muxinc/mux-python

how I can change the value of verify_ssl?

Closed this issue · 21 comments

self.verify_ssl = True

maybe you need to add this variable to the Configuration Constructor parameters so that it can be initialized when creating the API?

def __init__(self, host=None, ..., verify_ssl = True)

and then:
self.verify_ssl = verify_ssl

Hi @gts-work,

That can't be overridden right now, you'd have to run a forked copy of mux-python with the True changed.

Can you give me some understanding of what you're looking to achieve by disabling TLS verification?

Thanks!

Hi @geneticgenesis,
When I make a request to download a file, I get the error:
"
MaxRetryError
HTTPSConnectionPool(host='api.mux.com', port=443): Max retries exceeded with url: /video/v1/uploads/BDRlguJ4wVySEgvPvWMnjPPb6yAhGd1MffXcLhVbUys (Caused by SSLError (hands , 'tls_process_server_certificate', 'certificate verify failed')],) ",),))
"

I added
:param ssl_ca_cert: str - the path to a file of concatenated CA certificates in PEM format.

But I still get the "MaxRetryError" error. We use a letsencrypt SSL certificate.

Hey @gts-work, thanks for the reply.

The best way to resolve this issue is to resolve the issues with the (likely outdated) root certificates on the underlying system.

Tying yourself to a specific chain will potentially cause issues in the future if we change our certificate chain.

Do you have any more details about the environment you're running in - OS, Python version, etc.?

Thanks.

Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-117-generic x86_64)
Python 3.6.8 (default, Oct 7 2019, 12:59:55)

Thanks @gts-work,

We've tested here, please can you run apt install ca-certificates which will fetch up-to-date root certificates for your machine, this should resolve the issue.

Thank you.

@geneticgenesis
I want to ask if it is possible to upload multiple video files at once?

Hey @gts-work,

Not currently, each video needs to be uploaded individually - product questions like this are best sent to the Mux team at help@mux.com.

Were you able to get the Python environment issues resolved?

Thanks!

No, I checked the certificate, it is valid, but I still get a certificate error. I made a fork and tuned it to the project.

Thanks, were you able to update the truststore on the machine you're running on as I suggested?

I checked the certificate, it is valid, but I still get a certificate error. I made a fork and tuned it to the project.

Which certificate did you check? The verification is against the Mux server side certificate, but you need valid root certificates on your local machine, which you don't appear to have.

Based on our testing, using apt install ca-certificates will provide updated certificates, resolving your issue. Did you try running this?

Yes, I did. On the server side, everything is fine. The certificate is physically on the server, but I still got an error.
I snatched the fork and adjusted it to my project. All right. I think the issue can be closed.

Thanks @gts-work.

I'm concerned there's an issue with your local python configuration as this wouldn't be happening otherwise.

You should never need to use a custom trust store or disable TLS verification to use mux-python on the configuration you've described. I do not recommend running with verify TLS disabled as there will be security implications, running in a fork will also make it harder for you to pull in updates to the library.

We've tested and verified this package works correctly on Ubuntu 18.04.3 LTS with Python 3.6.9, when using an up-to-date ca-certificates.

Please can you try removing the ssl_ca_cert configuration that you're using, and then try again with the updated CA certificates.

If this doesn't work, please can you post the output of the following command:

apt show ca-certificates

Package: ca-certificates
Version: 20210119~18.04.1
Priority: important
Section: misc
Origin: Ubuntu
Maintainer: Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com
Original-Maintainer: Michael Shuler michael@pbandjelly.org
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 390 kB
Depends: openssl (>= 1.1.0), debconf (>= 0.5) | debconf-2.0
Breaks: ca-certificates-java (<< 20121112+nmu1)
Enhances: openssl
Task: minimal
Supported: 5y
Download-Size: 147 kB
APT-Manual-Installed: yes
APT-Sources: http://mirrors.digitalocean.com/ubuntu bionic-updates/main amd64 Packages
Description: Common CA certificates
Contains the certificate authorities shipped with Mozilla's browser to allow
SSL-based applications to check for the authenticity of SSL connections.
.
Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system
administrator.

N: There is 1 additional record. Please use the '-a' switch to see it

Hey @gts-work,

Thanks, we've tested again and confirmed this package works correctly on Ubuntu 18.04.3 LTS with Python 3.6.9, when using an up-to-date ca-certificates. We've also tested a couple of containerised versions, which work correctly.

Can you try running the following command for me:

openssl s_client -connect api.mux.com:443 -verify_return_error -status </dev/null 2>&1

Thanks.

Hi @geneticgenesis, I am getting the exact same error and here is the result of running that command you shared.

`root@localhost:~/kivilcimyolla# openssl s_client -connect api.mux.com:443 -verify_return_error -status </dev/null 2>&1
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.mux.com
verify return:1
OCSP response: no response sent

Certificate chain
0 s:CN = api.mux.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3

Server certificate
subject=CN = api.mux.com

issuer=C = US, O = Let's Encrypt, CN = R3


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 5095 bytes and written 405 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 770C354D450405D7542F0FA558B998B77C4BD298A5B9F9D89A0774625076EDD4
Session-ID-ctx:
Master-Key: B3E93F26FB5312C9CAAE29A31110654FF01822178BADE7B4C1DA25AA82582E53AA56C6BC14B8D303D3D63A22DD4B4392
PSK identity: None
PSK identity hint: None
SRP username: None

Start Time: 1624553147
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

DONE
root@localhost:~/kivilcimyolla#
`

@geneticgenesis
That's what I got:

root@localhost:~# openssl s_client -connect api.mux.com:443 -verify_return_error -status </dev/null 2>&1

CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.mux.com
verify return:1
OCSP response: no response sent

Certificate chain
0 s:CN = api.mux.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3

Server certificate
subject=CN = api.mux.com

issuer=C = US, O = Let's Encrypt, CN = R3


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 5095 bytes and written 415 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 5091B28EA0BB317FC5EA95ADCAF57245ADA10EA89180FC27751D3278AEDD013A
Session-ID-ctx:
Master-Key: 876845FC3E2D048B120D4351BAB0016CEC0D761820FFE63A3DAB1F4AFA7B31291FD459D0BF293843947D86DA61F099BE
PSK identity: None
PSK identity hint: None
SRP username: None

Start Time: 1624558267
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

DONE

Hey @gts-work and @seckin

Thanks, that really helps. Your machine might have an outdated version of certifi, with a missing certificate.

Please can you run the following:

pip3 freeze | grep -i certi

And post the output here.

And then run:

pip3 install --upgrade certifi

And then test again?

Thanks!
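
An added example, not part of the original thread or of mux-python: the `openssl s_client` output above verifies against the system trust store, while the comment above suspects the Python side of using an outdated certifi bundle, so this checks each bundle for the root seen in the chain (ISRG Root X1). It assumes the Debian/Ubuntu bundle path `/etc/ssl/certs/ca-certificates.crt`; the function names are hypothetical.

```python
import ssl

# Assumed location: the Debian/Ubuntu bundle written by the ca-certificates package.
DEBIAN_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def ca_common_names(cafile):
    """Return the subject CNs of the CA certs in a PEM bundle, or None if unreadable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=str(cafile))
    except OSError:  # missing file, or ssl.SSLError for a file with no PEM certs
        return None
    names = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names


def candidate_bundles():
    """Map a label to each trust bundle a Python HTTPS client might use here."""
    bundles = {"system (ca-certificates)": DEBIAN_BUNDLE}
    default_cafile = ssl.get_default_verify_paths().cafile
    if default_cafile:
        bundles["OpenSSL default cafile"] = default_cafile
    try:
        import certifi  # third-party package; may not be installed
        bundles["certifi " + certifi.__version__] = certifi.where()
    except ImportError:
        pass
    return bundles


def root_presence(root_cn="ISRG Root X1"):
    """For each bundle: True/False if the root is present/absent, None if unreadable."""
    result = {}
    for label, path in candidate_bundles().items():
        names = ca_common_names(path)
        result[label] = None if names is None else root_cn in names
    return result


if __name__ == "__main__":
    for label, present in root_presence().items():
        print(f"{label}: {present}")
```

A `False` for the certifi entry next to a `True` for the system store would be consistent with the symptom reported here: `openssl s_client` verifies the chain while the Python client raises `certificate verify failed`.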

Inactive - closing

I think we need to re-open this - the action item should be for us to pin a more updated version of certifi in our dependencies.

It's hard to know what version that should be without input from the users who were having issues, but I think with a little research, we could come to an educated decision - it shouldn't be too hard to work out from what version of certifi the new style Let's Encrypt certificates started working.

Just as an FYI: I ended up hitting this on python:3.10.2-buster from dockerhub. After sufficient attempts to fix this I tried updating the container base to python:3.10.5-buster, which didn't have the issue.