CLNRest: certificate verify failed: unable to get local issuer certificate (_ssl.c:1007) #6938

Open
BTCBellyButton opened this issue Dec 12, 2023 · 3 comments

Comments

@BTCBellyButton

BTCBellyButton commented Dec 12, 2023

Issue and Steps to Reproduce

I am experimenting with the new clnrest plugin in CLN version 28.11.
The simple 1st goal is to connect to my node (@ 10.0.0.25) from a different machine (@10.0.0.21) on my LAN. The port 3010 is open on the CLN machine.

Not really an expert here so I probably messed up somewhere...
Anyway.

In my configuration file I have:

#Plugins
clnrest-port=3010
clnrest-host=0.0.0.0
clnrest-certs=/home/go/.lightning
#disable-plugin=clnrest.py
plugin=/home/go/c-lightning-REST/clrest.js
rest-port=3001

Log after restarting via systemctl:

2023-12-12T21:35:14.454Z INFO    lightningd: 23.11
2023-12-12T21:35:20.928Z INFO    plugin-bcli: bitcoin-cli initialized and connected to bitcoind.
2023-12-12T21:35:31.255Z INFO    plugin-circular: node.go:111 setOptions: initializing node
2023-12-12T21:35:31.331Z INFO    plugin-clnrest.py: REST server running at https://0.0.0.0:3010
2023-12-12T21:35:32.084Z UNUSUAL plugin-clrest.js: --- Starting the cl-rest server ---
2023-12-12T21:35:32.108Z UNUSUAL plugin-clrest.js: --- cl-rest api server is ready and listening on :::3001 ---
2023-12-12T21:35:32.108Z UNUSUAL plugin-clrest.js: --- cl-rest doc server is ready and listening on :::4001 ---
2023-12-12T21:35:33.179Z INFO    plugin-circular: file.go:41 LoadGraphFromFile: graph loaded successfully
2023-12-12T21:35:33.179Z INFO    plugin-circular: cron.go:46 refreshGraph: refreshing graph
2023-12-12T21:35:38.800Z INFO    plugin-circular: cron.go:74 refreshGraph: graph has been refreshed
2023-12-12T21:35:43.182Z INFO    plugin-circular: node.go:92 Init: node initialized
2023-12-12T21:35:43.182Z INFO    plugin-circular: 16:35:43 main.go:39: circular successfully init'd!
2023-12-12T21:35:43.183Z INFO    lightningd: --------------------------------------------------
2023-12-12T21:35:43.183Z INFO    lightningd: Server started with public key 0228cc784d015731cc0c5dc2163c8bb856f59feb3234ce813edeccf2e26733c32d, alias BBB (color #8ff0a4) and lightningd 23.11

I created a ReadOnly Rune and plugged it into the Python example from here: https://docs.corelightning.org/docs/rest#python.

But I got this error:

Traceback (most recent call last):
  File "/home/go/Dev/python/CLNA-qt/test/SocketRESTtest.py", line 27, in <module>
    sio.connect('https://10.0.0.25:3010')
  File "/home/go/Dev/python/CLNA-qt/lib/python3.10/site-packages/socketio/client.py", line 338, in connect
    raise exceptions.ConnectionError(exc.args[0]) from None
socketio.exceptions.ConnectionError: HTTPSConnectionPool(host='10.0.0.25', port=3010): Max retries exceeded with url: /socket.io/?transport=polling&EIO=4&t=1702417422.7797441 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))

The certificates were apparently correctly created in the directory specified in the config file.

So what am I doing wrong?

@tonyaldon
Contributor

Maybe you can try to disable server certificate verification with the following line:

http_session.verify = False

In the documentation's example it is set to True.

I think you can also set it to the full path to your certificate (/path-to/ca.pem).

You can find more information here:

https://python-socketio.readthedocs.io/en/latest/client.html

If you want to give a JS client a try, you can check the first section of this live session we did in September:

https://lnroom.live/2023-09-14-live-0013-getting-started-with-clnrest-plugin/

@BTCBellyButton
Author

Thanks! I'll give it a try.

@BTCBellyButton
Author

Changing the .verify flag to False worked. After that I realized my virtual environment was missing websocket-client.
Now it works.

I also tried specifying the full path to ca.pem but that caused the server to refuse the connection:

HTTPSConnectionPool(host='10.0.0.25', port=3010): Max retries exceeded with url: /socket.io/?transport=polling&EIO=4&t=1702596534.9846961 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f4f52b0ba60>: Failed to establish a new connection: [Errno 111] Connection refused'))

Once I removed the ca.pem part, it worked again.

Thanks!!
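
Added example, not part of the thread or of the clnrest project: a standard-library probe that keeps certificate verification on, trusts only a copy of the server's ca.pem, and reports which layer a connection attempt stops at (CA file on the client, TCP connect, or TLS verification). The function names and the `./ca.pem` path are assumptions; the address and port are the ones from the issue.

```python
import socket
import ssl

# OpenSSL X509 verify codes that matter with a private CA, and what to fix.
VERIFY_HINTS = {
    18: "leaf is self-signed and untrusted: load that certificate as the CA file",
    19: "self-signed CA in the chain is not trusted: load the server's ca.pem",
    20: "issuer not in the trust store: load the server's ca.pem",
    62: "certificate does not cover this hostname: check its SAN entries",
    64: "certificate does not cover this IP address: check its SAN entries",
}

def pinned_context(ca_path):
    """Client context trusting only ca_path. PROTOCOL_TLS_CLIENT keeps
    CERT_REQUIRED and hostname checking on and loads no system roots."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_path)
    return ctx

def classify(exc):
    """Return (layer, hint) for an exception raised while connecting."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        return ("tls-verify", VERIFY_HINTS.get(code, f"verify code {code}"))
    if isinstance(exc, ssl.SSLError):
        return ("tls", str(exc))
    if isinstance(exc, FileNotFoundError):
        return ("local-config", "CA file not found on the client")
    if isinstance(exc, ConnectionRefusedError):
        return ("tcp", "no listener accepted the connection; TLS never started")
    if isinstance(exc, OSError):
        return ("tcp", str(exc))
    return ("unknown", repr(exc))

def probe(host, port, ca_path, timeout=5.0):
    """Build the pinned context, connect, handshake; report where it stops."""
    try:
        ctx = pinned_context(ca_path)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except (OSError, ValueError) as exc:
        return classify(exc)

if __name__ == "__main__":
    # Host and port are from the issue; ./ca.pem is an assumed location for
    # a copy of the server's ca.pem on the client machine.
    print(probe("10.0.0.25", 3010, "./ca.pem"))
```

With the `requests` session used in the thread, the matching setting is `http_session.verify = "/path-to/ca.pem"`, which `requests` treats as the CA bundle to verify against.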
