Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

API & Integration, DevOps,NetOps,SecOps

Reply

SSLError: certificate verify failed

[ Edited ]
Adviser
Posts: 51
1031     0

I'm currently testing a portion of code from FHecker.  My Grid Master uses SSL auth and I don't know where/how to supply the cert/cert chain to access my Grid via Python.  I'm assuming the following error is related to this same issue...it can't find the certificate: "ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed"

 

I'm testing on a Linux workstation.  What's the best way to resolve this?

 

Code:

# Import the required Python modules.
import requests
import json
import getpass
import sys

# Set parameters to access the NIOS WAPI.
url = 'https://infoblox.foo.com/wapi/v2.9.5/'
id = 'apiuser'  # Userid with WAPI access
#valid_cert = True  # False if GM uses self-signed certificate
valid_cert = '/path/to/cert/infoblox.cer'

# Prompt for the API user password.
pw = getpass.getpass('Password for user ' + id + ': ')

# Retrieve all network views.
r = requests.get(url + 'networkview',
                 auth=(id, pw),
                 verify=valid_cert)
if r.status_code != requests.codes.ok:
    print (r.text)
    exit_msg = 'Error {} finding network views: {}'
    sys.exit(exit_msg.format(r.status_code, r.reason))
results = r.json()

# Save the authentication cookie for use in subsequent requests.
ibapauth_cookie = r.cookies['ibapauth']
print ('Authentication cookie: ', ibapauth_cookie)

# Print the names of the network views.
print ('Network views')
for result in results:
    print (result['name'])

Errors:

Traceback (most recent call last):
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connection.py", line 360, in connect
    ssl_context=context,
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/path/to/python/lib64/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='infoblox.foo.com', port=443): Max retries exceeded with url: /wapi/v2.9.5/networkview (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "getviews.py", line 22, in <module>
    verify=valid_cert)
  File "/path/to/python/lib64/python3.6/site-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/path/to/python/lib64/python3.6/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/path/to/python/lib64/python3.6/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/path/to/python/lib64/python3.6/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/path/to/python/lib64/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='infoblox.foo.com', port=443): Max retries exceeded with url: /wapi/v2.9.5/networkview (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)) 

 

Re: SSLError: certificate verify failed

Authority
Posts: 14
1031     0

Sorry for breaking in this 3 year old thread but no one seems to have an answer anyway.
I am having the same issue and our Grid Master does have a valid HTTPS certificate.

In the webgui we don't get any warnings and the certificate is valid.

However when we do an api call from python we get the same error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='REMOVED FOR SECURITY REASONS', port=443): Max retries exceeded with url: /wapi/v2.7/zone_rp (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certifica
te verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))

When we disable the warning by using this code in the beginning:

requests.packages.urllib3.disable_warnings()

 

The script runs fine, but we don't want to disable SSL verification warnings.

According to the WAPI Admin guide it says the following:

 

WAPI uses HTTPS (HTTP over SSL/TLS) as the transport mechanism. The server certificate used for WAPI is the same certificate used by NIOS for the GUI and PAPI

How come the python api call does see a self signed certificate in the chain ?

Showing results for 
Search instead for 
Did you mean: 

Recommended for You