cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
340
Views
5
Helpful
6
Replies
Highlighted
Participant

What is Restconf HTTP port on XE sandbox

I am trying to run a test case on XE sandbox. When I try to access documented Restconf port, I am getting that the port is used for HTTPS. But YDK does not support HTTPS protocol (known limitation). Is there a port assigned for unsecured HTTP protocol?

My script to connect:

from ydk.providers import RestconfServiceProvider
from ydk.types import EncodingFormat
from ydk.path import Repository

from ydk.models import openconfig as oc

repo = Repository(oc.__path__[0]+'/_yang')
provider = RestconfServiceProvider(
repo,
'ios-xe-mgmt.cisco.com',
'developer',
'C1sco12345',
9443,
EncodingFormat.JSON)

 I am getting this error:

(venv) Yans-Air:ydk-gen ygorelik$ python scripts/community/xe_restconf_interface.py 
2020-06-23 14:57:03,847 - ydk - INFO - Unable to retrieve restconf root. Assuming '/restconf' as the root
2020-06-23 14:57:03,847 - ydk - INFO - Ready to communicate with http://ios-xe-mgmt.cisco.com:9443/restconf using http
2020-06-23 14:57:05,918 - ydk - ERROR - Operation did not succeed. Got response: 400 : <html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx</center>
</body>
</html>

Traceback (most recent call last):
File "scripts/community/xe_restconf_interface.py", line 41, in <module>
EncodingFormat.JSON)
RuntimeError: YServiceProviderError: Operation did not succeed. Got response: 400 : <html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx</center>
</body>
</html>

 Please share your experience of using Restconf with Cisco sandboxes .

Yan Gorelik
YDK Solutions
6 REPLIES 6
Highlighted
Cisco Employee

Hi Yan,

I can see that WebUI over HTTP just works but when it comes to restconf it doesn't. From documentation it seems to me that:

conf t
ip http server no ip http secure-server
restconf end

should do the trick and you could use port 80 to connect via restconf. However I had no luck and that's why I was asking to the community a couple of weeks ago. I found a workaround to that, it's not nice but it works. I used a local instance of NGINX working as a HTTPS reverse-proxy, configuration is like this:

events {
}
http {
    server {
        listen 80;
        listen [::]:80;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        location / {
            proxy_pass https://<my_target_ip_address>:443;
        }
    }
}

Hope this helps!

 

If you manage to get HTTP direct connectivity please post a message here. I would be very interested into it!

 

Val

Highlighted

Hi Yan,

 

Can you use NETCONF instead of RESTCONF when YDK talking to Sandbox ?

 

Sandbox

CSR1000V Host: ios-xe-mgmt-latest.cisco.com
SSH Port: 8181
NETCONF Port: 10000
RESTCONF Ports: 9443 (HTTPS)
Username: developer
Password: C1sco12345

Jacky Zhang
Global Telecom
Highlighted

Hi Jacky

The root cause of the issue was protocol HTTPS, which was not supported by YDK-0.8.4 (see issue #917). As of 0.8.5 that issue has been partially resolved (permanently disabled peer and host name verification). I have used the sandbox to debug and test newly developed code.

Thank you.

Yan Gorelik
YDK Solutions
Highlighted

Hi Yan,

 

Now I got your point.  

 

I am glad to see your testing is successful now.

 

BR

Jacky

Jacky Zhang
Global Telecom
Highlighted

Hello Yan,

I'm trying this with python but I'm getting this error when I instantiate the RestconfServiceProvider:

RuntimeError: YClientError: Peer certificate cannot be authenticated with given CA certificates

 

My understanding is that certificate validation on client should be skipped.

 

I can see here https://github.com/CiscoDevNet/ydk-gen/blob/11fe46d83358b6c55a2907d19695aa192ab4e5d9/sdk/cpp/core/src/restconf_client.cpp#L150 that I could probably hit:

 

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

 

Possibly because we don't pass ssl_options here: https://github.com/CiscoDevNet/ydk-gen/blob/1020e483853de9195375a8f5be2a203f050c3a7e/sdk/cpp/core/src/restconf_session.cpp#L65

 

Is there a way to totally skip certificate validation?

 

Thanks,

Val

Highlighted

Ok forget about this, apparently it was still running with 0.8.4