add --no-verify-ssl flag for ufo commands #89

Closed
aaronlippold opened this issue Sep 27, 2019 · 16 comments · Fixed by #91

Comments

@aaronlippold
Contributor

aaronlippold commented Sep 27, 2019

Would it be possible to add a --no-verify-ssl flag to the cli so that use of ufo behind ssl proxies in corporate environments would be much more useful?

This is the error that I am getting when I have the proxy turned on.

➜  variables git:(ufo-deploy) ✗ ufo init --launch-type ec2 --image=mitre/heimdall
Traceback (most recent call last):
	60: from /Users/aaronl/.rbenv/versions/2.6.3/bin/ufo:23:in `<main>'
	59: from /Users/aaronl/.rbenv/versions/2.6.3/bin/ufo:23:in `load'
	58: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/ufo-4.5.7/exe/ufo:14:in `<top (required)>'
	57: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
	56: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/ufo-4.5.7/lib/ufo/command.rb:43:in `dispatch'
	55: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
	54: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
	53: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
	52: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor.rb:40:in `block in register'
	51: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:115:in `invoke'
	50: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/group.rb:232:in `dispatch'
	49: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:133:in `invoke_all'
	48: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:133:in `map'
	47: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:133:in `each'
	46: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:133:in `block in invoke_all'
	45: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
	44: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
	43: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/ufo-4.5.7/lib/ufo/init.rb:52:in `set_network_options'
	42: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/ufo-4.5.7/lib/ufo/network/helper.rb:10:in `configure_network_settings'
	41: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/memoist-0.16.0/lib/memoist.rb:170:in `vpc_id'
	40: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/ufo-4.5.7/lib/ufo/network/fetch.rb:15:in `vpc_id'
	39: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-ec2-1.102.0/lib/aws-sdk-ec2/client.rb:21765:in `describe_vpcs'
	38: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/request.rb:70:in `send_request'
	37: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/plugins/response_target.rb:23:in `call'
	36: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/response_paging.rb:10:in `call'
	35: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/param_converter.rb:24:in `call'
	34: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in `call'
	33: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'
	32: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
	31: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/param_validator.rb:24:in `call'
	30: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/plugins/endpoint.rb:45:in `call'
	29: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/endpoint_discovery.rb:78:in `call'
	28: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/endpoint_pattern.rb:28:in `call'
	27: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/user_agent.rb:13:in `call'
	26: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/query/handler.rb:28:in `call'
	25: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:178:in `call'
	24: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:190:in `retry_if_possible'
	23: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:207:in `retry_request'
	22: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:178:in `call'
	21: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:190:in `retry_if_possible'
	20: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:207:in `retry_request'
	19: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:178:in `call'
	18: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:190:in `retry_if_possible'
	17: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:207:in `retry_request'
	16: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/retry_errors.rb:176:in `call'
	15: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'
	14: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/transfer_encoding.rb:26:in `call'
	13: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/plugins/signature_v4.rb:66:in `call'
	12: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/aws-sdk-core/xml/error_handler.rb:8:in `call'
	11: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/plugins/content_length.rb:17:in `call'
	10: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/net_http/handler.rb:47:in `call'
	 9: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/net_http/handler.rb:73:in `transmit'
	 8: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/net_http/handler.rb:121:in `session'
	 7: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/net_http/connection_pool.rb:96:in `session_for'
	 6: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/aws-sdk-core-3.61.2/lib/seahorse/client/net_http/connection_pool.rb:297:in `start_session'
	 5: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/2.6.0/delegate.rb:83:in `method_missing'
	 4: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/2.6.0/net/http.rb:925:in `start'
	 3: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
	 2: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/2.6.0/net/http.rb:996:in `connect'
	 1: from /Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
/Users/aaronl/.rbenv/versions/2.6.3/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) (Seahorse::Client::NetworkingError)
@aaronlippold aaronlippold changed the title add --no-verify-ssl flag for ufo commands add --no-verify-ssl flag for ufo commands Sep 27, 2019
@tongueroo
Collaborator

Wondering if we should try this instead:

Aws.use_bundled_cert!

amazon-archives/aws-sdk-core-ruby#166

@aaronlippold
Contributor Author

aaronlippold commented Sep 28, 2019 via email

@tongueroo
Collaborator

Cool. Unsure when I will take a look at this. Will consider PRs. No sweat either way though. Thanks!

@aaronlippold
Contributor Author

I will start poking at where in the code now.

aaronlippold added a commit to mitre/ufo that referenced this issue Sep 28, 2019
- added docs to help explain and save the user time and research

Fixes boltops-tools#89

Signed-off-by: Aaron Lippold <[email protected]>
@aaronlippold
Contributor Author

It turns out the real solution is to work out which certs were missing from the ruby and openssl certificate chains and fold them into the PEM.

The Aws.use_bundled_cert! actually seemed to cause issues when I added it to the lib/aws_service.rb, and once I had the right corporate certs appended everything worked without any need to update the core code. In fact, after setting up the certificates correctly, adding the use_bundled_cert! made things no longer work.
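
The fix described in this comment, as an added example that is not ufo's or the AWS SDK's own code: the script below reproduces the "self signed certificate in certificate chain" failure from the traceback with certificates it generates in-process, then shows that folding the proxy CA into the trusted PEM bundle makes path validation pass while peer verification (and the hostname check) stay on. The "public root", the "corporate TLS proxy CA", the leaf for ec2.amazonaws.com and the base bundle are all constructed stand-ins; the helper names are this example's own.

```ruby
require 'openssl'

# Added example, not ufo's or the AWS SDK's own code. All certificates below
# are constructed stand-ins generated at run time.

# Build a certificate. With no :issuer the cert is self-signed (a root CA).
def make_cert(subject, key, issuer: nil, ca: false, serial: 1)
  issuer_cert, issuer_key = issuer || [nil, key]
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed: a root that is already trusted (stands in for the public roots in
# the PEM bundle), the corporate TLS-inspection proxy's CA, and the leaf that the
# proxy re-signs and presents when the SDK client connects to ec2.amazonaws.com.
PUBLIC_ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
PUBLIC_ROOT     = make_cert('/CN=Example Public Root', PUBLIC_ROOT_KEY, ca: true, serial: 1)
PROXY_CA_KEY    = OpenSSL::PKey::RSA.new(2048)
PROXY_CA        = make_cert('/CN=Example Corp TLS Proxy CA', PROXY_CA_KEY, ca: true, serial: 2)
LEAF_KEY        = OpenSSL::PKey::RSA.new(2048)
LEAF            = make_cert('/CN=ec2.amazonaws.com', LEAF_KEY,
                            issuer: [PROXY_CA, PROXY_CA_KEY], serial: 3)

# The bundle as shipped: only the public root. Stands in for the file named by
# OpenSSL::X509::DEFAULT_CERT_FILE (or SSL_CERT_FILE when that is set).
BASE_BUNDLE_PEM = PUBLIC_ROOT.to_pem

# Fold a CA into a PEM bundle; idempotent so repeated runs do not grow the file.
def append_ca_to_bundle(bundle_pem, ca_cert)
  bundle_pem.include?(ca_cert.to_pem) ? bundle_pem : bundle_pem + ca_cert.to_pem
end

# Verify a presented chain the way the TLS layer does: path validation against
# a trust store built from the bundle, plus a hostname check on the leaf.
# Returns a hash so callers can see *why* verification failed instead of just
# seeing a boolean.
def verify_presented_chain(leaf, intermediates, bundle_pem, hostname)
  store = OpenSSL::X509::Store.new
  store.set_default_paths # system roots, as Net::HTTP uses by default
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m).each do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  path_ok     = store.verify(leaf, intermediates)
  hostname_ok = OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  {
    ok:          path_ok && hostname_ok,
    error:       store.error,        # OpenSSL X509_V_ERR_* code, 0 when the path is good
    message:     store.error_string, # e.g. "self signed certificate in certificate chain"
    hostname_ok: hostname_ok
  }
end

if __FILE__ == $PROGRAM_NAME
  # Inspection proxies usually send their own CA along with the re-signed leaf;
  # an untrusted self-signed cert at the top of that chain is exactly what yields
  # the error text seen in the traceback.
  chain  = [PROXY_CA]
  before = verify_presented_chain(LEAF, chain, BASE_BUNDLE_PEM, 'ec2.amazonaws.com')
  puts "before: ok=#{before[:ok]} error=#{before[:error]} (#{before[:message]})"
  fixed  = append_ca_to_bundle(BASE_BUNDLE_PEM, PROXY_CA)
  after  = verify_presented_chain(LEAF, chain, fixed, 'ec2.amazonaws.com')
  puts "after:  ok=#{after[:ok]} error=#{after[:error]} (#{after[:message]})"
end
```

The two routes the thread weighs map onto SDK configuration: a --no-verify-ssl flag would amount to `ssl_verify_peer: false` on the client, which accepts any certificate the proxy presents and removes the hostname check as well; pointing the client at a bundle that contains the corporate CA (`ssl_ca_bundle:` on the client, or the `SSL_CERT_FILE` environment variable picked up by `set_default_paths`) keeps both checks. `Aws.use_bundled_cert!` sets `ssl_ca_bundle` to the ca-bundle.crt shipped inside aws-sdk-core, which is why it undid the fix: the corporate CA had been appended to the system bundle, not to the gem's.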

@aaronlippold
Contributor Author

aaronlippold commented Sep 28, 2019 via email

@tongueroo tongueroo reopened this Sep 28, 2019
@tongueroo
Collaborator

tongueroo commented Sep 28, 2019

Like ECS service 🤔 If so, wondering what the EC2 console events tab say?

Or is it the ufo init command?

@aaronlippold
Contributor Author

aaronlippold commented Sep 28, 2019 via email

@aaronlippold
Contributor Author

f800e563-24dc-4b03-967c-72a2cc7dddae
2019-09-28 23:15:40 -0400
service heimdall-web-test2-Ecs-15R2B9BSYGESW was unable to place a task because no container instance met all of its requirements. The closest matching container-instance 8a0fd585-a1a3-419a-b16d-4fbaac778061 is missing an attribute required by your task. For more information, see the Troubleshooting section.

@aaronlippold
Contributor Author

aaronlippold commented Sep 29, 2019

{
  "family": "heimdall-web",
  "networkMode": "awsvpc",
  "executionRoleArn": "arn:aws:iam::123456789123:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "web",
      "image": "mitre/heimdall:ufo-2019-09-28T23-12-03-376b007",
      "cpu": 256,
     # needed for the big asset precompile
      "memory": 2048,
      "memoryReservation": 2048,
      "portMappings": [
        {
          "containerPort": 3000,
          "protocol": "tcp"
        }
      ],
      "command": [
        "sh",
        "-c",
        "bin/web"
      ],
      "environment": [
        {
          "name": "DATABASE_URL",
          "value": "postgres://user:[email protected]:5432/heimdall_prod"
        },
        {
          "name": "SECRET_KEY_BASE",
          "value": "zzz"
        },
        {
          "name": "CIPHER_PASSWORD",
          "value": "yyy"
        },
        {
          "name": "CIPHER_SALT",
          "value": "xxx"
        }
      ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "ecs/heimdall-web",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "heimdall"
        }
      },
      "essential": true
    }
  ]
}

@aaronlippold
Contributor Author

Does that give you what you were looking for?

@tongueroo
Collaborator

tongueroo commented Oct 2, 2019

Not really. Think this issue is specific to the ECS cluster setup, not ufo itself. So will close out.

Here are some ideas to help though. Have seen the "missing an attribute required by your task" error before. There can be many reasons, it really depends on the setup.

  • Search results usually mention using a logdriver that is not enabled on the ECS Container instance. The task definition in your example is using the cloudwatch driver though. So that's not it.
  • A shot in the dark guess here. Gut tells me that the ECS container instance in the cluster is not in the same VPC or subnet as the deployed ECS task. Would double check that.

Hope that helps.

@aaronlippold
Contributor Author

Ok. I will look into that. Anything pop out at you in the way I have the .ufo files configured above in the heimdall repo?

@tongueroo
Collaborator

These look like the default VPC settings https://github.com/mitre/heimdall/blob/ufo-deploy/.ufo/settings/network/default.yml

That’s why I am thinking that the ECS Container Instance that is registered to the ECS cluster is probably running on a different VPC or Subnets. Unsure though because it can be a different reason. Would double check the EC2 instances themselves.

@aaronlippold
Contributor Author

aaronlippold commented Oct 2, 2019 via email
