Unable to connect to OMERO.server via API on Windows

Hi there,

I’ve installed OMERO.server and I’m able to connect to it using the API on Linux and MacOS, but not Windows. I’ve deployed the server using the docker container. Are there special cipher settings I need to put in place to get Windows to connect properly?

Thanks!
B

Hi @broarr. Welcome to image.sc!

Sounds very much like you’ve run into:

Perhaps try omero-certificates and let us know if it works for you?
~J

I tried extending the docker container using the following Dockerfile to generate the certificates and then checked if I could auth via Windows and I haven’t had any luck yet.

FROM openmicroscopy/omero-server:5.6.1

USER root
RUN source /opt/omero/server/venv3/bin/activate \
    && pip install omero-certificates

USER omero-server
RUN /opt/omero/server/OMERO.server/bin/omero certificates

I can assert that the certs are in place correctly. Here’s my omero config get results:

omero.certificates.commonname=localhost
omero.certificates.key=server.key
omero.certificates.owner=/L=OMERO/O=OMERO.server
omero.data.dir=/OMERO
omero.db.host=postgres
omero.db.name=omero
omero.db.pass=********
omero.db.user=omero
omero.glacier2.IceSSL.CAs=server.pem
omero.glacier2.IceSSL.CertFile=server.p12
omero.glacier2.IceSSL.Ciphers=HIGH
omero.glacier2.IceSSL.DefaultDir=/OMERO/certs
omero.glacier2.IceSSL.Password=********
omero.glacier2.IceSSL.ProtocolVersionMax=TLS1_2
omero.glacier2.IceSSL.Protocols=TLS1_0,TLS1_1,TLS1_2
omero.web.debug=true
omero.web.login_logo=https://placekitten.com/g/450/150
omero.web.public.enabled=true
omero.web.public.password=********
omero.web.public.user=admin

I’ve tested using this little test suite on MacOS and it works fine. Same test suite fails on Windows 10 (virtual machine, but I don’t think that should matter).

Any other ideas?

Hi! Please could you:

  • Tell us how you created your Windows Python environment
  • Try the script mentioned in OMERO CLI import error with the addition of the mentioned Ice debug logging?

Thanks!

I set up my python environment on Windows via NuGet. I ran:

choco install python

Once I got python installed, I installed poetry via their documentation and added the omero libraries via poetry.

I’ve added the Ice debug logging, but it seems to make things worse. Now when I call the connect() method on the connection object I’m getting an exception. Here’s the link to the new code:

Here’s the exception I’m getting from my connection code:

DEBUG:omero.gateway:connect(): Traceback (most recent call last):
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/omero/clients.py", line 297, in _initData
    self.__ic = Ice.initialize(id)
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/Ice.py", line 705, in initialize
    communicator = IcePy.Communicator(args, data)
Ice.EndpointParseException: exception ::Ice::EndpointParseException
{
    str = unrecognized argument `not' in endpoint `ssl -p 4064 -h <"omero.host" not set>'
}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/omero/gateway/__init__.py", line 2211, in connect
    self._resetOmeroClient()
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/omero/gateway/__init__.py", line 2145, in _resetOmeroClient
    args=['--Ice.Config='+','.join(self.ice_config)])
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/omero/__init__.py", line 67, in client
    return omero.clients.BaseClient(*args, **kwargs)
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/omero/clients.py", line 170, in __init__
    self._initData(id)
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/omero/clients.py", line 301, in _initData
    raise omero.ClientError(msg)
omero.ClientError: No host specified. Use omero.client(HOSTNAME), ICE_CONFIG, or similar.

INFO:omero.gateway:closed connection (uuid=None)
Traceback (most recent call last):
  File "./connect.py", line 42, in <module>
    main()
  File "./connect.py", line 39, in main
    assert connection_test(args.username, args.password, args.host, args.port, args.secure)
AssertionError

Any ideas on what I’m doing wrong?

EDIT: These logs are coming from MacOS. I’ll post Windows separately

When I uncomment these lines and rebuild/redeploy my docker container I’m unable to connect via the web interface.

Is there something else I need to do to get the certificates working properly from within the docker container?

Your print(f'connecting to {host}:{port} secure={secure}') statement doesn’t appear in the logs. The exception you listed here (including 'not' in endpoint) would point to omero.host not being properly passed/set.

Hmm… that sounds surprising. I built your containers locally (with the comments) and they ran for me. Is it possible that you needed to run docker-compose build?

I did notice that your web container shows:

omeroweb_1     | UnicodeEncodeError: 'ascii' codec can't encode character '\xe5' in position 3435: ordinal not in range(128)
...
omeroweb_1     | Traceback (most recent call last):
omeroweb_1     |   File "/opt/omero/web/venv3/lib64/python3.6/site-packages/django/template/base.py", line 896, in _resolve_lookup
omeroweb_1     |     current = current[int(bit)]
omeroweb_1     | ValueError: invalid literal for int() with base 10: 'public_enabled'
omeroweb_1     |
omeroweb_1     | During handling of the above exception, another exception occurred:
omeroweb_1     |
omeroweb_1     | Traceback (most recent call last):
omeroweb_1     |   File "/opt/omero/web/venv3/lib64/python3.6/site-packages/django/template/base.py", line 903, in _resolve_lookup
omeroweb_1     |     (bit, current))  # missing attribute
omeroweb_1     | django.template.base.VariableDoesNotExist: Failed lookup for key [public_enabled] in '[{\'True\': True, \'False\': False, \'None\': None}, {\'csrf_token\': <SimpleLazyObj

But I don’t see a cause offhand.

~Josh

Thanks for your reply!

If I run my test scripts (after building with docker-compose build --no-cache), and I run them solo (without pytest) I get the following output:

CIS2L0CFHV2J:omero-test broarr$ poetry run ./connect.py -H 127.0.0.1 -p 4064 -s root root
connecting to 127.0.0.1:4064 secure=True
-- 05/01/20 09:28:16.756 --IceSSL.Trace.Security=1: Security: enabling SSL ciphersuites:
    ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    ECDHE_RSA_WITH_AES_256_GCM_SHA384
    ECDHE_RSA_WITH_AES_256_CBC_SHA384
    ECDHE_RSA_WITH_AES_256_CBC_SHA
    ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    ECDH_ECDSA_WITH_AES_256_CBC_SHA
    ECDH_RSA_WITH_AES_256_GCM_SHA384
    ECDH_RSA_WITH_AES_256_CBC_SHA384
    ECDH_RSA_WITH_AES_256_CBC_SHA
    DHE_RSA_WITH_AES_256_GCM_SHA384
    DHE_RSA_WITH_AES_256_CBC_SHA256
    DHE_RSA_WITH_AES_256_CBC_SHA
    RSA_WITH_AES_256_GCM_SHA384
    RSA_WITH_AES_256_CBC_SHA256
    RSA_WITH_AES_256_CBC_SHA
    TLS_AES_256_GCM_SHA384
    DH_anon_WITH_AES_256_GCM_SHA384
    DH_anon_WITH_AES_256_CBC_SHA256
    DH_anon_WITH_AES_256_CBC_SHA
    PSK_WITH_AES_256_CBC_SHA384
    PSK_WITH_AES_256_CBC_SHA
    DH_anon_WITH_AES_128_GCM_SHA256
    DH_anon_WITH_AES_128_CBC_SHA256
    DH_anon_WITH_AES_128_CBC_SHA
Traceback (most recent call last):
  File "./connect.py", line 42, in <module>
    main()
  File "./connect.py", line 39, in main
    assert connection_test(args.username, args.password, args.host, args.port, args.secure)
  File "./connect.py", line 14, in connection_test
    session = client.createSession(username, password)
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/omero/clients.py", line 653, in createSession
    prx = rtr.createSession(username, password, ctx)
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/Glacier2_Router_ice.py", line 258, in createSession
    return _M_Glacier2.Router._op_createSession.invoke(self, ((userId, password), _ctx))
Ice.ConnectionLostException: Ice.ConnectionLostException:
recv() returned zero
!! 05/01/20 09:28:16.842 error: communicator not destroyed during global destruction.

I’m definitely getting a different error, but my API client (and my web interface) cannot connect to OMERO.server. Do I need to do anything other than running omero certificates in my OMERO.server? Or should the omero certificates command generate certs that just work?

The error you see in the web logs I see as well on production. I suspect it’s because I’ve enabled django debug logs for OMERO.web. It hasn’t caused us any problems, it just scares me :wink:

The default for omero-certificates is to write them to a subdirectory of your omero.data.dir. This is something we’ll review as part of our future certificate work.

Since the OMERO data directory is only mounted at runtime, not build time, your certificates are effectively written to a directory that is then lost. For now you could either set omero.glacier2.IceSSL.DefaultDir to a directory inside the Docker image, or alternatively run the plugin at run-time.

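Added example, not part of the thread and not OMERO project code: a small check for the failure described in the reply above, where certificates generated at image build time sit under a directory that a runtime volume mount then hides. The config text is a constructed sample in the `omero config get` format shown earlier; the function names, the mount list and the replacement directory `/opt/omero/server/certs` are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample in `omero config get` format (values mirror the thread).
SAMPLE_CONFIG = """\
omero.data.dir=/OMERO
omero.glacier2.IceSSL.CAs=server.pem
omero.glacier2.IceSSL.CertFile=server.p12
omero.glacier2.IceSSL.DefaultDir=/OMERO/certs
"""

def parse_config(text):
    """Parse key=value lines into a dict, ignoring lines without '='."""
    config = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            config[key.strip()] = value.strip()
    return config

def cert_paths(config):
    """Resolve CertFile and CAs against IceSSL.DefaultDir."""
    prefix = "omero.glacier2.IceSSL."
    base = PurePosixPath(config[prefix + "DefaultDir"])
    keys = [k for k in ("CertFile", "CAs") if prefix + k in config]
    return [base / config[prefix + k] for k in keys]

def masked_by_mount(path, runtime_mounts):
    """Return the runtime mount point that hides `path`, or None."""
    path = PurePosixPath(path)
    for mount in map(PurePosixPath, runtime_mounts):
        if path == mount or mount in path.parents:
            return str(mount)
    return None

def audit(config_text, runtime_mounts):
    """List (cert file, mount) pairs for build-time certs a mount would hide."""
    findings = []
    for path in cert_paths(parse_config(config_text)):
        mount = masked_by_mount(path, runtime_mounts)
        if mount:
            findings.append((str(path), mount))
    return findings

if __name__ == "__main__":
    # /OMERO is the data directory, mounted only when the container starts.
    for path, mount in audit(SAMPLE_CONFIG, ["/OMERO"]):
        print(f"{path} is hidden by the runtime mount at {mount}")
    # Hypothetical in-image directory, outside any runtime mount.
    fixed = SAMPLE_CONFIG.replace("/OMERO/certs", "/opt/omero/server/certs")
    print("after moving DefaultDir:", audit(fixed, ["/OMERO"]))
```
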

Moving the certs directory worked great, though I had to remove the debugging. Something about the debugging statements I had before broke my connection with the following error:

DEBUG:omero.gateway:connect(): Traceback (most recent call last):
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/omero/clients.py", line 297, in _initData
    self.__ic = Ice.initialize(id)
  File "/Users/broarr/src/riddc/omero-test/.venv/lib/python3.7/site-packages/Ice.py", line 705, in initialize
    communicator = IcePy.Communicator(args, data)
Ice.EndpointParseException: exception ::Ice::EndpointParseException
{
    str = unrecognized argument `not' in endpoint `ssl -p 4064 -h <"omero.host" not set>'
}

During handling of the above exception, another exception occurred:

Reverting back to only the BlitzGateway connection worked like a charm.

$ poetry run python connect.py -H 10.211.55.2 -p 4064 -s root root
connecting to 10.211.55.2:4064 secure=True
DEBUG:omero.gateway:Connect attempt, sUuid=None, group=None, self.sUuid=None
DEBUG:omero.gateway:Creating Session...
DEBUG:omero.gateway.utils:Setting 'omero.client.uuid' to 'c811d163-815d-439d-869f-6c2aa4b93d6f'
DEBUG:omero.gateway.utils:Setting 'omero.event' to 'Internal'
DEBUG:omero.gateway.utils:Setting 'omero.session.uuid' to '1218d885-6218-441c-a872-eb5c1592f84b'
DEBUG:omero.gateway.utils:Key 'omero.group' not found in <ServiceOptsDict: {'omero.client.uuid': 'c811d163-815d-439d-869f-6c2aa4b93d6f', 'omero.event': 'Internal', 'omero.session.uuid': '1218d885-6218-441c-a872-eb5c1592f84b'}>
DEBUG:omero.gateway.utils:Key 'omero.user' not found in <ServiceOptsDict: {'omero.client.uuid': 'c811d163-815d-439d-869f-6c2aa4b93d6f', 'omero.event': 'Internal', 'omero.session.uuid': '1218d885-6218-441c-a872-eb5c1592f84b'}>
DEBUG:omero.gateway:Session created
DEBUG:omero.gateway:## Creating proxies
INFO:omero.gateway:created connection (uuid=1218d885-6218-441c-a872-eb5c1592f84b)
DEBUG:omero.gateway:.. connected!
INFO:omero.gateway:closed connection (uuid=1218d885-6218-441c-a872-eb5c1592f84b)

I’ve updated my test repository for completeness. Thanks for all your help!