Posted on June 19, 2017 11:21 am
 |  Asked by Kyle O'Donnell
 |  991 views
RESOLVED

 Hi,

I’m using the eAPI for rphm (https://github.com/arista-eosext/rphm), which is awesome btw, and on a few switches I’m having eAPI auth errors.

On the servers that have no issue, the following works:

https://user:pass@switch.com/

On the switches that rphm doesn’t work, that URL does not automatically log me in, instead it prompts for the user/pass (htaccess style) again.

Any ideas what this might be?

Thanks,

0
Posted by Alexandru
Answered on June 19, 2017 2:57 pm

Hi Kyle,

Are there any differences in configuration/EOS version running on the working and non-working switches?
Are the non-working switches new switches by any chance?

Also if you run the following command do you get a certificate error?
rphm --test parse_only --debug

0
Posted by Ahmed Mostafa
Answered on June 19, 2017 3:14 pm

Hello

What error do you get when you try to install the RPHM?

Are all the switches using the same EOS?

 

1
Posted by Alexandru
Answered on June 29, 2017 3:14 pm

Hi Kyle,

Looping back to close this issue as we have discussed with the maintainer of this app:

    This is due to the fact that EOS eAPI uses self-signed certificates by default and newer versions of Python come with SSL certificate validation enforced by default. The proper resolution is to install valid, trusted certificates on all devices. If that is not desired, another option is to disable certificate validation within Python. In this case, the data will still be encrypted but you have no assurance that you are communicating with a trusted device.

There is a pull request in place that will most likely solve the issue you are seeing in regard to rphm once it is merged:
https://github.com/arista-eosext/rphm/pull/7

If you wish to use curl or wget or similar please run the queries with the certificate validation turned off.

For curl you can try -k, --insecure (SSL). This option explicitly allows curl to perform “insecure” SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered “insecure” fail unless -k, --insecure is used.

For wget the --no-check-certificate [don’t validate the server’s certificate] can be used.
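
A middle ground between the two options in the answer above, as an added example that is not part of the thread or of rphm: keep the self-signed certificate but pin its SHA-256 fingerprint, so the client refuses to send credentials to any device presenting a different certificate. The function names are hypothetical, the fingerprint is assumed to have been recorded out of band, and `/command-api` with the `runCmds` method is eAPI's JSON-RPC interface.

```python
import base64
import hashlib
import hmac
import http.client
import json
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare a certificate to a pinned fingerprint ('AA:BB:..' or plain hex)."""
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def build_request(user: str, password: str, cmds: list) -> tuple:
    """Return (headers, body) for an eAPI JSON-RPC runCmds call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json"}
    body = json.dumps({"jsonrpc": "2.0", "method": "runCmds",
                       "params": {"version": 1, "cmds": cmds, "format": "json"},
                       "id": "1"})
    return headers, body


def run_cmds(host, user, password, cmds, pinned_hex, timeout=10):
    """Run commands on a switch whose self-signed certificate is pinned."""
    # Chain validation is off because the certificate is self-signed;
    # trust comes only from the fingerprint comparison below.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.connect()  # TLS handshake only; no credentials sent yet
        der = conn.sock.getpeercert(binary_form=True)
        if not der or not matches_pin(der, pinned_hex):
            raise ssl.SSLError("switch certificate does not match the pin")
        headers, body = build_request(user, password, cmds)
        conn.request("POST", "/command-api", body=body, headers=headers)
        return json.loads(conn.getresponse().read())
    finally:
        conn.close()
```

The pin has to be updated whenever the switch's certificate is regenerated; a mismatch at any other time is worth investigating rather than bypassing.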
