TLS & SNI Problem: cannot connect to Puppet Server after Wechaty 1.0 migration #190
Comments
Could you please try the next version of wechaty and post your minimum reproducible code with steps? |
Sure thing.
example code:

```ts
import { WechatyBuilder } from 'wechaty'
import PuppetMock from 'wechaty-puppet-mock'
import { PuppetServer, PuppetServerOptions } from 'wechaty-puppet-service'

async function main() {
  const host = '0.0.0.0'
  const port = '8788'

  // Puppet server backed by the mock puppet, so no real puppet is involved
  const serverOptions = {
    endpoint: `${host}:${port}`,
    puppet: new PuppetMock(),
    token: 'puppet_test_whatsoever'
  } as PuppetServerOptions
  const puppetServer = new PuppetServer(serverOptions)
  await puppetServer.start()

  // Client bot connecting to the same endpoint with the same token
  const bot = WechatyBuilder.build({
    puppet: 'wechaty-puppet-service',
    puppetOptions: {
      endpoint: `${host}:${port}`,
      token: 'puppet_test_whatsoever',
    }
  })
  bot.start()

  // Keep the process alive for 3600 ms so the connection attempt can run
  await new Promise(resolve => {
    setTimeout(resolve, 3600)
  })
}

main()
```
|
full log:
|
It seems you want to run some code very like (almost the same) https://github.com/wechaty/puppet-service/blob/main/tests/integration.spec.ts

Can you run this unit test in your environment and see if it works for you?

Please also pay attention to the below code:

puppet-service/tests/grpc-stream.spec.ts Lines 34 to 43 in 32d400f
Server Name Indication (SNI) in Wechaty Puppet Service Token (WPST) in v1.x

The Wechaty v1.x ecosystem enforces the Wechaty Puppet Service Token (WPST) to have a Server Name Indication (SNI) so that the TLS can be enabled by default.
This means that, if the Puppet Service wants to enable the TLS, it needs to have a signed CA for its SNI. For example, the WXWork token can be named as

Tip: we have a token helper named wechaty-token, learn more at https://github.com/wechaty/token

Action List
CC @windmemory for the SNI information. |
Indeed they are almost identical since I use puppet-mock to rule out the possible problem of the puppet module. And yes the unit test passes.
I also tried to rerun my code after changing token to 'insecure_testtoken' and the problem was solved. For the SNI issue, I think that's beyond my pay grade LOL. I'll keep them updated. |
Glad to know that your issue has been solved. And we can confirm this is an SNI issue, we can keep an eye on it for future work. |
Are there any rules about SNI naming? I mean can there be an underline in SNI, so that we can continue using puppet_wxwork as SNI? |
Thanks for asking! The SNI is designed with the following rules:
CC @wechaty/puppet @wechaty/polyglot |
That should be already supported out-of-the-box. The Wechaty community will use the private CA to sign a I'm planning to design a form so that the puppet service providers in our community can submit applications via it, please stay tuned. |
Sorry, there seems to be something wrong with puppet_wxwork support. I started a wxwork puppet locally, and set it up with different tokens, then connect it with puppet-service.
puppet_wxwork_782b1da6e5d0f694 is generated by our current token generator, and puppet_wxwork_a69954dd-432d-4562-87af-856a638190f0 is generated by wechaty-token |
It will be expected to not work because you have no valid CA with SNI In order to make it work, you must obtain the signed CA with SNI I'll try to generate one and send it to you for testing purposes later. |
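
The behaviour reported in this thread, as an added example that is not part of any comment here and is not Wechaty's own code: a pre-flight check that derives the SNI from a token and says whether a signed certificate for it is on hand. It assumes the SNI is the part of the token before its last underscore (which matches the tokens quoted above); `sniFromToken`, `checkToken`, `auditThreadTokens` and the `signedSnis` list are hypothetical names.

```typescript
// Added example, not Wechaty code. Assumption: token = `<SNI>_<id>`, split at
// the LAST underscore, so `puppet_wxwork_<id>` yields the SNI `puppet_wxwork`.
type Verdict = 'malformed' | 'insecure-prefix' | 'cert-available' | 'no-cert-for-sni'

interface TokenCheck { sni: string | null; verdict: Verdict }

// Derive the server name a TLS client would be expected to present.
function sniFromToken (token: string): string | null {
  const cut = token.lastIndexOf('_')
  // No underscore, empty SNI, or empty id: not a usable token.
  if (cut <= 0 || cut === token.length - 1) return null
  return token.slice(0, cut)
}

// signedSnis: SNIs for which the operator holds a signed certificate
// (constructed input; the thread does not list any).
function checkToken (token: string, signedSnis: readonly string[]): TokenCheck {
  const sni = sniFromToken(token)
  if (sni === null) return { sni, verdict: 'malformed' }
  // `insecure_...` is the token form that made the reproduction connect in
  // this thread; treat it as test-only.
  if (sni === 'insecure') return { sni, verdict: 'insecure-prefix' }
  const known = signedSnis.indexOf(sni) !== -1
  return { sni, verdict: known ? 'cert-available' : 'no-cert-for-sni' }
}

// The four tokens quoted in this thread.
const THREAD_TOKENS: readonly string[] = [
  'puppet_test_whatsoever',
  'insecure_testtoken',
  'puppet_wxwork_782b1da6e5d0f694',
  'puppet_wxwork_a69954dd-432d-4562-87af-856a638190f0',
]

function auditThreadTokens (signedSnis: readonly string[]): string[] {
  return THREAD_TOKENS.map(token => {
    const { sni, verdict } = checkToken(token, signedSnis)
    return `${token} -> sni=${sni === null ? '-' : sni} verdict=${verdict}`
  })
}

// With no signed certificates on hand, only the insecure token is expected to connect.
console.log(auditThreadTokens([]).join('\n'))
```

Both `puppet_wxwork_...` tokens map to the same SNI, so one signed certificate for `puppet_wxwork` would cover either token generator.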
Hello @huan , sorry to bother you, but how is the CA generating going? |
@hcfw007 I have sent the generated CA to @windmemory as an email, please ask him to forward it to you. (because I don't have your email address) Feel free to let me know if you have any questions by commenting on this issue. |
How should I use this CA? |
Please refer to my email, thank you very much. |
Have we tested the CA already or not? Please let me know the process and I'd like to help. Thanks. |
Not yet. So far we focus on functionality test with TLS disabled. |
Recently we are testing our puppet with wechaty 1.0. The puppet-side migration went well, now it's running wechaty-io-client with [email protected] and [email protected].
However when I try to connect the puppet using a bot with [email protected] (which comes with [email protected]), it always throws a No connection established error. The server side should be fine since the server started log did show up:
Here's the error from client: