I'm trying to use a certificate without success. I'm using it like this:
r = requests.get('https://server:8443/teste', auth=HTTPBasicAuth('USER', 'PASSWORD'), verify='/home/path/certificate.crt')
and I got the error:
requests.exceptions.SSLError:
HTTPSConnectionPool(host='server', port=8443): Max
retries exceeded with url: /teste (Caused by
SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed (_ssl.c:590)'),))
However I'm able to use the certificate with curl(if this help identifying the problem):
curl -s --cacert /home/path/certificate.crt -u USER:PASSWORD https://server:8443/teste
Can you help me make this work with the certificate?
Related
Environment: Azure Kubernetes Cluster
Container: Dotnetcore 2.2 Linux
The dot-net core application was able to query the external partner API endpoint but suddenly it started throwing the below is the mentioned exception
ExceptionId: c6c603bb-91cc-4556-98bf-d747903f522a. Error Message: The SSL connection could not be established, see inner exception.. Error Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Also tried the curl command from inside busybox pod and getting this error
Curl command : curl --location --request GET 'external url' --header 'Authorization: token'
Error:
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Note:
Other partner API calls are working fine, except this particular partner but the curl from the local system is working. From Pod, it is throwing an error.
What can be the issue:
External partner SSL expired. Which the partner is saying that it has not
External partner SSL is cached and now invalid in Kubernetes
Kubernetes configuration is the problem. What can be the correct one
I have a website that is hosted behind company's network. You could only connect to it using the client.crt and client.key. This client.crt is signed by a self signed ca.crt which is referenced in the apache config file.
I installed the server certificate (servercrt.crt) on my machine and can make a curl request with no issues:
curl https://my_url.com:53234 --cert path/to/client.crt --key path/to/client.key
I also imported the client.crt in the browser. When navigate to the url the browser asks to select the client certificate. Once selected the right client certificate, it opens up the page without issues.
However, I have problems with python. When I try to connect using python:
import requests
clientcertfile = './client.crt'
clientcertkeyfile = './client.key'
servercert = './servercert.pem'
requests.get(url='https://my_url.com:53234, cert= (clientcertfile, clientcertkeyfile), verify = servercert)
I get the following error:
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')
But, I can connect to this url when set the verify=False which I don't want. The requests package just displays a warning that its better not to set the verify=False option.
I have looked at here, here and here but no joy.
Any ideas?
Apparently, I was using the wrong ca.crt for the server. Once I replaced it with the right certificate. It fixed the issue.
#Steffen's comment helped solved the issue.
I need to get information about a VM using curl with REST calls. I have this information where 1701 is the VM ID
GET /api/v1/vms/1701 HTTP/1.1
Host: vmlam.ral.sf.com
Authorization: Token token=4210
I tried this in cygwin but it did not work
c:/curl-7.69.0-win64-mingw/bin/curl -X GET -d '{Authorization: Token token=4210}' 'https:/vmlam.ral.sf.com//api/v1/vms/1701'
curl: (60) SSL certificate problem: unable to get local issuer
certificate More details here: curl.haxx.se/docs/sslcerts.html curl
failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this
situation and how to fix it, please visit the web page mentioned
above.
That seems like a certificate issue, you can skip the check with the option -k (or --insecure)
From curl documentation (man curl):
-k, --insecure
(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections other‐
wise considered insecure.
The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store.
See this online resource for further details:
https://curl.haxx.se/docs/sslcerts.html
See also --proxy-insecure and --cacert.
I am disabling certificate verification using the following command:
getsessionkey = requests.post(AUTH_URL, headers=headers, data=data, verify=False)
I use above command in a script that calls an API to retrieve data from it. When I run my script, I have the following error:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
I understand from that error that the script could not verify the distant's API certificate. But I am explicitely disabling the verification, I am at loss as to how to interpret this.
If the problem cannot be resolved, how can I add my certificate to the certificate truststore?
P.S: Disabling certificate verification has always worked for me so far. I started to have the error above since a recent security update.
Thanks for helping.
I want to use Cloudify 3.1 with my Openstack in my company.
Unfortunately, I had the prolem that the keystone authentication failed.
When I see the log,it says,"SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
I think it is HTTPS that make it failed. I see the curl below.
curl -i 'https://identity.example.com/v2.0/tokens' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "xxxx", "passwordCredentials": {"username": "xxxx", "password": "xxxxx"}}}'
HTTP/1.0 200 Connection Established
Proxy-agent: Apache
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
How can I make the curl succeed without using -k or --insecure?
OR IF ANYONE HAS THE EXPERIENCE TO DO WITH openstack THAT KEYSTONE IS USING HTTPS WHEN INSTALLING Cloudify?
Using Openstack services with insecure SSL certificates is not possible in Cloudify 3.1. However, in Cloudify 3.2 it's possible to pass the --insecure (or ca_cert) flags directly to be used by the Openstack clients.
You can read the documentation for this feature here:
http://getcloudify.org/guide/3.2/plugin-openstack.html#openstack-configuration
So, for example, to use Nova service with insecure certificate, your Openstack configuration could look something like this:
openstack_config:
...
custom_configuration:
nova_client:
insecure: true
Hope this helps.
The SSL certificate could be invalid for a number of reasons. I've even seen where people forgot to reload the web server after updating the certificate. But, it is telling you what the overall problem is - you need a valid SSL certificate that is installed correctly.
Using curl -k or curl --insecure is perfectly fine in a development environment. For production, you can use an SSL Checker to test the SSL certificate and find out why it is being reported as invalid.
Recently,I look the github of cloudify.
They are resolving my problem,the problem linkenter link description here
the work is on progressing.