Passing cert parameter gives SSL error
When using the client certificate downloaded as part of the client config zip file from the HashiCorp Cloud console and passing it to consul, I get an error:
import consul

host = "consul-cluster.consul.AAAAAAAA.aws.hashicorp.cloud"
token = "XXXXXX"
scheme = "https"
port = "443"
verify = True
cert = "/home/r2_user1/Downloads/consul/ca.pem"  # CA certificate from the HCP client config zip

print("consul host is ", host, token, port, scheme)
cc: consul.Consul = consul.Consul(host=host, token=token, port=port, scheme=scheme, cert=cert)
cc.kv.put('foo', 'bar')
Below is the SSL error encountered; without the cert parameter the calls work properly.
consul host is consul-cluster.consul.AAAAA.aws.hashicorp.cloud 69d69bed-f849-947d-f75c-a1edc16468e1 443 https
taking a lock <consul.std.Consul object at 0x7f8de4782950>
Traceback (most recent call last):
  File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connectionpool.py", line 706, in urlopen
    chunked=chunked,
  File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connection.py", line 421, in connect
    tls_in_tls=tls_in_tls,
  File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 397, in ssl_wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3932)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connectionpool.py", line 756, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='consul-cluster.consul.AAAAAAAA.aws.hashicorp.cloud', port=443): Max retries exceeded with url: /v1/kv/foo?token=XXXXXXXXXX (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:3932)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "../consul_lib/test_consul.py", line 27, in
Can confirm that I am seeing the same thing. Setting verify to False in the client configuration does resolve the issue - so it's something related to validating the CA. I have everything configured through environment variables and the consul CLI tool can interact with the cluster with no problems so this issue is somewhere on the Python side.
Dug through a ton of code/documentation since I was having issues not only with this library but also with the community Ansible module since it relies on it. In my case the problem was the verify parameter wants the path to the public CA certificate for validation. I was confused by this initially because the Ansible module passes True as the default value which made me assume this was a boolean parameter.
Once I set verify to the path to the CA certificate I was able to use the library as normal.
I filed a bug to fix the Ansible documentation. The documentation for this library isn't any better - it seems there need to be two parameters: one that actually determines if validation is performed and one that specifies the certificate to use for validation. It would also be helpful to use the default CONSUL_CACERT environment variable, as it appears that's not currently the case.
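As an added example (not code from the python-consul project or from anyone in this thread), here is a pre-flight check that maps Consul-style environment variables onto python-consul's `verify` and `cert` keywords and rejects the exact mix-up reported above, a CA file handed to `cert`, with a readable message before any connection is attempted. It assumes what the comment above describes: `verify` accepts either a boolean or the path to the CA bundle used to validate the server, while `cert` is the client certificate (plus its private key) for mutual TLS, which is why loading a CA file there fails inside `load_cert_chain`. CONSUL_CACERT is the variable mentioned above; CONSUL_CLIENT_CERT and CONSUL_CLIENT_KEY are the Consul CLI's mutual-TLS variables; the PEM file bodies in `demo()` are constructed placeholders, not real keys.

```python
"""Pre-flight check for python-consul TLS settings (added example, not library code)."""
import os
import re
import tempfile

# Matches a PEM block header such as "-----BEGIN CERTIFICATE-----"
# or "-----BEGIN RSA PRIVATE KEY-----" and captures the label.
PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def pem_block_types(path):
    """Return the set of PEM labels found in a file, e.g. {'CERTIFICATE', 'PRIVATE KEY'}."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return set(PEM_HEADER.findall(fh.read()))


def has_private_key(labels):
    """True if any block in the file is a private key (PRIVATE KEY, RSA PRIVATE KEY, ...)."""
    return any(label.endswith("PRIVATE KEY") for label in labels)


def build_tls_kwargs(env):
    """Map Consul-CLI-style environment variables onto python-consul's keywords.

    Assumed semantics (from the thread above):
      verify -> True/False, or the path of the CA bundle used to validate the server
      cert   -> the client certificate (with private key) for mutual TLS, or None
    Raises ValueError with a clear message instead of letting OpenSSL fail later
    with the opaque '[SSL] PEM lib' error.
    """
    ca = env.get("CONSUL_CACERT")
    client_cert = env.get("CONSUL_CLIENT_CERT")
    client_key = env.get("CONSUL_CLIENT_KEY")
    kwargs = {"verify": True, "cert": None}

    if ca:
        if "CERTIFICATE" not in pem_block_types(ca):
            raise ValueError(f"{ca}: no CERTIFICATE block, cannot serve as the CA bundle")
        kwargs["verify"] = ca  # a path here means: validate the server against this CA

    if client_cert:
        labels = pem_block_types(client_cert)
        if "CERTIFICATE" not in labels:
            raise ValueError(f"{client_cert}: no CERTIFICATE block")
        if client_key:
            if not has_private_key(pem_block_types(client_key)):
                raise ValueError(f"{client_key}: no PRIVATE KEY block")
            kwargs["cert"] = (client_cert, client_key)  # separate cert and key files
        elif has_private_key(labels):
            kwargs["cert"] = client_cert  # combined cert + key file
        else:
            raise ValueError(
                f"{client_cert}: certificate without a private key; this looks like a "
                "CA file, which belongs in CONSUL_CACERT (the verify parameter), not cert"
            )
    return kwargs


# Constructed placeholder PEM contents (base64 of plain text, not real key material).
FAKE_CA = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
)
FAKE_CLIENT = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END PRIVATE KEY-----\n"
)


def demo():
    """Show the working configuration next to the misconfiguration from the report."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_path = os.path.join(tmp, "ca.pem")
        client_path = os.path.join(tmp, "client.pem")
        with open(ca_path, "w") as fh:
            fh.write(FAKE_CA)
        with open(client_path, "w") as fh:
            fh.write(FAKE_CLIENT)

        # Correct: CA goes to verify, client cert+key goes to cert.
        # These would be passed as consul.Consul(host=..., token=..., scheme="https", **ok).
        ok = build_tls_kwargs({"CONSUL_CACERT": ca_path, "CONSUL_CLIENT_CERT": client_path})

        # The mistake from the report: the CA file offered as the client certificate.
        try:
            build_tls_kwargs({"CONSUL_CLIENT_CERT": ca_path})
            misuse = None
        except ValueError as exc:
            misuse = str(exc)

        return {
            "verify": os.path.basename(ok["verify"]),
            "cert": os.path.basename(ok["cert"]),
            "misuse_error": misuse,
        }


if __name__ == "__main__":
    print(demo())
```

The check only inspects PEM headers, so it cannot tell a valid key pair from a corrupt one; its job is to catch the role mix-up (CA file in the client-cert slot) early and name the parameter that should have received the file.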