
Middlewared Mattermost Notifications Don't Respect Imported CAs

Description

The Mattermost alert Python code imports the requests module. By default, the requests module ships with its own internal trust store for trusted Certificate Authorities. Because of this, Mattermost alert notifications that are sent to a self-hosted server using an internal or self-signed CA will always fail, even if a user has imported the CA to the CA section of the TrueNAS GUI. I have tested on a local system, and adding the “verify” parameter to the post request inside the /usr/local/lib/python3.9/site-packages/middlewared/alert/service/mattermost.py file successfully allows for a Mattermost notification to an internal CA after a restart of the middlewared service. I will leave it up to you on how best to implement the correct fix so that the entire system truststore is used (if desired) or at the very least, trust the truenas_cacerts.pem file. Sample code for the post request in the send_sync function:

def send_sync(self, alerts, gone_alerts, new_alerts):
    r = requests.post(
        self.attributes["url"],
        headers={"Content-type": "application/json"},
        data=json.dumps({
            "username": self.attributes["username"],
            "channel": self.attributes["channel"],
            "icon_url": self.attributes["icon_url"],
            "text": self._format_alerts(alerts, gone_alerts, new_alerts),
        }),
        verify="/etc/ssl/truenas_cacerts.pem",
        timeout=INTERNET_TIMEOUT,
    )
    r.raise_for_status()

Specifically, line 11 above is what I added to allow the imported CA to be trusted for Mattermost alerts.

Problem/Justification

None

Impact

None

Attachments

1
  • 27 Dec 2023, 04:19 PM
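
An added example, not code from the ticket or from the TrueNAS code base: passing `verify=<path>` makes requests trust only the CAs in that file, so this stdlib-only helper merges the imported-CA file with a default bundle and falls back to requests' default verification (never `verify=False`) when the file is missing or empty. The function names, the merge approach and the assumption that `/etc/ssl/truenas_cacerts.pem` holds only the imported CAs are assumptions of this example.

```python
import os
import re
import tempfile

# Path from the issue; assumed here to hold only the CAs imported via the GUI.
TRUENAS_CA_FILE = "/etc/ssl/truenas_cacerts.pem"
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the base64 bodies of all certificate blocks, whitespace removed."""
    return ["".join(body.split()) for body in _PEM_CERT.findall(text)]


def read_blocks(path):
    """Read a PEM file; a missing or unreadable file yields no blocks."""
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return pem_blocks(fh.read())
    except OSError:
        return []


def build_verify(extra_ca_file, default_bundle=None, out_dir=None):
    """Return a value for requests' verify=: a merged bundle path, or True.

    Never returns False: with no usable extra CA file the caller keeps
    requests' default verification instead of disabling it.
    """
    extra = read_blocks(extra_ca_file)
    if not extra:
        return True
    merged, seen = [], set()
    for body in extra + (read_blocks(default_bundle) if default_bundle else []):
        if body not in seen:  # drop CAs present in both files
            seen.add(body)
            merged.append(body)
    fd, path = tempfile.mkstemp(suffix=".pem", dir=out_dir)  # created mode 0600
    with os.fdopen(fd, "w", encoding="ascii") as out:
        for body in merged:
            lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            out.write(f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n")
    return path


# Usage (hypothetical call site; needs requests and certifi installed):
# requests.post(url, json=payload, verify=build_verify(TRUENAS_CA_FILE, certifi.where()))
```

The helper only splits and de-duplicates PEM blocks as text; it does not parse or validate the certificates themselves.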

Activity


Bug Clerk January 14, 2024 at 2:46 PM

This issue has now been closed. Comments made after this point may not be viewed by the TrueNAS Teams. Please open a new issue if you have found a problem or need to re-engage with the TrueNAS Engineering Teams.

Bug Clerk January 10, 2024 at 8:21 PM

Bonnie Follweiler December 29, 2023 at 7:11 PM

Good Afternoon .

I have moved this ticket into our queue to review.

An engineering representative will update with any further questions or details in the near future.

Nate Moyer December 29, 2023 at 6:11 PM

Apologies, but I will not be submitting a debug file for this ticket due to lack of confidence in api and webhook secrets being stripped out of the output. I have detailed the issues and a possible solution (leaving it to your team to create an appropriate integration). If you need any additional information, I will be glad to provide it. I did include a snippet of the middlewared.log file with the detailed error message as an attachment to this ticket.

Bonnie Follweiler December 27, 2023 at 6:32 PM

Good Afternoon .

Please upload a debug file from the affected system to our secure and private upload service located at https://ixsystems.atlassian.net/servicedesk/customer/portal/15/group/37/create/153?

Thank you.

Complete

Details

Assignee

Reporter

Impact

Low

Time remaining

0m

Components

Affects versions

Priority


Created December 27, 2023 at 3:55 PM
Updated February 6, 2024 at 4:35 PM
Resolved January 14, 2024 at 2:46 PM