SSLCertVerificationError on trying to get_certificate using aiohttp python package #34244
Comments
Thank you for the feedback @gsrikant7. We will investigate and get back to you asap.
Hi @gsrikant7, thank you for the details. When you say that the same code works when running locally on Windows, are you making requests to the same Key Vault as the vault being used in AKS? If you still see the same behavior, it's possible that the AKS cluster needs to update its certificates. I'm not familiar enough with AKS to give advice, but I did find this documentation that could be useful: https://learn.microsoft.com/azure/aks/certificate-rotation
Hi @gsrikant7. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@mccoyp Thanks for the quick turnaround. Yes, we are making calls to the same KV (same as the one used in AKS). We will test it with the synchronous Can you please also let us know what is the value for This will help in understanding SSL verification prior to
Hi @gsrikant7, thank you for your response -- please do update us when you try the synchronous client. My suspicion is that the AKS cluster has a client-side certificate issue that was being hidden by The value of The synchronous client will be unaffected by the state of
Hi @gsrikant7, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
Hi @mccoyp. Apologies for the delay in reply. We have now tried the synchronous This means that the issue is not with azure resource SDKs that we are using to connect to specific azure resources - but with So, we tried fixing the version of This leads us to believe that
@gsrikant7 Do you happen to remember the azure-core version when you moved from using aiohttp==3.9.0 to aiohttp==3.9.2 and the issue started to happen?
@xiangyan99 When we moved to use But we also tested it with
Hi @gsrikant7, thank you for the information. It would help to determine which package is introducing the issue by trying each combination of "old" and "new" versions for
@mccoyp Please find below the various configurations and their behavior -
Please let me know if you need more information.
Hi @gsrikant7, thank you for confirming the behavior! Since upgrading The Transport section of Core's client library developer documentation shows some different async transport options. To use

```python
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.certificates.aio import CertificateClient
from azure.core.pipeline.transport import TrioRequestsTransport

# VAULT_URL is the Key Vault's URL, defined elsewhere.
# The credential and the client are each given a TrioRequestsTransport.
credential = DefaultAzureCredential(transport=TrioRequestsTransport())
client = CertificateClient(VAULT_URL, credential, transport=TrioRequestsTransport())
```
Hi @mccoyp Apologies for the delay - we were busy with other items. I tried making these changes and found out that the changes are not trivial. Plus The use of a shim will also add performance overhead than the current system. Can you please let us know how to proceed here?
@mccoyp Can we also have someone from
Hi @gsrikant7, I understand that switching your system over to a different transport could take a good amount of work (and a full migration would be necessary, since mixing Is there any reason that pinning your
Hi, I face the same issue working with Azure key vault (aio) from python.
Hi @slenin, do you know which versions of
The aiohttp version is 3.9.0. azure-core==1.29.4, aiohttp==3.9.0 - Works
@slenin Thanks for reporting. It seems to me the issue you faced was different from the original one. In the original one: The difference between azure-core 1.29.4 & 1.29.5 is we enable ssl cert validation on aiohttp client since 1.29.5. And it seems to me you might not have a valid cert installed hence it failed to connect. To validate it, could you try sync version and see if it works?
And we already took the original one offline and I am closing the issue. @slenin please feel free to open a new one for your case and link to this one.
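The comments above point to a client-side certificate problem that surfaces once certificate validation is enabled on the aiohttp transport. As an added diagnostic (not part of the thread and not Azure SDK code), the following inspects the trust store that Python's `ssl.create_default_context()` loads, which is what a verifying aiohttp session relies on, and maps the `verify_code` of an `ssl.SSLCertVerificationError` to the check it suggests. The function names and hint texts are this example's own, and the sample error is constructed.

```python
import os
import ssl

# OpenSSL verify codes commonly seen when the client's trust setup is at fault.
VERIFY_HINTS = {
    9: "certificate not yet valid: check the container clock",
    10: "certificate expired: check the container clock and the served chain",
    18: "self-signed leaf certificate was presented: check what answered the handshake",
    19: "self-signed CA in chain: that CA is not in the local trust store",
    20: "issuer not found locally: CA bundle missing or stale in the image",
    62: "hostname mismatch: the connection reached a different endpoint",
}


def trust_store_report(environ=os.environ):
    """Describe the trust store ssl.create_default_context() will use."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    overrides = {}
    for name in (paths.openssl_cafile_env, paths.openssl_capath_env):
        if name in environ:
            # Record the value and whether it points at something that exists.
            overrides[name] = (environ[name], os.path.exists(environ[name]))
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "cafile": paths.cafile,  # None when the file is absent
        "capath": paths.capath,  # None when the directory is absent
        # Certificates in a capath directory load lazily, so 0 is not
        # conclusive when capath is set.
        "loaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
        "env_overrides": overrides,
    }


def explain_verify_error(exc):
    """Map an ssl.SSLCertVerificationError to a likely client-side cause."""
    code = getattr(exc, "verify_code", None)
    hint = VERIFY_HINTS.get(code, "see verify_message and the OpenSSL verify docs")
    return code, hint


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print(f"{key}: {value}")
    # Constructed error standing in for one caught from a failed request.
    sample = ssl.SSLCertVerificationError(1, "certificate verify failed")
    sample.verify_code = 20
    print(explain_verify_error(sample))
```

Run it inside the affected pod and on a machine where the async client works, then compare the two reports.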
Creating a bug similar to this issue. Please find below the details -
Describe the bug
We are trying to get certificate details using azure-keyvault-certificates:4.7.0 azure SDK that in turn uses aiohttp:3.9.2 as async transport. We are getting this error on an azure K8s cluster. The managed identity that we are using for the pod has Key Vault Certificates Officer IAM role assignment and also has the required access policies. We are getting the following error -
To Reproduce
Steps to reproduce the behavior -
Install azure-identity==1.13.0, azure-keyvault==4.2.0, azure-keyvault-certificates==4.7.0, and aiohttp==3.9.2 / 3.9.3
Expected behavior
get_certificate should return a KeyVaultCertificate object. Instead, we get the above error.
Additional Context