SSL: CERTIFICATE_VERIFY_FAILED Error #24
Comments
I have some vague recollection of this. I thought that I saw this and then ran the commands that were listed on the bottom of the bigpanda page:
That said, if this is what fixed it for me, I have no idea why. If anyone understands why this works we should add some documentation. If no one understands why it works, but it works, we should still add some documentation. |
This didn't work right out of the box for me locally, but I can debug more.
I had naively assumed that as the README mentions
that it wouldn't matter if the user was on CERN servers or not. Given that it wasn't clear to me that this might be a requirement, I can still open up a PR that adds a snippet on where |
It works fine on my laptop. I don't know what I ever did to make it work though. |
This is great to know though as it is a solid point for me to start debugging! :) @dguest This may be totally irrelevant, but can you tell me what version of |
If you want to bundle up your own ROOT CERT to figure this out temporarily: https://github.com/kratsg/stare#ssl ... however, I'd suggest first running |
On my mac:
on our institute's cluster:
I have no issues running @kratsg didn't you get this working in a docker image at some point? |
I guess it's a bit unfortunate if anyone ends up installing a docker image (which is 10,000 times larger than the The weird thing is that |
This line is needed -- and there is technically LCG middleware (https://github.com/kratsg/dockerimages/blob/master/pandamonium/Dockerfile#L12) -- since you need to download the CA certs in order to "trust CERN". |
Interesting, so I guess the reason it works on my laptop is that I (at some point) installed CERN's root certificate? |
yes |
There's probably enough information to figure out what is the minimum amount of software to get this to work, but as some self notes for later. I can see that
though looking at the EMI
which kinda makes sense with what @kratsg has: https://github.com/kratsg/dockerimages/blob/b346d600671ba342fdce66fe4432930fd1b2ee11/pandamonium/Dockerfile#L8-L9 |
Comments from @kratsg:
|
From @tmaeno (a
(Aside: |
I think there's some confusion about "minimum requirement":
Just to give a basic example, this returns something from the command line on my mac:
|
You apparently have certificates installed on your Mac then as on my machine
same in a Docker image
|
and oddly, this script doesn't work for me:
it throws the same error
|
@matthewfeickert, I see this when I ask curl for more info
|
@dguest Yeah, and in line with @kratsg's Docker image I see that the first roadblock that is hit on my machine is the
|
OK, well I have a CERN root certificate installed in my keychain, I'm guessing (but it's a wild guess) that curl is somehow accessing it. And I guess python is (sometimes) also accessing it. There's probably some way to configure this on any machine, but I'd have to learn more about certificates... |
Can you check if |
@kratsg I've already tried this in the past and it fails. As an example again though:
|
Just checked bigpanda's cert chain: https://www.digicert.com/help/ The main reason is because the CERN CA is not a ROOT trusted authority (which is the fundamental issue anyway). In fact, bigpanda didn't switch their certificate yet to Sectigo RSA Organization which CERN switched to about a year or so ago... I'll ping IT. |
As someone commented on the above ticket, the certificate issue seems solved. And when I run |
Yup!
@dguest This means this Issue can get closed and we can move on PR #29! |
If a user clones `pandamonium` and then from the repo runs
they will get the following error:
This can be replicated in the `python:2.7` Docker image
I haven't properly tried to debug this yet, so it may be some silly dependency on `openssl` that just needs to be specified in the docs.
For reference, the `python` Docker images are built on Debian:
This doesn't seem to be a Linux issue though, as it also happens with macOS VMs in CI.