[Reconnoiter-users] How to access the REST interface

Theo Schlossnagle jesus at omniti.com
Wed Mar 17 11:12:02 EDT 2010


I believe it does.  It should be in the output on the console or in the log files.

Make install should not copy those certs... You need to create your own.  Those are all snake-oil certs.

On Mar 17, 2010, at 11:00 AM, Rui Lopes wrote:

> Ah, that was it. make install didn't copy the SSL key and certificate
> files into the installed etc directory. Copying them (noit.crt,
> noit.key and ca.crt) manually from the test directory works fine now.
> 
> Maybe noitd should complain about missing key/certificate files?
> 
> Thanks!
> 
> Best regards,
> Rui Lopes
> 
> On Wed, Mar 17, 2010 at 2:23 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
>> It sounds like perhaps noitd doesn't have its certs set up right.  The PKI configuration across all these things must be complete and correct or they will not trust each other.
>> 
>> All the certs must be signed by a CA that is listed in the configured ca chain in each component.  If you run make in trunk, it will configure a whole bunch of test certs in the test directory and produce a test-noit.conf that _should_ work.  This shouldn't be used for production, of course, but it should provide a good working example.
>> 
>> On Mar 17, 2010, at 10:20 AM, Rui Lopes wrote:
>> 
>>> Hi,
>>> 
>>> I'm just running noitd. Just to be sure, here's netstat output:
>>> 
>>> tcp        0      0 0.0.0.0:43191           0.0.0.0:*               LISTEN      6099/noitd
>>> tcp        0      0 0.0.0.0:32322           0.0.0.0:*               LISTEN      6099/noitd
>>> tcp        0      0 0.0.0.0:32323           0.0.0.0:*               LISTEN      6099/noitd
>>> raw        0      0 0.0.0.0:1               0.0.0.0:*               7           6099/noitd
>>> raw6       0      0 :::1                    :::*                    7           6099/noitd
>>> unix  2      [ ACC ]     STREAM     LISTENING     22455    6099/noitd        /tmp/noit
>>> 
>>> Thanks for the flags tip! I didn't notice the --insecure/-k flag.
>>> Though, please note that noitd just drops the connection (the SSL
>>> handshake is not even started); the actual error as displayed by curl
>>> is:
>>> 
>>> curl: (35) Unknown SSL protocol error in connection to localhost:43191
>>> 
>>> Any idea how to troubleshoot this? or what might be wrong?
>>> 
>>> BTW, I'm running noitd as: sudo noitd -dD
>>> 
>>> Best regards,
>>> Rui Lopes
>>> 
>>> On Wed, Mar 17, 2010 at 2:04 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
>>>> By default stratcon and noit both use 43191 -- they should be run on separate machines.  So, if you are running both, you could be connecting to stratcon which doesn't understand that REST call.
>>>> 
>>>> Don't turn off SSL.  And help yourself a little with more flags to curl: -k and -D-
>>>> That should avoid the unknown CA chain and give you the HTTP headers sent back which will tell you more.
>>>> 
>>>> On Mar 17, 2010, at 8:43 AM, Rui Lopes wrote:
>>>> 
>>>>> Hello,
>>>>> 
>>>>> How can we access the REST interface?
>>>>> 
>>>>> From the docs [0], this should be something like:
>>>>> 
>>>>>  curl --cert test/client.crt --key test/client.key https://localhost:43191/checks/show/f7cea020-f19d-11dd-85a6-cb6d3a2207dc
>>>>> 
>>>>> But for some reason that fails. I've also tried to use netcat (nc
>>>>> localhost 43191), but the connection is immediately disconnected; I've
>>>>> tried to disable SSL by modifying:
>>>>> 
>>>>>  <listener type="control_dispatch" address="*" port="43191" ssl="off">
>>>>> 
>>>>> I can now connect using netcat, but if I try to issue the HTTP
>>>>> request, it does not work.
>>>>> 
>>>>> Any idea how to make it work?
>>>>> 
>>>>> BTW, I'm using today's trunk version. And I'm using the default noitd
>>>>> configuration, except the checks section, which is:
>>>>> 
>>>>> <checks max_initial_stutter="30000" filterset="default">
>>>>>    <local timeout="4000" period="5000" target="127.0.0.1">
>>>>>        <check uuid="f7cea020-f19d-11dd-85a6-cb6d3a2207dc" module="selfcheck"/>
>>>>>        <check uuid="1b4e28ba-2fa1-11d2-883f-b9b761bde3fb" module="ping_icmp"/>
>>>>>        <check uuid="1cddb2a8-76ff-11dd-83c8-f75cb8b93bd9" module="ssh2"/>
>>>>>    </local>
>>>>> </checks>
>>>>> 
>>>>> TIA!
>>>>> 
>>>>> Best regards,
>>>>> Rui Lopes
>>>>> 
>>>>> [0] https://labs.omniti.com/docs/reconnoiter/noitd.wire.protocol.html#id322454
>>>> 
>>>> --
>>>> Theo Schlossnagle
>>>> http://omniti.com/is/theo-schlossnagle
>> 
>> --
>> Theo Schlossnagle
>> http://omniti.com/is/theo-schlossnagle

--
Theo Schlossnagle
http://omniti.com/is/theo-schlossnagle
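
The two points raised in this thread (create your own certs instead of copying the test ones, and catch missing key/certificate files before noitd silently drops connections) can be covered with a short preflight, shown here as an added example that is not part of the original thread or the Reconnoiter source. The file names noit.crt, noit.key and ca.crt come from the thread; the function names, subject names, key size and validity period are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Reconnoiter code): build a private CA, issue a noitd
# certificate from it, and verify the files before the daemon is started.
# Subject names, key size and lifetime below are assumed values.

# make_pki DIR: create ca.crt/ca.key and a CA-signed noit.crt/noit.key in DIR.
make_pki() {
  local dir="$1"
  mkdir -p "$dir" || return 1
  # Self-signed CA certificate: this is what goes in each component's CA chain.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Noit CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # Private key and signing request for noitd.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=noit.example.internal" \
    -keyout "$dir/noit.key" -out "$dir/noit.csr" 2>/dev/null || return 1
  # Sign the request with the CA.
  openssl x509 -req -in "$dir/noit.csr" -days 365 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/noit.crt" 2>/dev/null || return 1
  chmod 600 "$dir/ca.key" "$dir/noit.key"
}

# check_pki DIR: preflight for the three files noitd needs.
# Returns 0 = ok, 2 = file missing/empty, 3 = cert not signed by ca.crt,
#         4 = noit.key does not belong to noit.crt.
check_pki() {
  local dir="$1" f cert_pub key_pub
  for f in ca.crt noit.crt noit.key; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 2; }
  done
  openssl verify -CAfile "$dir/ca.crt" "$dir/noit.crt" >/dev/null 2>&1 \
    || { echo "noit.crt is not signed by ca.crt" >&2; return 3; }
  # Compare the public key in the certificate with the one derived from the key.
  cert_pub=$(openssl x509 -in "$dir/noit.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/noit.key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "noit.key does not match noit.crt" >&2; return 4; }
}
```

Source the file, then run `make_pki /path/to/etc` once and `check_pki /path/to/etc` before each start of noitd; keep ca.key off the monitored hosts.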