I've generated a self-signed cert using this Scylla tutorial. Started a ScyllaDB node, everything's fine and dandy.
Now it's time to connect clients. Here's the script:
```python
from cassandra.cluster import Cluster

ssl_options = dict(
    ca_certs='db.crt',
    cert_reqs=False,
    ssl_version=None,
    keyfile=None,
    certfile=None
)
cluster = Cluster(
    ['<my_ip>'], port=9142,
    ssl_options=ssl_options
)
cluster.connect()
```
The `db.crt` file is the PEM format certificate for the private key signed by the CA.
On Ubuntu 22.04 it works as expected. On Windows 10 I get:
```
Traceback (most recent call last):
  File "C:\Users\...", line 27, in <module>
    cluster.connect()
  File "cassandra\cluster.py", line 1734, in cassandra.cluster.Cluster.connect
  File "cassandra\cluster.py", line 1770, in cassandra.cluster.Cluster.connect
  File "cassandra\cluster.py", line 1757, in cassandra.cluster.Cluster.connect
  File "cassandra\cluster.py", line 3573, in cassandra.cluster.ControlConnection.connect
  File "cassandra\cluster.py", line 3618, in cassandra.cluster.ControlConnection._reconnect_internal
cassandra.cluster.NoHostAvailable: ('Unable to connect to any servers', {'<my_ip>': OSError(None, "Tried connecting to [('<my_ip>', 9142)]. Last error: timed out")})
```
I thought that this was a connectivity problem, but once I get rid of `ssl_options`, it connects to the server successfully but treats the incoming bytes wrongly, ending up with this error:
```
cassandra.cluster.NoHostAvailable: ('Unable to connect to any servers', {'<my_ip>': ProtocolError('This version of the driver does not support protocol version 21')})
```
So I'm able to reach the server. It seems like Windows is treating the certificate the wrong way or something. What can it be?
P.S. There is also a deprecation warning: `DeprecationWarning: Using ssl_options without ssl_context is deprecated and will result in an error in the next major release. Please use ssl_context to prepare for that release.`
I've looked at the cqlshlib implementation, and it seems like it's still using the "deprecated" method of handling the ssl.
How can one use `SSLContext` instead?
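
One way to build the `ssl_context` the deprecation warning asks for, as an added example that is not part of the original post or the driver's own code. It also shows that `cert_reqs=False` has the same value as `ssl.CERT_NONE`, so the legacy dict above never verifies the server against `db.crt`. The helper names `build_context`, `verification_gaps`, `legacy_like_context` and `connect` are hypothetical; `ssl_context` and `ssl_options={'server_hostname': ...}` are the cassandra-driver `Cluster` parameters.

```python
import ssl


def build_context(ca_file=None, check_hostname=True, certfile=None, keyfile=None):
    """Client TLS context that verifies the server instead of skipping checks."""
    # PROTOCOL_TLS_CLIENT starts with verify_mode=CERT_REQUIRED, check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # e.g. the post's db.crt
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # only if the server wants client certs
    # Turn this off only when the certificate has no SAN matching the address used.
    ctx.check_hostname = check_hostname
    return ctx


def verification_gaps(ctx):
    """List what a context does NOT enforce; an empty list means full verification."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("server certificate not verified")
    elif ctx.cert_store_stats()["x509"] == 0:
        gaps.append("no trusted certificates loaded")
    if not ctx.check_hostname:
        gaps.append("hostname not checked")
    return gaps


def legacy_like_context():
    """Context matching cert_reqs=False, which equals ssl.CERT_NONE (0)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect(host, ctx, port=9142):
    """Open a session with the context (requires cassandra-driver to be installed)."""
    from cassandra.cluster import Cluster
    # With check_hostname on, the driver needs the name to verify against.
    opts = {"server_hostname": host} if ctx.check_hostname else None
    return Cluster([host], port=port, ssl_context=ctx, ssl_options=opts).connect()


if __name__ == "__main__":
    print(verification_gaps(legacy_like_context()))
    print(verification_gaps(build_context(check_hostname=False)))
```

Typical use would be `connect('<my_ip>', build_context('db.crt'))`; run `verification_gaps` on any context before shipping it to confirm nothing was silently disabled.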