
help(SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)

Open newctech opened this issue 5 years ago • 6 comments

Traceback (most recent call last):
  File "", line 1, in
  File "/usr/lib/python3.6/site-packages/pykube/query.py", line 182, in iter
    return iter(self.query_cache["objects"])
  File "/usr/lib/python3.6/site-packages/pykube/query.py", line 172, in query_cache
    cache["response"] = self.execute().json()
  File "/usr/lib/python3.6/site-packages/pykube/query.py", line 148, in execute
    r = self.api.get(**kwargs)
  File "/usr/lib/python3.6/site-packages/pykube/http.py", line 269, in get
    return self.session.get(*args, **self.get_kwargs(**kwargs))
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 546, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/pykube/http.py", line 135, in send
    response = self._do_send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='39.107.214.209', port=6443): Max retries exceeded with url: /api/v1/namespaces/default/pods (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

newctech, Aug 20 '19 06:08

Can you tell us a bit more about your setup? What is your configuration to connect to the cluster (KubeConfig I suppose)?

hjacobs, Aug 20 '19 07:08

Running into the same problem when running in cluster using a service account: libssl rejects the API server's certificate for a reason I haven't figured out yet. On the other hand, in the same pod, kubectl just works flawlessly with the given certificate chain / service account.

Maybe openssl s_client -showcerts -connect $KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT -CAfile /run/secrets/kubernetes.io/serviceaccount/ca.crt gives some insights.

twz123, Sep 03 '19 12:09

@twz123 I recently had the same issue with a service account and self-signed certificates, but with an older version: pykube==0.15.0 and requests==2.22.0. The problem was with how pykube makes a request.Session: in requests==2.22.0 the Session() object has, by default, a parameter trust_env = True, which forces any request to use only environment certificates, which breaks everything (even when you specify the verify parameter in Session()). Maybe it will lead you to something useful.

korcky, Oct 11 '19 17:10

I recently had a similar issue when trying out 'kube-web-view', and ended up editing session.verify to be False all over the codebase, which got it working.

zoidyzoidzoid, Nov 01 '19 12:11
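How requests resolves `verify` in the situation discussed in the two comments above, as an added example that is not part of the thread or of pykube's code: it calls `Session.merge_environment_settings` offline to show which CA setting wins, and builds a session that pins the service-account CA while certificate verification stays on. `ENV_BUNDLE`, `URL` and the helper names are constructed for illustration; only the `ca.crt` path comes from the thread.

```python
import os
from unittest import mock

import requests

# Path quoted in the thread; the file is never opened here.
SA_CA = "/run/secrets/kubernetes.io/serviceaccount/ca.crt"
# Constructed sample value standing in for a CA bundle set via the environment.
ENV_BUNDLE = "/constructed/env-ca-bundle.pem"
# Assumed in-cluster API URL, used only for settings resolution (no network I/O).
URL = "https://kubernetes.default.svc/api/v1/namespaces/default/pods"


def effective_verify(session, request_verify=None, env_bundle=None):
    """Return the `verify` value requests would hand to the transport adapter."""
    with mock.patch.dict(os.environ):  # environment is restored on exit
        for name in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
            os.environ.pop(name, None)
        if env_bundle is not None:
            os.environ["REQUESTS_CA_BUNDLE"] = env_bundle
        settings = session.merge_environment_settings(
            URL, {}, None, request_verify, None
        )
    return settings["verify"]


def pinned_session(ca_path=SA_CA):
    """Session that keeps verification on and ignores environment CA bundles."""
    s = requests.Session()
    s.trust_env = False  # also disables env proxies and .netrc lookup
    s.verify = ca_path
    return s


def demo():
    default = requests.Session()
    default.verify = SA_CA  # session-level CA, trust_env left at its default (True)
    return {
        "session_verify_no_env": effective_verify(default),
        "session_verify_with_env": effective_verify(default, env_bundle=ENV_BUNDLE),
        "per_request_with_env": effective_verify(default, SA_CA, ENV_BUNDLE),
        "pinned_with_env": effective_verify(pinned_session(), env_bundle=ENV_BUNDLE),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:26} -> {value}")
```

Running `env | grep -i -E 'ca_bundle|ssl_cert'` inside the pod shows whether such an environment bundle is set at all.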

@korcky @zoidbergwill do you mind doing a PR with a proper fix?

hjacobs, Nov 01 '19 15:11

I could try this weekend, but I'm not quite familiar with this version of pykube (I only worked with the previous version, which is archived by now).

korcky, Nov 01 '19 16:11