Login to RemoteSite failed

I have a Master Site in my company's network on a Linux CentOS 8 server and a remote site on a CentOS 8 server in the Azure cloud.

Livestatus is online and connected, but I cannot log in to the remote site to push config to the master site. I get the following error:

Internal error: (‘Connection aborted.’, ConnectionResetError(104, ‘Connection reset by peer’))
Traceback (most recent call last):
File “/omd/sites/Main/lib/python3/urllib3/connectionpool.py”, line 670, in urlopen
httplib_response = self._make_request(
File “/omd/sites/Main/lib/python3/urllib3/connectionpool.py”, line 426, in _make_request
six.raise_from(e, None)
File “”, line 3, in raise_from
File “/omd/sites/Main/lib/python3/urllib3/connectionpool.py”, line 421, in _make_request
httplib_response = conn.getresponse()
File “/omd/sites/Main/lib/python3.8/http/client.py”, line 1347, in getresponse
response.begin()
File “/omd/sites/Main/lib/python3.8/http/client.py”, line 307, in begin
version, status, reason = self._read_status()
File “/omd/sites/Main/lib/python3.8/http/client.py”, line 268, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), “iso-8859-1”)
File “/omd/sites/Main/lib/python3.8/socket.py”, line 669, in readinto
return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/omd/sites/Main/lib/python3/requests/adapters.py”, line 439, in send
resp = conn.urlopen(
File “/omd/sites/Main/lib/python3/urllib3/connectionpool.py”, line 726, in urlopen
retries = retries.increment(
File “/omd/sites/Main/lib/python3/urllib3/util/retry.py”, line 403, in increment
raise six.reraise(type(error), error, _stacktrace)
File “/omd/sites/Main/lib/python3/urllib3/packages/six.py”, line 734, in reraise
raise value.with_traceback(tb)
File “/omd/sites/Main/lib/python3/urllib3/connectionpool.py”, line 670, in urlopen
httplib_response = self._make_request(
File “/omd/sites/Main/lib/python3/urllib3/connectionpool.py”, line 426, in _make_request
six.raise_from(e, None)
File “”, line 3, in raise_from
File “/omd/sites/Main/lib/python3/urllib3/connectionpool.py”, line 421, in _make_request
httplib_response = conn.getresponse()
File “/omd/sites/Main/lib/python3.8/http/client.py”, line 1347, in getresponse
response.begin()
File “/omd/sites/Main/lib/python3.8/http/client.py”, line 307, in begin
version, status, reason = self._read_status()
File “/omd/sites/Main/lib/python3.8/http/client.py”, line 268, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), “iso-8859-1”)
File “/omd/sites/Main/lib/python3.8/socket.py”, line 669, in readinto
return self._sock.recv_into(b)
urllib3.exceptions.ProtocolError: (‘Connection aborted.’, ConnectionResetError(104, ‘Connection reset by peer’))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/omd/sites/Main/lib/python3/cmk/gui/wato/pages/sites.py”, line 602, in _action_login
secret = watolib.do_site_login(login_id, name, passwd)
File “/omd/sites/Main/lib/python3/cmk/gui/watolib/automations.py”, line 364, in do_site_login
response = get_url(url, site.get(‘insecure’, False), auth=(name, password),
File “/omd/sites/Main/lib/python3/cmk/gui/watolib/automations.py”, line 337, in get_url
return get_url_raw(url, insecure, auth, data, files, timeout).text
File “/omd/sites/Main/lib/python3/cmk/gui/watolib/automations.py”, line 309, in get_url_raw
response = requests.post(
File “/omd/sites/Main/lib/python3/requests/api.py”, line 116, in post
return request(‘post’, url, data=data, json=json, **kwargs)
File “/omd/sites/Main/lib/python3/requests/api.py”, line 60, in request
return session.request(method=method, url=url, **kwargs)
File “/omd/sites/Main/lib/python3/requests/sessions.py”, line 533, in request
resp = self.send(prep, **send_kwargs)
File “/omd/sites/Main/lib/python3/requests/sessions.py”, line 646, in send
r = adapter.send(request, **kwargs)
File “/omd/sites/Main/lib/python3/requests/adapters.py”, line 498, in send
raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: (‘Connection aborted.’, ConnectionResetError(104, ‘Connection reset by peer’))

I disabled SELinux on both servers. I opened port 6557 to connect to my remote site server in Azure.
I followed this guide: Verteiltes Monitoring - Checkmk skalieren und verteilen

Does anyone have a solution for that problem?

You will need HTTP/S (ports 80 or 443) to log in to that site. Port 6557 is only for Livestatus.
I highly recommend securing your web interfaces with HTTPS.

Thank you for your answer. I’ll open port 443 and let you know if my problem is solved. Do I have to let the port open after login?

Do I have to let the port open after login?

Yes, because that is how the configuration is being pushed to that site.

Hi,
did you check the SELinux settings on the remote site?
Regards,
Christian

Thank you for your answer. I disabled SELinux on both hosts.

I opened port 443 in my Azure firewall so that the configuration can be pushed. That was the problem. Now I am able to configure the remote site through my main site. Thank you for your answers.

Now my remote site (on a CentOS 8 Linux VM in Azure) is connected to my main monitoring site. When I try to log in to that remote site, I get the following error:

Internal error: HTTPSConnectionPool(host='monitoring.gemdat.cloud', port=443): Max retries exceeded with url: /Kunden/check_mk/login.py (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
Traceback (most recent call last):
File "/omd/sites/Main/lib/python3/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
cnx.do_handshake()
File "/omd/sites/Main/lib/python3/OpenSSL/SSL.py", line 1934, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/omd/sites/Main/lib/python3/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
_raise_current_error()
File "/omd/sites/Main/lib/python3/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/omd/sites/Main/lib/python3/urllib3/connectionpool.py", line 670, in urlopen
httplib_response = self._make_request(
File "/omd/sites/Main/lib/python3/urllib3/connectionpool.py", line 381, in _make_request
self._validate_conn(conn)
File "/omd/sites/Main/lib/python3/urllib3/connectionpool.py", line 978, in _validate_conn
conn.connect()
File "/omd/sites/Main/lib/python3/urllib3/connection.py", line 362, in connect
self.sock = ssl_wrap_socket(
File "/omd/sites/Main/lib/python3/urllib3/util/ssl_.py", line 384, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/omd/sites/Main/lib/python3/urllib3/contrib/pyopenssl.py", line 494, in wrap_socket
raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/omd/sites/Main/lib/python3/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/omd/sites/Main/lib/python3/urllib3/connectionpool.py", line 726, in urlopen
retries = retries.increment(
File "/omd/sites/Main/lib/python3/urllib3/util/retry.py", line 439, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='monitoring.gemdat.cloud', port=443): Max retries exceeded with url: /Kunden/check_mk/login.py (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/omd/sites/Main/lib/python3/cmk/gui/wato/pages/sites.py", line 602, in _action_login
secret = watolib.do_site_login(login_id, name, passwd)
File "/omd/sites/Main/lib/python3/cmk/gui/watolib/automations.py", line 364, in do_site_login
response = get_url(url, site.get('insecure', False), auth=(name, password),
File "/omd/sites/Main/lib/python3/cmk/gui/watolib/automations.py", line 337, in get_url
return get_url_raw(url, insecure, auth, data, files, timeout).text
File "/omd/sites/Main/lib/python3/cmk/gui/watolib/automations.py", line 309, in get_url_raw
response = requests.post(
File "/omd/sites/Main/lib/python3/requests/api.py", line 116, in post
return request('post', url, data=data, json=json, **kwargs)
File "/omd/sites/Main/lib/python3/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/omd/sites/Main/lib/python3/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/omd/sites/Main/lib/python3/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/omd/sites/Main/lib/python3/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='monitoring.gemdat.cloud', port=443): Max retries exceeded with url: /Kunden/check_mk/login.py (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

I installed a wildcard certificate and I can connect via HTTPS to my remote site with a browser; the certificate is valid and the connection is encrypted. I don't know why I am getting this error from Checkmk. When I check “ignore tls errors”, I can log in to that remote site. Is there anything else? Ports 443 and 6557 are open - tested with netcat / telnet.

That was my fault: I did not import the whole certificate chain, so the browser accepted it but the login from my main site got an error. Everything works just fine now.

That happens quite a lot because people do not know that most browsers will assemble the certificate chain themselves, but many command line tools, and in this case Python, expect a proper chain delivered by the web server.
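
The difference described above can be reproduced offline. This is an added example, not part of the original thread: it builds a constructed root, intermediate and server certificate with the openssl CLI and verifies the server certificate the way a strict client does, using only the certificates the server sends plus its own trust store. All subject names and file names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed throw-away PKI: root CA -> intermediate CA -> server (leaf) cert.

make_pki() (  # $1 = empty working directory; runs in a subshell
    cd "$1" || exit 1
    # Minimal openssl config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = CA:FALSE' > pki.cnf

    issue() {  # $1 = name, $2 = subject CN, $3 = extension section, $4 = issuing CA
        openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
            -out "$1.csr" -subj "/CN=$2" 2>/dev/null &&
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
            -extfile pki.cnf -extensions "$3" -out "$1.pem" -days 2 2>/dev/null
    }

    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
        -keyout root.key -out root.pem -subj '/CN=Constructed Root CA' \
        -days 2 2>/dev/null &&
    issue inter 'Constructed Intermediate CA' ca root &&
    issue leaf 'remote.example.test' leaf inter &&
    # What the web server should be configured to send: leaf first, then intermediate.
    cat leaf.pem inter.pem > fullchain.pem
)

# Verify the leaf as a strict client: trust store = root only, chain candidates =
# only the file the server sends ($2). Nothing is fetched from the network.
strict_client_verify() (  # $1 = PKI directory, $2 = file the server would send
    cd "$1" || exit 1
    openssl verify -CAfile root.pem -untrusted "$2" leaf.pem >/dev/null 2>&1
)

demo() {
    d=$(mktemp -d) && make_pki "$d" || return 1
    strict_client_verify "$d" leaf.pem &&
        echo "leaf only:  verified" || echo "leaf only:  certificate verify failed"
    strict_client_verify "$d" fullchain.pem &&
        echo "full chain: verified" || echo "full chain: certificate verify failed"
    rm -rf "$d"
}
demo
```

Against a live site, `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` (HOST is a placeholder) lists the certificates the server actually sends, which shows whether the intermediate is missing.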

@robin.gierse @Uller
Which certificate do we need to use? I have created a script to integrate with Opsgenie. I am getting the same error. I provided verify=/etc/ssl/certs/ca-certificate.crt but it is not working; I am getting the error below.

requests.exceptions.SSLError: HTTPSConnectionPool(host='api.eu.opsgenie.com', port=443): Max retries exceeded with url: /v1/json/checkmk?apiKey=xxxxxxxxxxxxxxxxx (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

@akhil this is totally unrelated, please open a new thread.
