How to debug "Could not send to Yeti" errors about fame HOT 8 CLOSED

Some additional information. If I look at the transaction in Chrome developer mode, then when I try to access:

https://{fame server}/{hash}/submit_iocs/Yeti

I get a "Method Not Allowed" message. But the user has all rights granted.

The nginx log indicates a 405 result, but it appears in the access rather than error log.

The service is runnning SSL and HTTP2.

from fame.

You are getting "Method Not Allowed" because this is supposed to be a POST, not a GET.

The first step to debug would be to open the Chrome Developer Tools, go on the Network tab and retry. Then, click on the submit_iocs request and copy the "Request" and "Response" content so that we can understand the issue.

Could you also provide the configuration of your Yeti module to see if there is something wrong with it ?

from fame.

The Yeti Module configuration is as follows:

https://REDACTED:8080/api/
username: fame
password: fame
api key: {key provided by Yeti}

Here is the chrome output. It appears that it is using a POST.

Request URL: https://REDACTED:8888/analyses/5bbfb9091194db41a970eba3/submit_iocs/Yeti
Request Method: POST
Status Code: 500
Remote Address: 172.23.28.110:8888
Referrer Policy: no-referrer-when-downgrade
content-length: 291
content-type: text/html
date: Mon, 15 Oct 2018 12:51:10 GMT
server: openresty/1.13.6.2
status: 500
:authority: REDACTED:8888
:method: POST
:path: /analyses/5bbfb9091194db41a970eba3/submit_iocs/Yeti
:scheme: https
accept: /
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
content-length: 85
content-type: application/json
cookie: csrftoken=MQVdTwtidirDxVR3MWR77mKnkk3KOuzakLYx1GiY7WqyraIsPmUmo4hYQtwi3DSG; sessionid=l1iqvdahla9voiu3p6k3i4qke1stjqs0; session=.eJxNTj1vgzAU_CuV5wyuCQtSBiQHBNJ7CGTH8lsiNaGAgYU0Cjjiv9fq1OGGu9N9vNn1e2kfPUt-lmd7YNfhzpI3-_hiCQOfchTowNcxzFpUsunpD2WPvoutSzeS2YQyja3IRjLlCPLiKC82UJmzvltJ4QAzRCjOL3Ca4wwx5eWEpuakbtzOeiWpVxAQ0ay3oIlKdRGaJvRlA4gixoDgHdFAFPgRVB1yl7BbTlYVnyCLE9sP7Plol___0ZQD-PuE6raCGnn4FVU5ORBnYU0zsX3_BdIlURs.DqKI4Q.n1Oz90-8QLMZZv_9x8aBmGDJCrY
origin: https://REDACTED:8888
referer: https://REDACTED:8888/analyses/5bbfb9091194db41a970eba3
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
x-requested-with: XMLHttpRequest
[{value: "http://crl.geotrust.com/crls/secureca.crl", sources: "cuckoo", tags: ","}]
0: {value: "http://crl.geotrust.com/crls/secureca.crl", sources: "cuckoo", tags: ","}

from fame.

The above says a status code of 500 but the logs actually say 405, which is consistent with the Method message.

from fame.

Well, I switched Yeti to also listen for unencrypted HTTP traffic and that seems to have fixed things when I reconfigured FAME to use the unencrypted port.

from fame.

This probably means there is an issue with your HTTPS configuration. Are you using a self-signed certificate ? If you do, you have two options:

• Use a certificate signed by a commonly trusted AC (such as LetsEncrypt)
• Add your local AC/certificate to the list of trusted certificate on every system hosting FAME components

from fame.

Yes, we are using self-signed certificates. And all systems are being fed by the same nginx server so there is a single cert and key declared in the http {} settings which should be common across all platforms.

from fame.

Here is some documentation on how requests (the lib used by FAME) performs SSL Certificate Validation.

In your case, you would need to use the REQUESTS_CA_BUNDLE environment variable to specify a certificate bundle that contains your self-signed certificate.

from fame.