Using a self-signed certificate with intake #747

Open
rsignell-usgs opened this issue May 31, 2023 · 4 comments

@rsignell-usgs
Contributor

rsignell-usgs commented May 31, 2023

I'm a visiting scientist at an organization that uses a self-signed certificate.

col = intake.open_esm_datastore("https://cmip6-pds.s3.amazonaws.com/pangeo-cmip6.json",)

is failing in aiohttp/connector.py with

ClientConnectorError: Cannot connect to host cmip6-pds.s3.amazonaws.com:443 ssl:default [Connection reset by peer]

I'm able to set up a connection with

import ssl
import aiohttp

CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"
PEM_PUB="/home/la.signell/PA-RootCA-Cert-2023-Pub.pem"

ssl_ctx = ssl.create_default_context(cafile=CA_BUNDLE)
ssl_ctx.load_verify_locations(PEM_PUB)

We know this certificate works because we told Firefox to trust it and then it can open the catalog.

But how do we communicate this to Intake?

@martindurant
Member

You can apparently use the AWS_CA_BUNDLE environment variable to point to the crt, https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#environment-variable-configuration also available as ca_bundle= which I think goes in client_kwargs.

I'm not sure you need the PEM, I see no mention of it.

@martindurant
Member

Sorry, sorry - you are using the HTTP endpoint.
Apparently aiohttp takes ssl= as the kwarg. intake-esm seems to take storage_options, which I assume are passed straight to aiohttp, so maybe

col = intake.open_esm_datastore("https://cmip6-pds.s3.amazonaws.com/pangeo-cmip6.json", storage_options={"ssl": ssl_ctx})

@rsignell-usgs
Contributor Author

That gave me a type error -- but seems like it should be something like that. I'll raise the issue on the intake-esm repo, as perhaps @mgrover1 or others there have experienced something like this.

@mgrover1

I have not seen this yet... but yeah! Go ahead and open an issue @rsignell-usgs
