DOCKER - Zato Components SSL error


#1

Hi Guys

Hope that you can help!

We are creating two docker containers. One with a web admin and one with the load balancer and four servers.

I am getting the "could not fetch the load balancer's configuration" error in the GUI. More specifically, in the web admin logs I am getting this:

21:MainThread - zato.admin.web.views.cluster:174 - Could not invoke agent, client:[<ServerProxy for 192.168.0.111:20151/RPC2>], e:[Traceback (most recent call last):
  File "/opt/zato/2.0.7/zato-web-admin/src/zato/admin/web/views/cluster.py", line 165, in index
    lb_config = client.get_config()
  File "/usr/lib/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1587, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1301, in single_request
    self.send_content(h, request_body)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1448, in send_content
    connection.endheaders(request_body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/opt/zato/2.0.7/eggs/springpython-1.3.0rc1-py2.7.egg/springpython/remoting/http.py", line 48, in connect
    self.sock = self.wrap_socket(sock)
  File "/opt/zato/2.0.7/eggs/springpython-1.3.0rc1-py2.7.egg/springpython/remoting/http.py", line 56, in wrap_socket
    ssl_version=self.ssl_version)
  File "/usr/lib/python2.7/ssl.py", line 487, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 241, in __init__
    ciphers)
SSLError: [Errno 0] _ssl.c:344: error:00000000:lib(0):func(0):reason(0)

This is the content of my Dockerfile for the web admin:

RUN mkdir -p /opt/zato/env/web-admin
RUN mkdir -p /opt/zato/env/ca


# Create the CA
RUN $ZATO_BIN ca create ca $CA_PATH
RUN $ZATO_BIN ca create web_admin $CA_PATH


# Create the web admin
WORKDIR $WEB_ADMIN_PATH
RUN $ZATO_BIN create web_admin \
  --odb_host=$ODB_HOST \
  --odb_port=$ODB_PORT \
  --odb_user=$ODB_USER \
  --odb_db_name=$ODB_DB_NAME \
  --odb_password=$ODB_PASSWORD \
  --tech_account_password=$TECH_ACCOUNT_PASSWORD \
  $WEB_ADMIN_PATH $ODB_TYPE $PUB_KEY_PATH $PRIV_KEY_PATH \
  $CA_CERTS_PATH $TECH_ACCOUNT_NAME

And then the load balancer/server dockerfile.


# Create the CAs needed
# ========================================
RUN $ZATO_BIN ca create ca $CA_PATH
RUN $ZATO_BIN ca create web_admin $CA_PATH

# Load balancer ca create
# ========================================
RUN $ZATO_BIN ca create lb_agent $CA_PATH $ORGANIZATIONAL_UNIT

# Create the cluster if it does not exist.
# If the cluster does exist,
# ignore the error and continue
# ========================================
RUN $ZATO_BIN create cluster \
    --odb_host=$ODB_HOST \
    --odb_port=$ODB_PORT \
    --odb_user=$ODB_USER \
    --odb_db_name=$ODB_DB_NAME \
    --odb_password=$ODB_PASSWORD \
    --tech_account_password=$TECH_ACCOUNT_PASSWORD \
    $ODB_TYPE $LB_HOST $LB_PORT \
    $LB_AGENT_PORT $BROKER_HOST \
    $BROKER_PORT $CLUSTER_NAME \
    $TECH_ACCOUNT_NAME

# Create the load balancer.
# ========================================
RUN $ZATO_BIN create load_balancer \
    $LB_PATH \
    $CA_PATH/out-pub/lb-agent-*.pem \
    $CA_PATH/out-priv/lb-agent-*.pem \
    $CA_PATH/out-cert/lb-agent-*.pem \
    $CA_PATH/out-csr/lb-agent-*.pem

I’ve tried to use the same csr across the webadmin and load balancer and have also used the same csr in the ca-material folder. I’m all out of ideas of why this is not working.

Both docker containers are running on the same machine.


#2

The load-balancer has an agent in front of it:

https://zato.io/docs/architecture/load-balancer.html

That agent runs on port 20151 by default - does web-admin have access to that port?


#3

Hey Dsuch

Sorry for not getting back to you sooner. Things have been super crazy lately.

I found the problem here, the issue is due to me creating the CA incorrectly and the WA couldn’t talk to the LB.

Thanks for the help!