Bug: generate-rsa-key-pair fails to authorize #1146

Closed
opened 2025-12-29 16:29:24 +01:00 by adam · 6 comments

Originally created by @cimnine on GitHub (Aug 4, 2017).

Issue type: Bug Report

Python version: 2.7
NetBox version: 2.1.1

When I access the API endpoint /api/secrets/generate-rsa-key-pair/, I only ever get the following response:

```
$ curl -H "Authorization: Token db5f9244f020abd5a1a4e1f22c50d0d621a7c867" -H "Accept: application/json; indent=2" https://netbox/api/secrets/generate-rsa-key-pair/
{
  "detail": "Authentication credentials were not provided."
}
```

When I access /api/dcim/devices/ the same way, all works as expected, so the token is at least valid:

```
$ curl -H "Authorization: Token db5f9244f020abd5a1a4e1f22c50d0d621a7c867" -H "Accept: application/json; indent=2" https://netbox/api/dcim/devices/
{
  "count": 48,
  "next": null,
  "previous": null,
  "results": [
    ...
  ]
}
```
adam closed this issue 2025-12-29 16:29:24 +01:00

@jeremystretch commented on GitHub (Aug 4, 2017):

That's odd, it seems to work fine for me on v2.1.1. Is it possible that the authorization header is getting stripped by the httpd? That would explain the error you're getting. An invalid token will yield:

```
{
  "detail": "Invalid token"
}
```

What happens if you try the same request with a garbage token?


@cimnine commented on GitHub (Aug 4, 2017):

Turns out we don't even require authorisation. This ...

```
$ curl -H "Authorization: Token nothinguseful" -H "Accept: application/json; indent=2" https://netbox/api/dcim/devices/
```

... yields results, as well as ...

```
$ curl -H "Accept: application/json; indent=2" https://netbox/api/dcim/devices/
```

It's just `/api/secrets/generate-rsa-key-pair` and `/api/secrets/get-session-key` that behave differently.

We have the following options set in our config:

```
ALLOWED_HOSTS = ['*']
DATABASE = { ... }
SECRET_KEY = 'blablabla'
```

Anything else is not configured and hence must be default values.

Would there be a quick way for me to check whether Netbox receives the Authorization header at all?


@jeremystretch commented on GitHub (Aug 4, 2017):

By default, LOGIN_REQUIRED is not set, so most views (like /api/dcim/devices/) don't require authentication, and the passed token therefore isn't being validated. /api/secrets/generate-rsa-key-pair and /api/secrets/get-session-key always require authentication, which is why you're getting the error.

Can you provide your httpd (nginx/Apache) configuration?


@cimnine commented on GitHub (Aug 4, 2017):

I can, [check out the gist](https://gist.github.com/cimnine/379118bc2139c057d6444d03f8655775).

It's somewhat redacted, but no Apache directives (besides some `ServerAlias`es) have been removed.

The `/api/` path is not affected by our SSO, which is based on the [CAS protocol](https://en.wikipedia.org/wiki/Central_Authentication_Service).

@jeremystretch commented on GitHub (Aug 4, 2017):

According to [the docs](http://netbox.readthedocs.io/en/stable/installation/web-server/#option-b-apache) (I don't use Apache myself) you probably need:

```
# Needed to allow token-based API authentication
WSGIPassAuthorization on
```

Please try adding that to the VirtualHost config and restarting Apache.

@cimnine commented on GitHub (Aug 7, 2017):

Thanks, that was the missing piece.
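
For the question raised earlier in the thread (whether the application receives the `Authorization` header at all), a throwaway WSGI app can report what arrives behind the web server. This is an added example, not part of the original thread and not NetBox code; the names `auth_header_report`, `application` and `call_app` and the sample header values are assumptions made for illustration.

```python
# Added example (not NetBox code): a throwaway WSGI app that reports whether
# the front-end web server forwards the Authorization header to the application.
import json
from wsgiref.util import setup_testing_defaults


def auth_header_report(environ):
    """Describe the Authorization header as the WSGI application sees it."""
    raw = environ.get("HTTP_AUTHORIZATION")
    if raw is None:
        # The header never reached the app. Token authentication then has nothing
        # to validate and reports that credentials were not provided.
        return {"received": False, "scheme": None, "credential_length": 0}
    scheme, _, credential = raw.partition(" ")
    # Report scheme and length only, so the token never lands in output or logs.
    return {"received": True, "scheme": scheme,
            "credential_length": len(credential.strip())}


def application(environ, start_response):
    """WSGI entry point: answer every request with the report as JSON."""
    body = json.dumps(auth_header_report(environ), indent=2).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body))),
                              ("Cache-Control", "no-store")])
    return [body]


def call_app(headers):
    """Invoke the app in-process with a constructed environ; return (status, report)."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = []
    chunks = application(environ, lambda s, h: status.append(s))
    return status[0], json.loads(b"".join(chunks).decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample requests: one as a header-stripping front end would
    # deliver it, one with the Authorization header intact.
    print(call_app({"Accept": "application/json"}))
    print(call_app({"Accept": "application/json",
                    "Authorization": "Token constructed-sample"}))
```

Served temporarily behind the same web server configuration as NetBox and requested with the same curl headers, `"received": false` means the header is being dropped before it reaches the application; remove the app once the check is done.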


Reference: starred/netbox#1146