Created on 2016-09-15 15:47 by Matt Wright, last changed 2016-09-15 16:02 by Matt Wright. This issue is now closed.
| Messages (3) | |||
|---|---|---|---|
| msg276567 - (view) | Author: Matt Wright (Matt Wright) | Date: 2016-09-15 15:47 | |
I'm experiencing a strange error when connecting to a web server with a self signed certificate. I've added the Root and Intermediate certs to the system CA bundle, and can `curl` against the server without any errors or using the `k` flag. But Python (via requests) raises an error that I can't seem to figure out at all with the `peer_certificate` method. Below you'll find the specific error:
```
import requests
requests.get('https://localhost:9200/_cluster/health', verify='/etc/ssl/certs/ca-certificates.crt')
Traceback (most recent call last):
File "test.py", line 2, in <module>
requests.get('https://localhost:9200/_cluster/health', verify='/etc/ssl/certs/ca-certificates.crt')
File "/usr/lib/python3/dist-packages/requests/api.py", line 67, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
body=body, headers=headers)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 259, in connect
cert = self.sock.getpeercert()
File "/usr/lib/python3.5/ssl.py", line 818, in getpeercert
return self._sslobj.getpeercert(binary_form)
File "/usr/lib/python3.5/ssl.py", line 595, in getpeercert
return self._sslobj.peer_certificate(binary_form)
SystemError: <built-in method peer_certificate of _ssl._SSLSocket object at 0x7f98ac154858> returned NULL without setting an error
```
|
|||
| msg276570 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2016-09-15 15:54 | |
Do you happen to talk to an ElasticSearch cluster with a GEN_RID in the subject alternative name field? It's a known bug in Python's ssl code. The fix #27691 will be in the next releases of 2.7 and 3.5. In the mean time you can work around the bug by reconfiguring your ES cluster and application. You have to use different certs for node <-> client and node <-> node communication. OID 1.2.3.4.5.5 should only be in the cluster communication certs. https://github.com/floragunncom/search-guard-docs/blob/1a35ec309661f7b8fb1efc2586fc298dcb7cb139/installation.md#generating-a-server-certificate |
|||
| msg276571 - (view) | Author: Matt Wright (Matt Wright) | Date: 2016-09-15 16:02 | |
Ahh! Thanks much! |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2016-09-15 16:02:41 | Matt Wright | set | messages: + msg276571 |
| 2016-09-15 15:54:28 | christian.heimes | set | status: open -> closed superseder: X509 cert with GEN_RID subject alt name causes SytemError messages: + msg276570 resolution: duplicate stage: resolved |
| 2016-09-15 15:47:27 | Matt Wright | create | |