nautobot/nornir-nautobot

SSLError while connecting

Closed this issue · 5 comments

I am getting SSL: CERTIFICATE_VERIFY_FAILED, even though I am passing parameter

"ssl_verify": False

Code

```python
from nornir import InitNornir

# helper_update is the task function defined elsewhere in ip_helper.py (not shown in the issue).

if __name__ == "__main__":
    nr = InitNornir(
        inventory={
            "plugin": "NautobotInventory",
            "options": {
                "nautobot_url": "https://10.81.161.100/",
                "nautobot_token": "c6798e131be53ae38fd892fb6689144ca6d89c67",
                "ssl_verify": False,
            },
        },
        runner={
            "plugin": "threaded",
            "options": {'num_workers': 5},
        },
        logging={
            "enabled": False,
        },
    )

    results = nr.run(task=helper_update)
```

Output Error

```
(.venv) tkdebnath@ubuntu:~/EIP$ python ip_helper.py
Traceback (most recent call last):
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 715, in urlopen
    httplib_response = self._make_request(
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 404, in _make_request
    self._validate_conn(conn)
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1058, in _validate_conn
    conn.connect()
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 799, in urlopen
    retries = retries.increment(
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.81.161.100', port=443): Max retries exceeded with url: /api/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/tkdebnath/EIP/ip_helper.py", line 51, in <module>
    nr = InitNornir(
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/nornir/init_nornir.py", line 72, in InitNornir
    inventory=load_inventory(config),
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/nornir/init_nornir.py", line 20, in load_inventory
    inv = inventory_plugin(**config.inventory.options).load()
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/nornir_nautobot/plugins/inventory/nautobot.py", line 148, in load
    for device in self.devices:
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/nornir_nautobot/plugins/inventory/nautobot.py", line 127, in devices
    self._devices = self.pynautobot_obj.dcim.devices.all()
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/nornir_nautobot/plugins/inventory/nautobot.py", line 110, in pynautobot_obj
    self._pynautobot_obj = pynautobot.api(
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/pynautobot/core/api.py", line 116, in __init__
    self._validate_version()
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/pynautobot/core/api.py", line 120, in _validate_version
    api_version = self.version
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/pynautobot/core/api.py", line 145, in version
    ).get_version()
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/pynautobot/core/query.py", line 198, in get_version
    req = self.http_session.get(
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/requests/sessions.py", line 602, in get
    return self.request("GET", url, **kwargs)
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/home/tkdebnath/EIP/.venv/lib/python3.10/site-packages/requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.81.161.100', port=443): Max retries exceeded with url: /api/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)')))
(.venv) tkdebnath@ubuntu:~/EIP$
```

Modules installed

```
(.venv) tkdebnath@ubuntu:~/EIP$ pip freeze
anyio==4.1.0
bcrypt==4.1.1
certifi==2023.11.17
cffi==1.16.0
charset-normalizer==3.3.2
colorama==0.4.6
cryptography==41.0.7
exceptiongroup==1.2.0
future==0.18.3
h11==0.14.0
httpcore==0.17.3
httpx==0.24.1
idna==3.6
Jinja2==3.1.2
junos-eznc==2.6.8
lxml==4.9.3
MarkupSafe==2.1.3
mypy-extensions==1.0.0
napalm==4.1.0
ncclient==0.6.13
netaddr==0.9.0
netmiko==4.3.0
netutils==1.6.0
nornir==3.4.1
nornir-jinja2==0.2.0
nornir-napalm==0.4.0
nornir-nautobot==3.0.0
nornir-netmiko==1.0.1
nornir-utils==0.2.0
ntc_templates==4.0.1
packaging==23.2
paramiko==3.3.1
pycparser==2.21
pyeapi==1.0.2
PyNaCl==1.5.0
pynautobot==2.0.2
pyparsing==3.1.1
pyserial==3.5
PyYAML==6.0.1
requests==2.31.0
ruamel.yaml==0.18.5
ruamel.yaml.clib==0.2.8
scp==0.14.5
six==1.16.0
sniffio==1.3.0
textfsm==1.1.3
transitions==0.9.0
ttp==0.9.5
ttp-templates==0.3.5
typing_extensions==4.9.0
urllib3==1.26.18
yamlordereddictloader==0.4.2
```

I have the same issue

I have the same issue. Also, I don't understand why the verification fails; it shouldn't. The certificates for the signing CA and the Nautobot server are installed in the VM running the code. I also tried with ssl_verify = True and it still failed.
I have to say that urllib3 is up to v2.x, I believe, while this combination of packages only goes up to 1.26.18 (in case this poses an issue). Also, I am using this combination of packages in my latest tests (nornir-nautobot==3.1.0) and Python 3.12, although I started seeing the problem with Python 3.9.18:

asttokens==2.4.1
bcrypt==4.1.2
certifi==2024.2.2
cffi==1.16.0
charset-normalizer==3.3.2
colorama==0.4.6
cryptography==42.0.2
decorator==5.1.1
executing==2.0.1
fastjsonschema==2.19.1
future==0.18.3
h11==0.14.0
httpcore==0.17.3
httpx==0.24.1
idna==3.6
ipdb==0.13.13
ipython==8.21.0
jedi==0.19.1
Jinja2==3.1.3
junos-eznc==2.7.0
lxml==5.1.0
markdown-it-py==3.0.0
MarkupSafe==2.1.5
matplotlib-inline==0.1.6
mdurl==0.1.2
mypy-extensions==1.0.0
napalm==4.1.0
ncclient==0.6.15
netaddr==0.10.1
netmiko==4.3.0
netutils==1.6.0
nornir==3.4.1
nornir-jinja2==0.2.0
nornir-napalm==0.4.0
nornir-nautobot==3.1.0
nornir-netmiko==1.0.1
nornir-utils==0.2.0
ntc_templates==4.2.0
packaging==23.2
paramiko==3.4.0
parso==0.8.3
pexpect==4.9.0
prompt-toolkit==3.0.43
ptyprocess==0.7.0
pure-eval==0.2.2
pycparser==2.21
pyeapi==1.0.2
Pygments==2.17.2
pymsteams==0.2.2
PyNaCl==1.5.0
pynautobot==2.0.2
pyparsing==3.1.1
pyserial==3.5
PyYAML==6.0.1
requests==2.31.0
requests-toolbelt==1.0.0
rich==13.7.0
ruamel.yaml==0.18.5
ruamel.yaml.clib==0.2.8
scp==0.14.5
setuptools==69.0.3
six==1.16.0
sniffio==1.3.0
stack-data==0.6.3
textfsm==1.1.3
traitlets==5.14.1
transitions==0.9.0
ttp==0.9.5
ttp-templates==0.3.6
typing_extensions==4.9.0
urllib3==1.26.18
wcwidth==0.2.13
yamlordereddictloader==0.4.2

This looks to be related to a check that was added to pynautobot to check the version of Nautobot upon initialization. The previous behavior expected the SSL Verify status to be set after initialization. So we just need to move the SSL Verify portion into the initialization of the method.
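
The ordering problem described in the comment above, as an added example (not code from pynautobot or nornir-nautobot). `StubSession` and `StubApi` are hypothetical stand-ins for an HTTP session and an API client whose constructor performs a version check; the host name and version string are constructed.

```python
import ssl


class StubSession:
    """Constructed stand-in for an HTTP session facing a self-signed server."""

    def __init__(self):
        self.verify = True  # verification is on by default, as in requests.Session

    def get(self, url):
        # Simulated handshake: a self-signed certificate fails default verification.
        if self.verify is True:
            raise ssl.SSLCertVerificationError(
                "certificate verify failed: self-signed certificate"
            )
        return {"version": "2.0"}  # constructed response body


class StubApi:
    """Hypothetical client that checks the server version inside __init__."""

    def __init__(self, url, verify=True):
        self.http_session = StubSession()
        # The setting must be applied before the first request leaves the constructor.
        self.http_session.verify = verify
        self.version = self.http_session.get(url + "/api/")["version"]


def connect_verify_after_init(url, ssl_verify):
    """Old ordering: build the client, then set verify. The request already happened."""
    try:
        api = StubApi(url)
        api.http_session.verify = ssl_verify  # not reached when the handshake fails
        return "connected"
    except ssl.SSLCertVerificationError:
        return "CERTIFICATE_VERIFY_FAILED"


def connect_verify_at_init(url, ssl_verify):
    """Fixed ordering: hand the setting to the constructor."""
    try:
        StubApi(url, verify=ssl_verify)
        return "connected"
    except ssl.SSLCertVerificationError:
        return "CERTIFICATE_VERIFY_FAILED"
```
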

Thank you! Much appreciated!