This is a test in my CI pipeline that began failing in the last 3 months.
I've checked and double-checked that the certificate is good. Here is the result of openssl x509 -text -noout -in the-cert.crt:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <redacted>
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = 172.17.0.2
        Validity
            Not Before: Jul 19 16:51:57 2023 GMT
            Not After : Jul 18 16:51:57 2024 GMT
        Subject: CN = 172.17.0.2
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    <redacted>
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                <redacted>
            X509v3 Authority Key Identifier:
                <redacted>
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        <redacted>
I need the following to pass:
res2 = requests.get('http://172.17.0.2/index.html', timeout=15, verify="/home/mrx/appx/the-cert.crt")
Instead I get the error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='172.17.0.2', port=443): Max retries exceeded with url: /index.html (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '172.17.0.2'. (_ssl.c:997)")))
Port 443 was bugging me. It doesn't change if I specify "https" but obviously I had port 80 being forwarded to 443 in my server configuration.
This works from the shell:
curl https://172.17.0.2/index.html --cacert the-cert.crt
The plain http version returns a 301 redirect. If I comment out the listen 443 in the server block, everything (including the request) works, but that distorts the original test.
Any ideas for a neat (other than try-catch-branch) fix?
requests 2.31.0, Python 3.10.6 (Ubuntu 22.04)
I tried running nginx on Debian from 2022, bullseye-slim, right up to current bookworm. Bookworm provided nginx 1.22.1.
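An added example, not part of the question, that reproduces the "IP address mismatch" with OpenSSL's own identity check and contrasts it with a certificate that carries the IP in a subjectAltName, the only place OpenSSL-based clients such as Python's ssl module look for an IP identity (the CN is not consulted for IP addresses). It assumes the openssl CLI (1.1.1 or newer, for -addext) is installed and reuses the question's address 172.17.0.2 for the constructed certificates.

```shell
#!/bin/sh
# Added example (not from the question): contrast a CN-only certificate with one
# that carries the IP in a subjectAltName, using the question's address.
# Assumes the openssl CLI, 1.1.1 or newer (needed for -addext).
set -eu

WORK=$(mktemp -d)

# Self-signed EC P-256 certificate with the identity only in the CN, the same
# profile as the certificate shown in the question. Prints the cert path.
make_cn_only_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/cn.key" -out "$WORK/cn.crt" -days 365 \
    -subj "/CN=$1" 2>/dev/null
  echo "$WORK/cn.crt"
}

# Same profile, plus a subjectAltName iPAddress entry for the same address,
# which is what OpenSSL-based clients (Python's ssl module included) match.
make_san_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/san.key" -out "$WORK/san.crt" -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=IP:$1" 2>/dev/null
  echo "$WORK/san.crt"
}

# Succeeds (exit 0) only when certificate $1 lists $2 as an iPAddress SAN.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "IP Address:$2"
}

# Ask OpenSSL the same question Python asks: trusted chain AND identity for IP $2.
# For a CN-only cert this fails with "IP address mismatch", as in the question.
verify_for_ip() {
  openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Demo: the CN-only certificate is rejected, the SAN certificate accepted.
for cert in "$(make_cn_only_cert 172.17.0.2)" "$(make_san_cert 172.17.0.2)"; do
  if verify_for_ip "$cert" 172.17.0.2; then
    echo "$cert: valid for 172.17.0.2"
  else
    echo "$cert: IP address mismatch"
  fi
done
```

curl's own matcher falls back to the CN when a certificate has no subjectAltName at all, which is why the curl command in the question succeeds while OpenSSL's check (and therefore Python's) rejects the same certificate.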