Not receiving http requests

  • #16487
    Aitor Gartziandia
    Participant

    Hi,

    I am trying to exchange data with a ThingSpeak application by http in Node-red.

    I am able to make POST and GET requests successfully by the http request node, but I am unable to make requests to the Node-red server.

    I have tried to make requests from ThingSpeak with no success and also tried to make requests from the Linux interface on the Conduit using the curl command, which returns the error “Connection reset by peer”. The requests made to ThingSpeak from the Conduit by the curl command are successful.

    My http in node is configured as follows:

    METHOD: GET
    URL: /test

    The command executed and the response received are the following:

    admin@mtcdt:~# curl http://192.168.1.47:1880/test -v
    * Hostname was NOT found in DNS cache
    * Trying 192.168.1.47…
    * Connected to 192.168.1.47 (192.168.1.47) port 1880 (#0)
    > GET /test HTTP/1.1
    > User-Agent: curl/7.35.0
    > Host: 192.168.1.47:1880
    > Accept: */*
    >
    * Recv failure: Connection reset by peer
    * Closing connection 0
    curl: (56) Recv failure: Connection reset by peer

    The same happens with POST requests.

    What may be failing?

    Thanks.

    #16557
    Aitor Gartziandia
    Participant

    I have figured out that the issue is caused by the CA certificate error.

    Is there any way this error can be solved?

    Thanks!

    #16558
    Jeff Hatch
    Keymaster

    Aitor,

    Which certificate error is being generated? It may be possible that certificate validation is failing due to curl not having a root CA to verify the server certificate, or it could be server side certificate authentication failing because the Conduit is using a self-signed certificate, or it could be a number of other things.

    Jeff

    #16570
    Aitor Gartziandia
    Participant

    I have tried https with curl and wget and obtained the same result.

    admin@mtcdt:~# wget https://127.0.0.1:1880/test
    --2017-01-31 07:49:05-- https://127.0.0.1:1880/test
    Connecting to 127.0.0.1:1880… connected.
    ERROR: cannot verify 127.0.0.1’s certificate, issued by ‘/C=US/ST=Minnesota/L=Minneapolis/CN=ocg.example.com’:
    Self-signed certificate encountered.
    ERROR: certificate common name ‘ocg.example.com’ doesn’t match requested host name ‘127.0.0.1’.
    To connect to 127.0.0.1 insecurely, use `--no-check-certificate’.
    admin@mtcdt:~# wget http://127.0.0.1:1880/test
    --2017-01-31 07:49:53-- http://127.0.0.1:1880/test
    Connecting to 127.0.0.1:1880… connected.
    HTTP request sent, awaiting response… Read error (Connection reset by peer) in headers.
    Retrying.

    admin@mtcdt:~# curl https://127.0.0.1:1880/test
    curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a “bundle”
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn’t adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you’d like to turn off curl’s verification of the certificate, use
    the -k (or --insecure) option.

    If I execute curl --insecure https://127.0.0.1:1880/test or wget --no-check-certificate https://127.0.0.1:1880/test, the requests are successful. However, I cannot use this option if I make a request from ThingSpeak or other platforms.

    Any solution?

    Thanks!

    #16575
    Jeff Hatch
    Keymaster

    Aitor,

    Just want to make sure that you understand that all the -k option is doing is turning off the server authentication. You will still have a secure session with SSL.

    There are a number of CA certificates on the AEP Conduit at /usr/share/ca-certificates/mozilla. Depending on what root CA the ThingSpeak platform uses, you may be able to point to one of the CA certificates in this directory to authenticate the server certificate.

    However, from what I see coming from the wget output, it appears to be having a problem with the self-signed certificate on the Conduit. If you have your own certificate signed by a root CA, you should be able to get that to work.

    Jeff
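
Added example (not part of the thread and not MultiTech's code): the wget output above reports two separate failures, an untrusted self-signed certificate and a name mismatch, and this sketch reproduces both offline with openssl. The certificate is a constructed stand-in with the same subject; the key, file names and function names are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for the device certificate: self-signed, same subject as
# in the wget output. Key, file names and 1-day lifetime are assumptions.
make_cert() {   # $1 = directory to write key.pem / cert.pem into
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=Minnesota/L=Minneapolis/CN=ocg.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Chain check against the system trust store only, as curl and wget do by default.
trusted_by_default() {   # $1 = cert
    openssl verify "$1" >/dev/null 2>&1
}

# Chain check with the certificate itself supplied as the trust anchor
# (the openssl counterpart of curl --cacert), plus a name check.
trusted_when_pinned() {   # $1 = cert, $2 = -verify_hostname|-verify_ip, $3 = name
    openssl verify -CAfile "$1" "$2" "$3" "$1" >/dev/null 2>&1
}

report() {   # $1 = label, remaining args = check to run
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir" || { rm -rf "$dir"; return 1; }
    c=$dir/cert.pem
    report "default trust store"          trusted_by_default "$c"
    report "pinned, name ocg.example.com" trusted_when_pinned "$c" -verify_hostname ocg.example.com
    report "pinned, IP 127.0.0.1"         trusted_when_pinned "$c" -verify_ip 127.0.0.1
    rm -rf "$dir"
}

demo
```

Supplying the certificate as a trust anchor clears the self-signed error, but a client that connects by IP address still rejects it because the certificate only names ocg.example.com.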
