No support for client certificate chains. urllib3 1.19.1
Ran into an issue with client certificates where chain validation is failing.
Originally reported: https://github.com/kennethreitz/requests/issues/3732
Traceback:
Traceback (most recent call last):
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
cnx.do_handshake()
File "/apps/lemur/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1424, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/apps/lemur/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1172, in _raise_ssl_error
_raise_current_error()
File "/apps/lemur/lib/python3.5/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_READ_BYTES', 'tlsv1 alert unknown ca')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 835, in _validate_conn
conn.connect()
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'tlsv1 alert unknown ca')],)",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/apps/lemur/lib/python3.5/site-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'tlsv1 alert unknown ca')],)",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/apps/lemur/lemur/common/schema.py", line 147, in decorated_function
resp = f(*args, **kwargs)
File "/apps/lemur/lemur/certificates/views.py", line 271, in post
return service.create(**data)
File "/apps/lemur/lemur/certificates/service.py", line 218, in create
cert_body, private_key, cert_chain = mint(**kwargs)
File "/apps/lemur/lemur/certificates/service.py", line 167, in mint
cert_body, cert_chain = issuer.create_certificate(csr, kwargs)
File "/apps/lemur/lemur-cloudca/lemur_cloudca/plugin.py", line 332, in create_certificate
response = self.post(endpoint, cloudca_options)
File "/apps/lemur/lemur-cloudca/lemur_cloudca/plugin.py", line 163, in post
response = self.session.post(self.url + endpoint, data=dumps(data), timeout=10, verify=self.ca_bundle)
File "/apps/lemur/lib/python3.5/site-packages/requests/sessions.py", line 535, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/apps/lemur/lib/python3.5/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/apps/lemur/lib/python3.5/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/apps/lemur/lib/python3.5/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'tlsv1 alert unknown ca')],)",)
Traceback (most recent call last):
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 835, in _validate_conn
conn.connect()
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/apps/lemur/lib/python3.5/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'tlsv1 alert unknown ca')],)",)
Reproduce with:
import requests
from requests.adapters import HTTPAdapter


class HostNameCheckingAdapter(HTTPAdapter):
    # Keep the normal certificate verification but switch off hostname
    # matching on the connection; the handshake still fails with "unknown ca".
    def cert_verify(self, conn, url, verify, cert):
        super(HostNameCheckingAdapter, self).cert_verify(conn, url, verify, cert)
        conn.assert_hostname = False


s = requests.Session()
s.mount('https://', HostNameCheckingAdapter())
# client.crt holds the leaf certificate followed by its chain
s.cert = ('client.crt', 'client.key')
s.get('https://example.com', verify='path-to-ca-bundle')
Per @Lukasa's comment, modifying the following line in pyopenssl.py resolves the issue:
self._ctx.use_certificate_file(certfile)
to
self._ctx.use_certificate_chain_file(certfile)
Issue Analytics
- Created 7 years ago
- Comments: 18 (16 by maintainers)
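A preflight check for the file handed to s.cert, as an added example that is not code from urllib3, requests or Lemur: it splits the client certificate file into its PEM blocks and models which of them each loader would present to the server. use_certificate_file loads only the first block, the leaf, so the intermediates never reach the server and it cannot build a path to a CA it trusts, which is the "tlsv1 alert unknown ca" in the traceback above. use_certificate_chain_file, like the standard library's ssl.SSLContext.load_cert_chain, loads the first block as the leaf and the remaining blocks as the chain. The sample bundle is constructed with placeholder base64 payloads rather than real DER, and the function names (split_pem_certificates, certificates_presented, chain_certs_dropped, inspect_client_cert) are this example's own.

```python
import base64
import re
import ssl
from typing import Dict, List

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def _placeholder_pem(label: str) -> str:
    """Constructed PEM block whose payload is just `label`, not real DER."""
    body = base64.encodebytes(label.encode("ascii")).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample of a client cert file written the way OpenSSL expects a
# chain file: leaf first, then the issuing intermediate(s).
SAMPLE_BUNDLE = (
    _placeholder_pem("leaf: CN=client")
    + _placeholder_pem("intermediate: CN=Issuing CA")
    + _placeholder_pem("root: CN=Root CA")
)


def split_pem_certificates(pem_text: str) -> List[str]:
    """Return every CERTIFICATE block in the bundle, in file order."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(pem_text)]


def certificates_presented(pem_text: str, loader: str) -> List[bytes]:
    """Model which certificates the TLS stack will send in the handshake.

    loader="use_certificate_file": only the first block is loaded, which is
        what urllib3's pyOpenSSL contrib did in 1.19.1.
    loader="use_certificate_chain_file": the first block is the leaf and the
        remaining blocks become the chain, which is the fix (and what the
        standard library's ssl.SSLContext.load_cert_chain does).
    """
    blocks = split_pem_certificates(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found in bundle")
    if loader == "use_certificate_file":
        chosen = blocks[:1]
    elif loader == "use_certificate_chain_file":
        chosen = blocks
    else:
        raise ValueError("unknown loader: %r" % loader)
    # PEM_cert_to_DER_cert only strips the armor and base64-decodes, so it
    # works on the placeholder payloads as well as on real certificates.
    return [ssl.PEM_cert_to_DER_cert(block) for block in chosen]


def chain_certs_dropped(pem_text: str, loader: str) -> int:
    """How many certificates in the file the loader silently leaves out."""
    total = len(split_pem_certificates(pem_text))
    return total - len(certificates_presented(pem_text, loader))


def inspect_client_cert(path: str) -> Dict[str, int]:
    """Preflight for a real file given to requests' Session.cert."""
    with open(path, "r", encoding="utf-8") as fh:
        pem_text = fh.read()
    return {
        "certificates_in_file": len(split_pem_certificates(pem_text)),
        "dropped_by_use_certificate_file":
            chain_certs_dropped(pem_text, "use_certificate_file"),
        "dropped_by_use_certificate_chain_file":
            chain_certs_dropped(pem_text, "use_certificate_chain_file"),
    }


if __name__ == "__main__":
    for loader in ("use_certificate_file", "use_certificate_chain_file"):
        sent = certificates_presented(SAMPLE_BUNDLE, loader)
        print(loader, "presents", len(sent), "certificate(s);",
              chain_certs_dropped(SAMPLE_BUNDLE, loader), "dropped")
```

Run inspect_client_cert('client.crt') against the real file to see how many chain certificates the old loader would drop; a result of 0 for use_certificate_file means the file holds a bare leaf and the chain was never in it to begin with. This is a model of the two loaders rather than a call into pyOpenSSL, and the leaf-first ordering it assumes is the one OpenSSL requires for a chain file. The bug is specific to the pyOpenSSL contrib path: urllib3's standard library path already goes through load_cert_chain.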
Are there any plans for releasing this any time soon? As a work around to it, is it possible to make urllib3 used by requests not use pyOpenSSL even if it’s installed? Thanks
@Lukasa pull request in 😄.