s4cmd icon indicating copy to clipboard operation
s4cmd copied to clipboard

Published 20 hours ago verified publisher icon bloomreach

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Open zelentsovl opened this issue 7 years ago • 3 comments

Hello, On CentOS 7.3 on attempt of any action getting: [Exception] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) [Thread Failure] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

zelentsovl avatar Oct 30 '17 14:10 zelentsovl

Can you please give a sample command which generates this? I am unable to reproduce this (though admittedly, I'm not running a CentOS system).

Which version of Python are you running? This might be a python 3 issue.

https://stackoverflow.com/questions/27835619/urllib-and-ssl-certificate-verify-failed-error lists a couple ways to get past the issue including setting the PYTHONHTTPSVERIFY=0 as an env variable as a temporary fix, but obviously we'd prefer to fix the root issue instead.

navinpai avatar May 21 '18 17:05 navinpai

I was also having this problem when using an S3 compatible system that has a certificate signed by a custom CA. I had already configured my centos:7.5.1804 to trust that CA using update-ca-trust. Both curl and java connect fine to the https endpoint.

Unfortunately python / requests does not use the operating system's CA bundle, by design: https://github.com/requests/requests/issues/2966 (omg).

Anyway just set the below REQUESTS_CA_BUNDLE environment variable.

# Centos/RHEL 7
test -z "${EXTRA_CA}" || { echo "${EXTRA_CA}" > /etc/pki/ca-trust/source/anchors/ca.cer && update-ca-trust || exit $? ; }
export REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

# Ubuntu / Debian(?)
test -z "${EXTRA_CA}" || { echo "${EXTRA_CA}" > /usr/local/share/ca-certificates/ca.crt && update-ca-certificates || exit $? ; }
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Now this should work if curl https://s3compatible.example.test validates
s4cmd --endpoint-url https://s3compatible.example.test mb s3://mybucket

jamshid avatar Jul 22 '18 04:07 jamshid

@zelentsovl Does this work for you? If it does, I'll go ahead and close this issue

@jamshid That's interesting behaviour... Personally didn't know about this either. Thanks for the solution!

navinpai avatar Aug 16 '18 13:08 navinpai