub_code': 'SOLCLIENT_SUBCODE_UNTRUSTED_CERTIFICATE', 'error_info_sub_code': 99, 'error_info_contents': "Session '(c0,s1)_default': The peer certificate is not trusted, rc='unable to get local issuer certificate'"}
There is a working Let's Encrypt certificate active inside the broker.
I link to the default Ubuntu CA trust store.
When I use
without_certificate_validation()
the connection works fine! So thank you for that at least :)
1 -
The 3rd parameter of the `with_certificate_validation()` method is `trust_store_file_path`. Have you tried passing `/etc/ssl/certs`?
0 -
Well, it gave me something:
2023-08-18 09:54:55,794 [WARNING] solace.messaging.core: [_solace_transport.py:84] [[SERVICE: 0x7f726dc14280] - [APP ID: eupq01/796/00000001/cyDP6jieow]] {'caller_description': 'From service event callback', 'return_code': 'Ok', 'sub_code': 'SOLCLIENT_SUBCODE_FAILED_LOADING_TRUSTSTORE', 'error_info_sub_code': 98, 'error_info_contents': "Session '(c0,s1)_default': files in trust store '/etc/ssl/certs' over the limit (64 files allowed)!"}
Guess this would be a dead end then. I'm a guest at this server and have no influence over the trust store.
0 -
Can you point to the certificate path directly? It would live at /etc/letsencrypt/live/domain_name.
1 -
Oh right... so do you have some way of getting the public cert so you can put it in a folder with fewer files?
0
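Putting the thread's pieces together, here is an added example (not code from the original post or from Solace) of the fix a practitioner would actually want: use `tcps://` for every host, keep certificate validation (and server-name checking) switched on instead of falling back to `without_certificate_validation()`, and point the third argument of `with_certificate_validation()` at a small private directory that holds only the CA certificates the broker's chain needs, so the 64-file limit the library reported for `/etc/ssl/certs` is never hit. The helper splits one or more PEM files (for example a Let's Encrypt `chain.pem` or Ubuntu's `ISRG_Root_X1.pem`; those file names, the hosts, the VPN name and the credentials are assumptions, not values from the page) into one certificate per file. The `solace` imports are done inside `connect_with_validation()` so the trust-store helpers run without the package installed, and the self-check uses constructed, non-real PEM data.

```python
"""Added example (not from the original post or from Solace): build a private
trust-store directory for the Solace Python API and connect with TLS
certificate validation enabled.

Assumptions (not stated on the page): broker host names, port 55443, the VPN
name, credentials and the source PEM file names are placeholders.
"""
import os
import re
import stat
import tempfile

# The thread shows the library rejecting a trust-store directory with more
# than 64 files, so enforce that limit before writing anything.
MAX_TRUST_STORE_FILES = 64

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(bundle_text: str) -> list:
    """Return every CERTIFICATE block in a PEM bundle as its own string."""
    return [m.group(0) + "\n" for m in _PEM_BLOCK.finditer(bundle_text)]


def build_trust_store(sources: list, dest_dir: str,
                      max_files: int = MAX_TRUST_STORE_FILES) -> list:
    """Write each certificate found in the PEM files `sources` (a file may be
    a bundle such as chain.pem) into dest_dir, one certificate per file, and
    return the paths written. Raises ValueError if the result would exceed
    max_files, so an oversized directory is never created."""
    blocks = []
    for path in sources:
        with open(path, "r", encoding="ascii") as fh:
            blocks.extend(split_pem_bundle(fh.read()))
    if len(blocks) > max_files:
        raise ValueError(
            f"{len(blocks)} certificates exceed the {max_files}-file trust-store limit")
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)  # private to this user
    written = []
    for i, block in enumerate(blocks):
        out_path = os.path.join(dest_dir, f"ca-{i:03d}.pem")
        with open(out_path, "w", encoding="ascii") as out:
            out.write(block)
        os.chmod(out_path, stat.S_IRUSR | stat.S_IWUSR)
        written.append(out_path)
    return written


def tls_host_list(hosts: list, port: int = 55443) -> str:
    """Host property for a TLS listener: every entry must use tcps://, not tcp://."""
    return ",".join(f"tcps://{h}:{port}" for h in hosts)


def connect_with_validation(hosts, vpn, username, password, trust_dir):
    """Connect with validation on. Imports are local so the helpers above
    run without the solace package; signature of with_certificate_validation
    is (ignore_expiration, validate_server_name, trust_store_file_path)."""
    from solace.messaging.messaging_service import MessagingService, RetryStrategy
    from solace.messaging.config.transport_security_strategy import TLS

    props = {
        "solace.messaging.transport.host": tls_host_list(hosts),
        "solace.messaging.service.vpn-name": vpn,
        "solace.messaging.authentication.scheme.basic.username": username,
        "solace.messaging.authentication.scheme.basic.password": password,
    }
    # Do not ignore expiry, do check the server name, trust only trust_dir.
    tls = TLS.create().with_certificate_validation(False, True, trust_dir)
    service = (MessagingService.builder()
               .from_properties(props)
               .with_reconnection_retry_strategy(RetryStrategy.parametrized_retry(20, 3))
               .with_transport_security_strategy(tls)
               .build())
    service.connect()
    return service


def demo() -> dict:
    """Self-check on constructed (not real) PEM data in a temporary directory."""
    fake_block = "-----BEGIN CERTIFICATE-----\nMIIBfakeCertificateData\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        chain = os.path.join(tmp, "chain.pem")   # stands in for a 2-cert chain.pem
        with open(chain, "w", encoding="ascii") as fh:
            fh.write(fake_block * 2)
        root = os.path.join(tmp, "root.pem")     # stands in for a single root CA
        with open(root, "w", encoding="ascii") as fh:
            fh.write(fake_block)
        written = build_trust_store([chain, root], os.path.join(tmp, "trust"))
        too_many_rejected = False
        try:  # 33 copies of a 2-cert bundle = 66 certificates > 64
            build_trust_store([chain] * 33, os.path.join(tmp, "big"))
        except ValueError:
            too_many_rejected = True
        big_dir_created = os.path.isdir(os.path.join(tmp, "big"))
    return {"written": len(written), "too_many_rejected": too_many_rejected,
            "big_dir_created": big_dir_created}


if __name__ == "__main__":
    print(demo())
    # e.g. connect_with_validation(["host1", "host2"], "default", "user", "pass",
    #                              build_trust_store(["/etc/letsencrypt/live/example.org/chain.pem"],
    #                                                os.path.expanduser("~/solace-trust")) and
    #                              os.path.expanduser("~/solace-trust"))
```

For a Let's Encrypt broker certificate the source can be the `chain.pem` next to the broker's key under `/etc/letsencrypt/live/<domain>/` (as suggested above) or the distribution's copy of the ISRG root; either way the resulting directory stays far under the 64-file limit, and the client still authenticates the broker, which `without_certificate_validation()` does not.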