Issue28170
Created on 2016-09-15 15:47 by Matt Wright, last changed 2016-09-15 16:02 by Matt Wright. This issue is now closed.
Messages (3)

msg276567 - Author: Matt Wright (Matt Wright) - Date: 2016-09-15 15:47

I'm experiencing a strange error when connecting to a web server with a self-signed certificate. I've added the Root and Intermediate certs to the system CA bundle, and can `curl` against the server without any errors or using the `k` flag. But Python (via requests) raises an error that I can't seem to figure out at all with the `peer_certificate` method. Below you'll find the specific error:

```
import requests
requests.get('https://localhost:9200/_cluster/health', verify='/etc/ssl/certs/ca-certificates.crt')

Traceback (most recent call last):
  File "test.py", line 2, in <module>
    requests.get('https://localhost:9200/_cluster/health', verify='/etc/ssl/certs/ca-certificates.crt')
  File "/usr/lib/python3/dist-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 259, in connect
    cert = self.sock.getpeercert()
  File "/usr/lib/python3.5/ssl.py", line 818, in getpeercert
    return self._sslobj.getpeercert(binary_form)
  File "/usr/lib/python3.5/ssl.py", line 595, in getpeercert
    return self._sslobj.peer_certificate(binary_form)
SystemError: <built-in method peer_certificate of _ssl._SSLSocket object at 0x7f98ac154858> returned NULL without setting an error
```
msg276570 - Author: Christian Heimes (christian.heimes) - Date: 2016-09-15 15:54

Do you happen to talk to an ElasticSearch cluster with a GEN_RID in the subject alternative name field? It's a known bug in Python's ssl code. The fix #27691 will be in the next releases of 2.7 and 3.5. In the meantime you can work around the bug by reconfiguring your ES cluster and application. You have to use different certs for node <-> client and node <-> node communication. OID 1.2.3.4.5.5 should only be in the cluster communication certs. https://github.com/floragunncom/search-guard-docs/blob/1a35ec309661f7b8fb1efc2586fc298dcb7cb139/installation.md#generating-a-server-certificate
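The workaround above hinges on knowing which of your certificates carry a registeredID (GEN_RID, context tag [8]) entry in subjectAltName. The following is an added example, not part of this issue or of CPython's `_ssl` code: a pure-stdlib DER walker that lists the GeneralName entries of a subjectAltName extension value and flags the registeredID ones, so a deployer can check a client-facing cert before it ever reaches `getpeercert()`. It assumes the extension value (the contents of the OCTET STRING for OID 2.5.29.17) has already been extracted; `SAMPLE_SAN` is a constructed stand-in built by hand and the OID 1.2.3.4.5.5 in it is the one named in msg276570.

```python
"""List subjectAltName GeneralName entries from DER and flag registeredID.

Added example (not CPython's or Search Guard's code). Input is the DER
value of the subjectAltName extension: SEQUENCE OF GeneralName, RFC 5280
section 4.2.1.6.
"""
from typing import List, Tuple

# GeneralName CHOICE alternatives, indexed by context-specific tag number
GENERAL_NAME_TAGS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value starting at pos.

    Returns (tag byte, value bytes, position after the element).
    Handles short and long-form lengths; rejects truncated input.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(raw: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    if not raw:
        raise ValueError("empty OID")
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc, pending = 0, False
    for b in raw[1:]:                      # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("malformed OID: unterminated arc")
    return ".".join(str(a) for a in arcs)


def parse_general_names(san_der: bytes) -> List[Tuple[str, str]]:
    """Return [(kind, printable value), ...] for each GeneralName in the SAN."""
    tag, body, end = _read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("expected exactly one SEQUENCE")
    names: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:             # must be context-specific [n]
            raise ValueError("expected a context-specific GeneralName tag")
        kind = GENERAL_NAME_TAGS.get(tag & 0x1F, "unknown[%d]" % (tag & 0x1F))
        if kind in ("rfc822Name", "dNSName", "uniformResourceIdentifier"):
            text = value.decode("ascii")
        elif kind == "iPAddress" and len(value) == 4:
            text = ".".join(str(b) for b in value)
        elif kind == "registeredID":
            text = decode_oid(value)
        else:                               # constructed or unusual kinds: raw hex
            text = value.hex()
        names.append((kind, text))
    return names


def registered_ids(san_der: bytes) -> List[str]:
    """The registeredID (GEN_RID) OIDs present in a SAN value; empty is good."""
    return [v for k, v in parse_general_names(san_der) if k == "registeredID"]


# Constructed sample SAN value (hand-encoded DER, not taken from a real cert):
#   dNSName "localhost", iPAddress 127.0.0.1, registeredID 1.2.3.4.5.5
SAMPLE_SAN = bytes.fromhex(
    "3018"                                  # SEQUENCE, 24 bytes
    + "8209" + b"localhost".hex()           # [2] dNSName
    + "8704" + "7f000001"                   # [7] iPAddress 127.0.0.1
    + "8805" + "2a03040505"                 # [8] registeredID 1.2.3.4.5.5
)

if __name__ == "__main__":
    for kind, text in parse_general_names(SAMPLE_SAN):
        print("%-26s %s" % (kind, text))
    rids = registered_ids(SAMPLE_SAN)
    if rids:
        print("registeredID present (%s): keep this cert off the client path" % ", ".join(rids))
```

Point `parse_general_names` at the extension value of any cert you are about to hand to Python clients; a non-empty `registered_ids` result means that cert belongs in the node-to-node set only, per the workaround above. The OID decoder is general, so the check works for any registeredID, not just 1.2.3.4.5.5.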
msg276571 - Author: Matt Wright (Matt Wright) - Date: 2016-09-15 16:02

Ahh! Thanks much!
History

| Date | User | Action | Args |
|---|---|---|---|
| 2016-09-15 16:02:41 | Matt Wright | set | messages: + msg276571 |
| 2016-09-15 15:54:28 | christian.heimes | set | status: open -> closed; superseder: X509 cert with GEN_RID subject alt name causes SytemError; messages: + msg276570; resolution: duplicate; stage: resolved |
| 2016-09-15 15:47:27 | Matt Wright | create | |