kadrach/pre-commit-gitlabci-lint

macOS: SSL certificates may not be installed

IvanBoyko opened this issue · 4 comments

Brilliant tool, thanks for creating it.
There is a little problem specifically on macOS.

It fails with:

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1051)>

unless Python certificates are explicitly installed.
They were not on my machine.
It's a one-off operation and I was fine to do it manually once.

However, if you'd like you can probably incorporate the check into your script for the error message above.
Then you can check whether it's macOS and print additional instructions about installing certificates, for example either: pip install certifi

I'm sure it will save lots of people their time.

See some relevant links:

I'm having issues reproducing this on the two OSX systems I have available. Are you using a custom GitLab domain, or the public https://gitlab.com endpoint?

Are you able to provide the output of both the following?

uname -a
openssl s_client -connect gitlab.com:443  # redact identifying details if necessary 

(To clarify, I can reproduce the error if I force the system default certificates to be ignored. But my systems seem to have up-to-date certificates for at least gitlab.com.)
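The check proposed in the opening comment, written out as an added example; this is not the project's own code, and it assumes (as the reported traceback suggests) that the hook fetches the GitLab lint API through urllib.request. The names fetch, guidance_for, is_cert_verify_failure and build_ssl_context are hypothetical. It recognises the CERTIFICATE_VERIFY_FAILED error, prints macOS-specific guidance, and adds the certifi bundle to the verifying context when the package is installed, rather than turning verification off.

```python
"""Detect a missing CA bundle on macOS and tell the user how to fix it.

Added example, not code from pre-commit-gitlabci-lint. Assumes the linter
uses urllib.request; all function names here are hypothetical.
"""
import platform
import ssl
import urllib.error
import urllib.request

# Guidance shown only on macOS, matching the fixes mentioned in the issue.
MACOS_HINT = (
    "Python could not find a trusted CA bundle to verify the server certificate.\n"
    "On macOS, python.org installers ship a separate 'Install Certificates.command'\n"
    "in /Applications/Python 3.x/; run it once, or install the certifi package\n"
    "(pip install certifi) so that a CA bundle is available to Python."
)
GENERIC_HINT = "Certificate verification failed; check the system CA store."


def is_cert_verify_failure(exc: BaseException) -> bool:
    """True when exc is the CERTIFICATE_VERIFY_FAILED error, possibly wrapped
    in a urllib.error.URLError (urlopen wraps the ssl error as .reason)."""
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        return True
    return isinstance(reason, ssl.SSLError) and "CERTIFICATE_VERIFY_FAILED" in str(reason)


def guidance_for(exc: BaseException, system: str = None) -> str:
    """Return the hint to print for exc, or '' when it is not a trust-store problem.
    system defaults to platform.system(); 'Darwin' is macOS."""
    if not is_cert_verify_failure(exc):
        return ""
    system = system or platform.system()
    return MACOS_HINT if system == "Darwin" else GENERIC_HINT


def build_ssl_context() -> ssl.SSLContext:
    """Verifying TLS context: the system store, plus certifi's bundle when the
    package is installed. Verification stays CERT_REQUIRED in every case."""
    ctx = ssl.create_default_context()
    try:
        import certifi  # optional dependency; absent on a bare interpreter
        ctx.load_verify_locations(cafile=certifi.where())
    except ImportError:
        pass
    return ctx


def fetch(url: str, context: ssl.SSLContext = None) -> bytes:
    """Fetch url; on a trust-store failure exit with the platform-specific hint."""
    try:
        with urllib.request.urlopen(url, context=context or build_ssl_context()) as resp:
            return resp.read()
    except urllib.error.URLError as exc:
        hint = guidance_for(exc)
        if hint:
            raise SystemExit(f"{exc}\n\n{hint}") from exc
        raise
```

Wiring this into the hook means catching the URLError around the existing urlopen call and printing guidance_for(exc) before exiting non-zero; the hint is only shown for the certificate-verification case, so other network failures keep their original message.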

I am using https://gitlab.com

To be honest I struggle to reproduce it myself.
I have 2 machines and the Python version is different on each.

On the first machine, where I had this problem (and fixed it by installing certificates for Python):

$ python --version
Python 3.7.1

$ uname -a
Darwin ***** 18.2.0 Darwin Kernel Version 18.2.0: Thu Dec 20 20:46:53 PST 2018; root:xnu-4903.241.1~1/RELEASE_X86_64 x86_64

$ openssl s_client -connect gitlab.com:443
CONNECTED(00000005)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = gitlab.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=gitlab.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGZjCCBU6gAwIBAgIQRmnANMV3ADz9xhrIA4byqDANBgkqhkiG9w0BAQsFADCB
.......
23XsXYfNjMT1dA==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=gitlab.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5250 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: AD9281286AB9D1B7CE790F225393104F23700117BD66B164B59277B058988B0A
    Session-ID-ctx: 
    Master-Key: B5085772793E11D38C0EFFA32C0AD87317FE9A5BCDDF7FAE3BA1339927CEAC743EEE1D9ED75F5EF7A9D6737E3C3B2BAE
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 79 d8 5e 61 ec 94 65 79-43 79 ba 0f be 03 d7 c0   y.^a..eyCy......
    0010 - 79 b3 70 96 57 2e ae 16-7e 29 aa ca 60 c6 ab a5   y.p.W...~)..`...
    0020 - ee f5 29 cc 5a 30 fc 7d-9c 46 45 8b 42 6b 69 23   ..).Z0.}.FE.Bki#
    0030 - 5e 02 e1 64 74 c0 82 51-47 0b 56 9b c7 a9 15 2a   ^..dt..QG.V....*
    0040 - e3 05 0b ea 95 ab 5f 65-ef bc b6 f2 d2 63 17 8d   ......_e.....c..
    0050 - 6b 33 9c c8 06 99 55 04-cc 8d c9 2e c5 fb 00 ef   k3....U.........
    0060 - e3 80 91 07 79 7e b4 96-57 9f 68 79 88 a7 43 2a   ....y~..W.hy..C*
    0070 - 3b ff 6b 23 c4 8c 9a 30-fe 75 a7 cc b3 98 5c b5   ;.k#...0.u....\.
    0080 - 1b 24 69 2a 7c 16 f3 16-b8 d7 81 59 af af b3 f8   .$i*|......Y....
    0090 - 41 f6 92 d3 46 0e f4 e7-e4 7c a0 5a 6e a7 23 6c   A...F....|.Zn.#l

    Start Time: 1550653890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
GET /
HTTP/1.0 400 Bad Request
...

On the second Mac that I have, I didn't install Python certificates explicitly (certainly not via pip).
But your code works there!

$ python --version
Python 3.7.2

$ uname -a
Darwin ****** 18.2.0 Darwin Kernel Version 18.2.0: Thu Dec 20 20:46:53 PST 2018; root:xnu-4903.241.1~1/RELEASE_X86_64 x86_64

$ openssl s_client -connect gitlab.com:443
CONNECTED(00000005)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = gitlab.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=gitlab.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGZjCCBU6gAwIBAgIQRmnANMV3ADz9xhrIA4byqDANBgkqhkiG9w0BAQsFADCB
...........
23XsXYfNjMT1dA==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=gitlab.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5250 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E37CB219E98121D80CE89900CD70ED53C4B28FF5288B03012576243341422873
    Session-ID-ctx: 
    Master-Key: 95C543716A3B76D412A6C45B46669F68EDF2434DE9758F570ECAE60DD9FA128E56A85384773CD2024B7A51BEE26FEC40
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 93 59 47 f3 6a a8 3b 86-c0 2b 8e 8b af 09 02 62   .YG.j.;..+.....b
    0010 - 7b a8 19 e7 43 22 e5 0b-55 32 23 4a ce dd f7 65   {...C"..U2#J...e
    0020 - a8 f1 a9 f7 50 11 e2 89-cb 52 d7 40 2a 4f c7 c9   ....P....R.@*O..
    0030 - ac 42 3d 2a 41 b0 bf f3-00 6f a4 09 70 bc 4b e6   .B=*A....o..p.K.
    0040 - 63 f5 13 d3 53 e6 8b e2-22 20 8e 0b a8 34 60 49   c...S..." ...4`I
    0050 - a5 05 53 ee 8f ad dc 3f-ba e1 f7 18 5a bf 98 1b   ..S....?....Z...
    0060 - f3 7c a6 f7 e6 9f ec c1-7f 7c 05 e1 ec ff c8 56   .|.......|.....V
    0070 - 6a 2c d2 38 56 30 e9 ae-ae b1 80 d8 95 e2 f3 48   j,.8V0.........H
    0080 - 05 aa 5f a6 dc 3e 42 d6-fe 60 d5 5b 15 62 4f 15   .._..>B..`.[.bO.
    0090 - 77 33 82 20 01 0f ba c5-9b c0 39 0c 30 f3 68 1e   w3. ......9.0.h.

    Start Time: 1550652911
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
GET /
HTTP/1.0 400 Bad Request
...