Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

API & Integration, DevOps,NetOps,SecOps

Reply

SSLError: certificate verify failed

[ Edited ]
Adviser
Posts: 51
3834     0

I'm currently testing a portion of code from FHecker.  My Grid Master uses SSL auth and I don't know where/how to supply the cert/cert chain to access my Grid via Python.  I'm assuming the following error is related to this same issue...it can't find the certificate: "ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed"

 

I'm testing on a Linux workstation.  What's the best way to resolve this?

 

Code:

# Import the required Python modules.
import requests
import json
import getpass
import sys

# Set parameters to access the NIOS WAPI.
url = 'https://infoblox.foo.com/wapi/v2.9.5/'
id = 'apiuser'  # Userid with WAPI access
#valid_cert = True  # False if GM uses self-signed certificate
valid_cert = '/path/to/cert/infoblox.cer'

# Prompt for the API user password.
pw = getpass.getpass('Password for user ' + id + ': ')

# Retrieve all network views.
r = requests.get(url + 'networkview',
                 auth=(id, pw),
                 verify=valid_cert)
if r.status_code != requests.codes.ok:
    print (r.text)
    exit_msg = 'Error {} finding network views: {}'
    sys.exit(exit_msg.format(r.status_code, r.reason))
results = r.json()

# Save the authentication cookie for use in subsequent requests.
ibapauth_cookie = r.cookies['ibapauth']
print ('Authentication cookie: ', ibapauth_cookie)

# Print the names of the network views.
print ('Network views')
for result in results:
    print (result['name'])

Errors:

Traceback (most recent call last):
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connection.py", line 360, in connect
    ssl_context=context,
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/path/to/python/lib64/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/path/to/python/lib64/python3.6/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='infoblox.foo.com', port=443): Max retries exceeded with url: /wapi/v2.9.5/networkview (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "getviews.py", line 22, in <module>
    verify=valid_cert)
  File "/path/to/python/lib64/python3.6/site-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/path/to/python/lib64/python3.6/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/path/to/python/lib64/python3.6/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/path/to/python/lib64/python3.6/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/path/to/python/lib64/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='infoblox.foo.com', port=443): Max retries exceeded with url: /wapi/v2.9.5/networkview (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)) 

 

Re: SSLError: certificate verify failed

Authority
Posts: 14
3835     0

Sorry for breaking in this 3 year old thread but no one seems to have an answer anyway.
I am having the same issue and our Grid Master does have a valid HTTPS certificate.

In the webgui we don't get any warnings and the certificate is valid.

However when we do an api call from python we get the same error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='REMOVED FOR SECURITY REASONS', port=443): Max retries exceeded with url: /wapi/v2.7/zone_rp (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certifica
te verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))

When we disable the warning by using this code in the beginning:

requests.packages.urllib3.disable_warnings()

 

The script runs fine, but we don't want to disable SSL verification warnings.

According to the WAPI Admin guide it says the following:

 

WAPI uses HTTPS (HTTP over SSL/TLS) as the transport mechanism. The server certificate used for WAPI is the same certificate used by NIOS for the GUI and PAPI

How come the python api call does see a self signed certificate in the chain ?

Showing results for 
Search instead for 
Did you mean: 

Recommended for You