
windowsservercore: urllib SSL errors

Open lazka opened this issue 7 years ago • 16 comments

I can't get SSL to work in the container, any ideas welcome:

docker run -it python:3.7.1-windowsservercore
>>> import urllib.request; urllib.request.urlopen("https://letsencrypt.org/")
Traceback (most recent call last):
  File "C:\Python\lib\urllib\request.py", line 1317, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "C:\Python\lib\http\client.py", line 1229, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Python\lib\http\client.py", line 1275, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Python\lib\http\client.py", line 1224, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Python\lib\http\client.py", line 1016, in _send_output
    self.send(msg)
  File "C:\Python\lib\http\client.py", line 956, in send
    self.connect()
  File "C:\Python\lib\http\client.py", line 1392, in connect
    server_hostname=server_hostname)
  File "C:\Python\lib\ssl.py", line 412, in wrap_socket
    session=session
  File "C:\Python\lib\ssl.py", line 853, in _create
    self.do_handshake()
  File "C:\Python\lib\ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1051)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Python\lib\urllib\request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python\lib\urllib\request.py", line 525, in open
    response = self._open(req, data)
  File "C:\Python\lib\urllib\request.py", line 543, in _open
    '_open', req)
  File "C:\Python\lib\urllib\request.py", line 503, in _call_chain
    result = func(*args)
  File "C:\Python\lib\urllib\request.py", line 1360, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "C:\Python\lib\urllib\request.py", line 1319, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1051)>
>>>

lazka avatar Dec 04 '18 15:12 lazka

I've verified that this is indeed an issue, but I've no idea where to turn to figure out what's going on. :disappointed:

tianon avatar Dec 31 '18 23:12 tianon

Thanks for checking. Yeah, information about this seems sparse.

One workaround (for users) would be to pip install certifi and set the SSL_CERT_FILE env var to the contained cacert.pem

lazka avatar Dec 31 '18 23:12 lazka

As another data point, whether the error drops seems to depend on the site you're trying to hit; for example, doing urllib.request.urlopen("https://bootstrap.pypa.io/get-pip.py"), I do not get an error. :man_shrugging:

tianon avatar Jan 03 '19 01:01 tianon

I have the same issue, maybe this should be forwarded to the Python people?

mika-fischer avatar Feb 27 '19 14:02 mika-fischer

Has anyone been able to reproduce outside the minimal Docker environment Microsoft provides? The most likely culprit is something the image is missing that a normal install isn't.

(I'm not aware of anyone having filed anything upstream yet, but it's worth a search before doing so.)

tianon avatar Feb 27 '19 14:02 tianon

Well I have the issue also with mcr.microsoft.com/windows which is not so minimal anymore. Not sure what else to test.

I'll have a look and file a bug on the Python tracker.

mika-fischer avatar Feb 27 '19 14:02 mika-fischer

Created https://bugs.python.org/issue36137

mika-fischer avatar Feb 27 '19 14:02 mika-fischer

As a (limited) workaround, maybe this can be added to the images:

certutil -generateSSTFromWU roots.sst && certutil -addstore -f root roots.sst && del roots.sst

But this really needs to be fixed in Python...

mika-fischer avatar Feb 28 '19 06:02 mika-fischer
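
An added diagnostic, not part of the thread or of the image's own code: it reports which trust anchors Python's default TLS context actually loaded, so the effect of either workaround above (`SSL_CERT_FILE` pointing at certifi's `cacert.pem`, or importing roots with `certutil`) can be checked while certificate verification stays enabled. The function names are illustrative; only standard-library `ssl` calls are used.

```python
import os
import ssl
import sys

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU OID for TLS server authentication


def windows_root_count():
    """Count ROOT-store certificates trusted for TLS server auth.

    Returns None on non-Windows platforms, where ssl.enum_certificates
    does not exist.
    """
    if sys.platform != "win32":
        return None
    count = 0
    for _der, encoding, trust in ssl.enum_certificates("ROOT"):
        # trust is True (all purposes) or a set of allowed EKU OIDs
        if encoding == "x509_asn" and (trust is True or SERVER_AUTH_OID in trust):
            count += 1
    return count


def trust_report():
    """Summarise where the default verifying context gets its CA certificates."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # verification and hostname check stay on
    return {
        # Value of SSL_CERT_FILE, if the certifi workaround set it
        "ssl_cert_file_env": os.environ.get(paths.openssl_cafile_env),
        # Bundle file OpenSSL will read (None if the file does not exist)
        "cafile_in_use": paths.cafile,
        "capath_in_use": paths.capath,
        # CA certificates already loaded into this context
        "loaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
        # Windows system ROOT store entries usable for server auth
        "windows_root_certs": windows_root_count(),
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for key, value in trust_report().items():
        print(f"{key}: {value}")
```

Comparing the output before and after a workaround shows whether it took effect: `cafile_in_use` for the `SSL_CERT_FILE` route, `windows_root_certs` and `loaded_ca_certs` for the `certutil` route.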

What is the solution to this?

SnehashishGiri avatar Apr 18 '20 12:04 SnehashishGiri

As a (limited) workaround, maybe this can be added to the images:

certutil -generateSSTFromWU roots.sst && certutil -addstore -f root roots.sst && del roots.sst

But this really needs to be fixed in Python...

I am not getting the solution. Can you please elaborate?

SnehashishGiri avatar Apr 18 '20 12:04 SnehashishGiri

As a (limited) workaround, maybe this can be added to the images:

certutil -generateSSTFromWU roots.sst && certutil -addstore -f root roots.sst && del roots.sst

But this really needs to be fixed in Python...

How do I add this into my Docker image?

SnehashishGiri avatar Apr 18 '20 12:04 SnehashishGiri

In your Dockerfile:

RUN certutil -generateSSTFromWU roots.sst && certutil -addstore -f root roots.sst && del roots.sst

tianon avatar Apr 20 '20 18:04 tianon

Looks like the latest on this is in https://bugs.python.org/issue36011 (and that it's still a problem :disappointed:).

tianon avatar Jun 08 '22 18:06 tianon