planemo
no option to bypass ssl certificate : "certificate verify failed"
I'm using planemo to test some workflow on a galaxy instance.
I have no problems on a certified site (SSL certificate) but when I'm trying on a self-signed certified url, I'm having this error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='usegalaxy.ifb.local', port=443): Max retries exceeded with url: /api/workflows/upload?key=81c3b3... (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)'),))
Which is fine since it is not a valid SSL certificate. My question is: what can I do to bypass this SSL certificate check?
I added my self-signed SSL certificate locally with dpkg-reconfigure ca-certificates but still got the same error.
Is there something I can do to use planemo on an instance with a self-signed SSL certificate?
Hello
I will submit a PR for this today I think
I had the same problem, I was sending all my tests on the production server (which deserves a "real" certificate).
It works now, I've added a --trust option.
OK, I need to upgrade python from 3.5 to something above 3.6
and then I will need to submit a PR for galaxy as well, as most of the magic deals with interactor.py which is now in galaxy/tool_util/verify/interactor.py
https://github.com/galaxyproject/planemo/pull/1010
@davidchristiany @FredericBGA Can you try to install on your machine the CA certificate used to sign the SSL certificate and run the planemo test after executing export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt , as explained in https://stackoverflow.com/questions/42982143/python-requests-how-to-use-system-ca-certificates-debian-ubuntu ?
@nsoranzo @davidchristiany It seems to work. My server is a Red Hat. So I have worked in /etc/pki/tls/certs and the export is REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.trust.crt
Thank you @nsoranzo. A few months ago, I tried keytool -importcert -keystore /etc/pki/cacerts -file myCERT -storepass changeit without any success.
@FredericBGA Cool, happy it works! Should we close the various open issues and PRs? Or would you still like to have the PRs merged?
@nsoranzo it's up to you! Maybe the option in command line is fine if you cannot have root access and modify the trusted certificate? But it will not solve https://github.com/galaxyproject/galaxy/issues/9629 So if we can't find a way with the previous issue, I can close the PRs and the issue.
Sorry for the delay, I created /etc/ssl/certs/ca-certificates.crt and copied a certificate in it.
I then export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
But I still got the same error when running planemo test:
requests.exceptions.SSLError: HTTPSConnectionPool(host='usegalaxy.ifb.local', port=443): Max retries exceeded with url: /api/workflows/upload?key=74803a7f81ccfcb1663cffc17e7a3a17 (Caused by SSLError(SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590)'),))
This is an nginx SSL self-signed certificate
@davidchristiany Can you try with curl? Something like: curl --cacert /etc/ssl/certs/ca-certificates.crt https://usegalaxy.ifb.local. And maybe with the -v option.
You should get an HTML answer:
<html>
<head>
<title>302 Found</title>
</head>
<body>
<h1>302 Found</h1>
The resource was found at <a href="https://galaxydev/root/login?redirect=%2F">https://galaxydev/root/login?redirect=%2F</a>;
you should be redirected automatically.
</body>
</html>

* Rebuilt URL to: https://usegalaxy.ifb.local/
* Trying 192.168.103.105...
* TCP_NODELAY set
* Connected to usegalaxy.ifb.local (192.168.103.105) port 443 (#0)
* SSL: certificate verification failed (result: 5)
* Closing connection 0
curl: (51) SSL: certificate verification failed (result: 5)
I am supposed to put /etc/ssl/certs/ca-certificates.crt locally, right?
@davidchristiany For RedHat/Centos it's a different file, see https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-file-in-centos-7 for how to add your CA.
Then use export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt instead.
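The thread's working fix is to leave certificate verification on and point `requests` at a bundle that includes the private CA; the remaining confusion is which file `requests` actually reads and whether the CA really ended up in it. The script below is an added example written for this page (it is not planemo or Galaxy code) that mirrors the precedence `requests` applies (`REQUESTS_CA_BUNDLE`, then `CURL_CA_BUNDLE`, else its bundled certifi store), fingerprints the certificates in a bundle to confirm the CA is present, and reports whether the local Python/OpenSSL build can negotiate TLS 1.2, which is the usual reason a modern nginx answers with `tlsv1 alert protocol version`. The PEM blocks it feeds itself are constructed placeholders, not real X.509 certificates; on a real system you would pass your CA's `.crt` file instead.

```python
"""Diagnostics for the REQUESTS_CA_BUNDLE workaround (added example)."""
import base64
import hashlib
import os
import re
import ssl
import tempfile

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def resolve_ca_bundle(env=None):
    """Bundle path `requests` uses for verify=True: REQUESTS_CA_BUNDLE first,
    then CURL_CA_BUNDLE. None means its bundled certifi store, which never
    contains a private CA, so a self-signed server will always fail there."""
    env = os.environ if env is None else env
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or None


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every CERTIFICATE block, computed over the DER
    bytes so whitespace or header differences between copies do not matter."""
    fingerprints = []
    for body in PEM_CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def bundle_contains(bundle_pem, ca_pem):
    """True when every certificate in ca_pem is already present in bundle_pem."""
    have = set(pem_fingerprints(bundle_pem))
    want = pem_fingerprints(ca_pem)
    return bool(want) and all(fp in have for fp in want)


def diagnose(bundle_path, ca_pem):
    """What to check before re-running `planemo test`: does the bundle exist,
    how many certificates does it hold, and is the private CA among them."""
    report = {"path": bundle_path, "exists": False,
              "cert_count": 0, "contains_ca": False}
    if bundle_path and os.path.isfile(bundle_path):
        with open(bundle_path) as fh:
            bundle = fh.read()
        report["exists"] = True
        report["cert_count"] = len(pem_fingerprints(bundle))
        report["contains_ca"] = bundle_contains(bundle, ca_pem)
    return report


def tls_client_summary():
    """OpenSSL linked into this interpreter and whether TLS 1.2 is available.
    A client limited to TLS 1.0/1.1 receives 'tlsv1 alert protocol version'
    from servers that have disabled those versions, regardless of the CA."""
    return {"openssl": ssl.OPENSSL_VERSION,
            "tls12": bool(getattr(ssl, "HAS_TLSv1_2", False))}


def _constructed_pem(label):
    """Constructed PEM block for the demo: arbitrary bytes in PEM framing,
    NOT a real certificate. Real checks use the CA's actual .crt/.pem file."""
    body = base64.b64encode(("constructed " + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


CONSTRUCTED_CA = _constructed_pem("private CA")
CONSTRUCTED_OTHER = _constructed_pem("some public CA")
# A bundle that already held one CA and had the private CA appended to it.
CONSTRUCTED_BUNDLE = CONSTRUCTED_OTHER + CONSTRUCTED_CA


if __name__ == "__main__":
    # Write the constructed bundle to a temp file and point the env var at it,
    # the same way `export REQUESTS_CA_BUNDLE=...` does for a real bundle.
    with tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False) as tmp:
        tmp.write(CONSTRUCTED_BUNDLE)
    env = {"REQUESTS_CA_BUNDLE": tmp.name}
    print(diagnose(resolve_ca_bundle(env), CONSTRUCTED_CA))
    # The Red Hat path from the thread; reports exists=False on other systems.
    print(diagnose("/etc/pki/tls/certs/ca-bundle.crt", CONSTRUCTED_CA))
    print(tls_client_summary())
    os.unlink(tmp.name)
```

If `diagnose` reports `exists: True` but `contains_ca: False`, the bundle is the wrong file or the CA was appended somewhere else (the Debian and Red Hat paths in the thread differ); if it reports `contains_ca: True` and the error is still `TLSV1_ALERT_PROTOCOL_VERSION`, the CA is fine and the Python/OpenSSL build is the thing to upgrade.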