SSL Self-Signed Certificate Authentication Through API Call
Answered
Summary
I am trying to create a template Python script that I can use to pull all different kinds of information from the server API. Ideally, if I can make this work, our technical support team can use these scripts to obtain all kinds of useful data. In my current script, I have successfully been able to create a script that can pull server names with their GUIDs, but only if I have the request ignore verification of SSL. I'm struggling to figure out how to direct the call to pull the default.pem information from the server and utilize the certificate when attempting to authenticate.
Environment
- Nx Witness Version: DW Spectrum IPVMS 5.1.0.37133
- Client OS: N/A
- Server OS: Windows 10 for now, Ubuntu 18.04 after I figure out the rest.
- Network Topology: Script is designed to work from anywhere that can access the server via IP:PORT
- Special features: Python script, primarily using JSON/Application.
Reproduction Scenario
import json
import os
import requests
import urllib3
Not putting the entire script, but the part I'm focused on:
r = requests.get('https://' + IP + ':' + PORT, verify='<path to default.pem>')
How can I have the get request verify the self-signed certificate from the server itself?
Expected Behavior
Attempted to have verify= (filepath to default.pem)
Actual Behavior
Invalid path
OSError: Could not find a suitable TLS CA certificate bundle, invalid path:
Additional Information
I can share the base script if needed, though I'm sure it's something simple that I just don't know yet / am overlooking. I can get the scripts to work if I set verify=False, but I want to use this script in technical support and don't want it to be susceptible to MiTM attacks or other security risks.
-
Hello Rhaphiel Molinar,
I guess these articles might help you to build the proper solution:
https://support.networkoptix.com/hc/en-us/articles/16635062678039
-
Rhaphiel Molinar, did you figure it out, or do you still need help?
-
Oh wow, I was working on other projects semi-related to this and forgot that I even posted this. I almost accidentally posted the same thing a couple of days ago. I think this can potentially help down the line, but it's less so that I need to create a new self-signed SSL but instead have my script communicate with the existing default.pem certificate within Spectrum.
Ideally, I want the script to be able to authenticate using the existing resources on the server (since this script is intended to be run on the server).
I want the requests.get command that I have to verify with the existing certificate. I've found documentation online that *generally* explains how to verify the certificate.
In trying to do so, I have it pointing the authentication to the default.pem certificate but it still fails. Should this be pointing elsewhere?
Example:
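import requests
import urllib3
import os
import ssl
from requests.auth import HTTPBasicAuth
# Placeholder credentials; the original post does not show how `basic` was defined.
basic = HTTPBasicAuth('<username>', '<password>')
# Path to the server's existing default.pem
ca = 'C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Digital Watchdog\\Digital Watchdog Media Server\\ssl\\default.pem'
requests.get("http://127.0.0.1:7001/rest/v2/servers/this/info?_with=id", auth=basic, verify=ca)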
Basically, I don't want it to have to create a new cert for reference if I don't have to, I want it to try to utilize the existing certificates that are already on the server (either under C:\Windows\System32\config\systemprofile\AppData\Local\Digital Watchdog\Digital Watchdog Media Server\ssl or /opt/digitalwatchdog/mediaserver/var/ssl)
Has this been done/can it be done?
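One way to check the server against the certificate it already stores, added here as an example that is not part of the original thread or of the vendor's code: it pins the SHA-256 fingerprint of the certificate in default.pem and sends the request only if the certificate presented on that same connection matches. It uses the standard-library ssl and http.client modules instead of requests; the function names are hypothetical, and it assumes default.pem holds a PEM CERTIFICATE block, possibly next to a private key.

```python
import hashlib
import http.client
import re
import ssl

# One match per certificate block; a private key in the same file is skipped.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def pinned_fingerprints(pem_text):
    """SHA-256 fingerprints (over DER) of every certificate block in pem_text."""
    blocks = CERT_RE.findall(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest() for b in blocks}


def pinned_get(host, port, path, pem_path, headers=None):
    """GET https://host:port/path, sending the request only if the certificate
    presented on this connection is one of those stored in pem_path."""
    with open(pem_path, encoding="ascii") as fh:  # an unreadable path fails here
        pinned = pinned_fingerprints(fh.read())
    # Chain and hostname checks are replaced by the exact-match pin below.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.connect()  # TLS handshake only, nothing has been sent yet
        der = conn.sock.getpeercert(binary_form=True)
        if der is None or hashlib.sha256(der).hexdigest() not in pinned:
            raise ssl.SSLError("server certificate does not match " + pem_path)
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


# Constructed sample: placeholder bytes, not a real key or certificate.
SAMPLE_DER = b"constructed-der-bytes"
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    + ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
)
```

Credentials go in through `headers` (for example an Authorization header). In requests itself, `verify=` is only consulted for https:// URLs.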