Hi,

Just found the issue. Nothing to do with cockpit at all! After turning on the nginx debugging, the SSL handshake was clean - the problem lay in the request url itself. My API was using flask directly before and this issue wasn't a problem, but nginx picked it up.

Thanks!

PC

On Thu, May 9, 2019 at 6:04 PM Paul Cuzner <[email protected]> wrote:
>
> Hi,
>
> I have a https (self signed) RESTAPI running in a container on
> localhost(uses host networking) that I'm trying to access from my
> cockpit plugin. However, despite numerous changes, I can't get it to
> work.
>
> Can someone tell me what I'm doing wrong?
>
> I've confirmed that the crt and key files work against the API with curl
> curl -i -k --key /etc/ansible-runner-service/certs/client/client.key
> --cert /etc/ansible-runner-service/certs/client/client.crt
> https://localhost:5001/api/v1/playbooks
> HTTP/1.1 200 OK
> Server: nginx/1.12.2
> Date: Thu, 09 May 2019 05:43:05 GMT
> Content-Type: application/json
> Content-Length: 183
> Connection: keep-alive
>
> The client crt and key files start with "----BEGIN CERTIFICATE-----",
> and "-----BEGIN RSA PRIVATE KEY-----" respectively - so I believe the
> format is OK. they also are readable
> [root@rh460p client]# ls -al
> total 32
> drwxr-xr-x. 2 root root 4096 May 9 16:37 .
> drwxr-xr-x. 5 root root 4096 May 9 17:16 ..
> -rw-r--r--. 1 root root 1424 May 9 12:39 client.crt
> -rw-r--r--. 1 root root 891 May 9 12:39 client.key
>
> (The client key was created with 1024bits)
>
> My plugin has this defined for the http interaction;
>
> const apiPort = 5001;
> const apiHost = 'localhost';
> const http = cockpit.http({
>     "address": apiHost,
>     "port": apiPort,
>     "tls": {
>         "certificate": {
>             "file": "/etc/ansible-runner-service/certs/client/client.crt",
>         },
>         "key": {
>             "file": "/etc/ansible-runner-service/certs/client/client.key",
>         },
>         "validate": false // localhost isn't tls validated anyway
>     }
> });
>
> export function checkAPI(svcToken) {
>     console.log("checking API is there @ " + now());
>     return http.get("api"); // , null, {Authorization: svcToken});
> }
>
> When checkAPI gets called the connection to the API fails. In the
> client browser I get
> error {"status":400,"reason":"Bad Request","message":"Bad
> Request","problem":null}
>
> In nginx's log within the container, I see
> [info] 19#0: *72 client sent invalid request while reading client
> request line, client: 127.0.0.1, server: , request: "GET api HTTP/1.1"
>
> I get the same result with and without selinux enabled (couldn't see
> any denied messages in the audit.log anyway!)
>
>
> Hopefully this makes some sense...
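
Added example, not part of the original thread and not Cockpit or nginx code: the nginx log line quoted above records the request target as `api`, with no leading slash. The sketch below classifies request lines by the request-target forms of RFC 7230 section 5.3; `classifyRequestLine` and `toOriginForm` are hypothetical helper names, and the sample lines other than the logged one are constructed.

```javascript
// Added example: classify an HTTP/1.1 request line by the request-target
// forms of RFC 7230 section 5.3 (origin, absolute, authority, asterisk).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function classifyRequestLine(line) {
  const parts = line.split(" ");
  if (parts.length !== 3) {
    return { ok: false, reason: "expected 'METHOD target HTTP/x.y'" };
  }
  const [method, target, version] = parts;
  if (!TOKEN.test(method)) return { ok: false, reason: "invalid method token" };
  if (!/^HTTP\/\d\.\d$/.test(version)) return { ok: false, reason: "invalid HTTP version" };

  // origin-form: absolute path, always begins with "/"
  if (target.startsWith("/")) return { ok: true, form: "origin" };
  // absolute-form: full URI, as sent to a proxy
  if (/^[A-Za-z][A-Za-z0-9+.-]*:\/\//.test(target)) return { ok: true, form: "absolute" };
  // asterisk-form: only meaningful for a server-wide OPTIONS
  if (target === "*") {
    return method === "OPTIONS"
      ? { ok: true, form: "asterisk" }
      : { ok: false, reason: "'*' is only valid with OPTIONS" };
  }
  // authority-form: host:port, only for CONNECT
  if (method === "CONNECT" && /^[^\/\s]+:\d+$/.test(target)) {
    return { ok: true, form: "authority" };
  }
  return { ok: false, reason: "request-target must start with '/'" };
}

// Hypothetical helper: normalise a path before handing it to an HTTP client.
// Whitespace and control characters are refused so that a caller-supplied
// path cannot break out of the request line.
function toOriginForm(path) {
  if (/[\s\x00-\x1f\x7f]/.test(path)) {
    throw new Error("whitespace or control character in path");
  }
  return path.startsWith("/") ? path : "/" + path;
}

// The first sample is the request line from the nginx log in the thread;
// the others are constructed for comparison.
const samples = [
  "GET api HTTP/1.1",
  "GET /api HTTP/1.1",
  "OPTIONS * HTTP/1.1",
  "GET " + toOriginForm("api/v1/playbooks") + " HTTP/1.1",
];
for (const s of samples) console.log(JSON.stringify(s), classifyRequestLine(s));
```

A strict server rejects the first sample with a 400 before any routing happens, which matches the "client sent invalid request while reading client request line" entry; a more lenient development server may accept it, so the defect only surfaces once a front end such as nginx is placed in the path.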
