ktdreyer/jenkins-job-wrecker

SSL Certificate failed to verify, unable to jjwreck

mbassett opened this issue · 4 comments

Traceback (most recent call last):
  File "/home/mbassett/.local/bin/jjwrecker", line 11, in <module>
    sys.exit(main())
  File "/home/mbassett/.local/lib/python2.7/site-packages/jenkins_job_wrecker/cli.py", line 193, in main
    for job in server.get_jobs():
  File "/home/mbassett/.local/lib/python2.7/site-packages/jenkins/__init__.py", line 765, in get_jobs
    return self.get_all_jobs(folder_depth=folder_depth)
  File "/home/mbassett/.local/lib/python2.7/site-packages/jenkins/__init__.py", line 814, in get_all_jobs
    jobs = [(0, "", self.get_info(query=JOBS_QUERY)['jobs'])]
  File "/home/mbassett/.local/lib/python2.7/site-packages/jenkins/__init__.py", line 551, in get_info
    Request(self._build_url(url))
  File "/home/mbassett/.local/lib/python2.7/site-packages/jenkins/__init__.py", line 430, in jenkins_open
    self.maybe_add_crumb(req)
  File "/home/mbassett/.local/lib/python2.7/site-packages/jenkins/__init__.py", line 303, in maybe_add_crumb
    self._build_url(CRUMB_URL)), add_crumb=False)
  File "/home/mbassett/.local/lib/python2.7/site-packages/jenkins/__init__.py", line 461, in jenkins_open
    raise JenkinsException('Error in request: %s' % (e.reason))
jenkins.JenkinsException: Error in request: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

I am not finding any way to tell jenkins to not ssl verify :(

The jenkins API python library seems to have this ability but not python-jenkins?
http://tims.io/disabling-ssl-verification-in-python-jenkins-api/

Hi Mark, thanks for the report. This would be a good thing to document.

Unfortunately the instructions you linked are for the jenkinsapi module, not the python-jenkins module that jenkins-job-wrecker and jenkins-job-builder use. It's going to be a little tricky to disable SSL verification because I don't see a way to do that with python-jenkins.

What OS are you running jjwrecker on? Would you please run this through strace to determine the certificate store that your Python is using?

strace -e open -o /tmp/strace.txt jjwrecker -s https://jenkins.example.com

The output is large, so you can email it to me (ktdreyer@ktdreyer.com) if you want.

I'm looking for any open() calls that appear to try to open files like /etc/pki/tls/certs/ca-bundle.crt (RPM-based Linux) or /etc/ssl/certs/ca-certificates.crt (Deb-based Linux).

Once we find out what certificate store your Python is using, you can add Jenkins' certificate to that store. Display your PEM-formatted cert with this command:

openssl s_client -connect jenkins.example.com:443 < /dev/null 2>&1 | openssl x509

Copy everything, from -----BEGIN CERTIFICATE----- all the way down to -----END CERTIFICATE-----, and paste that into your certificate store.

Has this worked for you, @mbassett? I'm getting the same error after importing the CA and running c_rehash.

The good news is that the python-jenkins project recently switched to using requests for HTTP, so users can easily point at a CA with the REQUESTS_CA_BUNDLE=/path/to/your-CA.crt environment variable.

This feature is not yet available in a tagged python-jenkins release, though.

python-jenkins v1.0.0 is now available. Could you try upgrading and let me know how it goes when you set the REQUESTS_CA_BUNDLE=/path/to/your-CA.crt environment variable?
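Added example, not part of this thread or of python-jenkins or jenkins-job-wrecker: a Python 3 check that lists the CA stores a client would consult (the two environment variables requests honours, then the OpenSSL defaults Python's ssl module reports) and confirms that a bundle file holds well-formed PEM certificate blocks, so trust can be fixed instead of disabling verification. The function names `candidate_ca_stores` and `count_pem_certs` are hypothetical.

```python
import base64
import os
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def candidate_ca_stores(environ=None):
    """Return (source, path) pairs in the order they would be consulted."""
    environ = os.environ if environ is None else environ
    stores = []
    # requests (used by python-jenkins >= 1.0.0) reads these, in this order.
    # With neither set it normally falls back to its certifi bundle (not listed).
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if environ.get(var):
            stores.append((var, environ[var]))
    # Clients built on Python's own ssl module use OpenSSL's default locations.
    paths = ssl.get_default_verify_paths()
    for source, path in (("openssl cafile", paths.cafile),
                         ("openssl capath", paths.capath)):
        if path:
            stores.append((source, path))
    return stores


def count_pem_certs(path):
    """Count well-formed PEM certificate blocks in a bundle file."""
    with open(path, "r", errors="replace") as handle:
        text = handle.read()
    count = 0
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every X.509 certificate is a DER SEQUENCE, which starts with 0x30.
        if not der.startswith(b"\x30"):
            raise ValueError("block %d is not DER-encoded" % (count + 1))
        count += 1
    return count


if __name__ == "__main__":
    for source, path in candidate_ca_stores():
        if os.path.isfile(path):
            detail = "%d certificate(s)" % count_pem_certs(path)
        else:
            detail = "directory" if os.path.isdir(path) else "missing"
        print("%-20s %s (%s)" % (source, path, detail))
```

A count of zero for the file named in REQUESTS_CA_BUNDLE means the paste from `openssl x509` did not land in that file as a complete BEGIN/END block.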