
I'm getting SSL certificate failures in my Python 3.6 scripts that are running on OS X. It is my understanding that installing the certifi module is supposed to get rid of these failures, but it hasn't. This is the output of the failing script:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 329, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='34.203.232.192', port=2376): Max retries exceeded with url: /v1.35/containers/json?limit=-1&all=1&size=0&trunc_cmd=0 (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/csimmons/Documents/repos/onedoclily2/server/dlserver/configure/GetDynamoInstance.py", line 137, in <module>
    sys.exit(main())
  File "/Users/csimmons/Documents/repos/onedoclily2/server/dlserver/configure/GetDynamoInstance.py", line 95, in main
    containers = get_containers(client, container_name)
  File "/Users/csimmons/Documents/repos/onedoclily2/server/dlserver/configure/GetDynamoInstance.py", line 30, in get_containers
    all_containers = client.containers.list(all=True)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/docker/models/containers.py", line 895, in list
    since=since)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/docker/api/container.py", line 204, in containers
    res = self._result(self._get(u, params=params), True)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/docker/utils/decorators.py", line 46, in inner
    return f(self, *args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/docker/api/client.py", line 194, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/requests/sessions.py", line 521, in get
    return self.request('GET', url, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='34.203.232.192', port=2376): Max retries exceeded with url: /v1.35/containers/json?limit=-1&all=1&size=0&trunc_cmd=0 (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)'),))

This, I believe, shows that certifi is installed:

$ /Library/Frameworks/Python.framework/Versions/3.6/bin/python3 -m pip install certifi
Requirement already satisfied: certifi in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages
  • To be valid, an HTTPS cert must be signed (usually indirectly) by a trusted CA (and not expired or revoked) AND be for a server name that matches the name in the URL. The CA certs in certifi address only the first of these. Is the server's cert actually for `34.203.232.192`? – dave_thompson_085 Apr 11 '18 at 07:05
  • @dave_thompson_085 You were right; the problem was with that server's certificate. The problem went away after I created a new one. – Christopher Simmons Apr 13 '18 at 20:12
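
The second condition named in the comment above (the certificate must be for the name in the URL), as an added example that is not part of the original post: a client that connects by IP address only matches `IP Address` subjectAltName entries, so a certificate carrying DNS names alone fails no matter which CA bundle is installed. The function names and the sample certificates are constructed for illustration; the dicts follow the shape returned by `SSLSocket.getpeercert()`.

```python
import ipaddress

def _dns_match(pattern, host):
    """Match one DNS SAN; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice in this sketch: refuse wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_name(cert, target):
    """Return (ok, reason) for target against a getpeercert()-style dict.

    commonName fallback is not implemented in this sketch.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal may only match 'IP Address' entries, never DNS entries.
        ips = [v.strip() for k, v in sans if k == "IP Address"]
        for v in ips:
            if ipaddress.ip_address(v) == ip:
                return True, "matched IP SAN " + v
        return False, "no IP SAN for %s (IP SANs: %s)" % (target, ips or "none")
    names = [v for k, v in sans if k == "DNS"]
    for v in names:
        if _dns_match(v, target):
            return True, "matched DNS SAN " + v
    return False, "no DNS SAN for %s (DNS SANs: %s)" % (target, names or "none")

# Constructed samples (not the certificate from the question).
DNS_ONLY = {"subjectAltName": (("DNS", "docker.example.test"),)}
WITH_IP = {"subjectAltName": (("DNS", "docker.example.test"),
                              ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for label, cert in (("DNS_ONLY", DNS_ONLY), ("WITH_IP", WITH_IP)):
        for target in ("docker.example.test", "192.0.2.10"):
            print(label, target, check_name(cert, target))
```
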

1 Answer


Python can't connect because after version 3.6 it has no certificates installed by default. You need to install the certificates on OS X, macOS High Sierra and macOS Mojave, with the following command; I guess it is the same process for 3.7:

/Applications/Python\ 3.6/Install\ Certificates.command

Check: https://www.python.org/downloads/release/python-360/