New SSL Issue #14

Closed
eahrold opened this issue Dec 2, 2014 · 17 comments

@eahrold
Contributor

eahrold commented Dec 2, 2014

I too started seeing this error.
We're using a JAMF cloud-hosted DP.

Traceback (most recent call last):
  File "/usr/local/bin/autopkg", line 1334, in <module>
    sys.exit(main(sys.argv))
  File "/usr/local/bin/autopkg", line 1328, in main
    exit(subcommands[verb]['function'](argv))
  File "/usr/local/bin/autopkg", line 1152, in run_recipes
    autopackager.process(recipe)
  File "/Library/AutoPkg/autopkglib/__init__.py", line 466, in process
    self.env = processor.process()
  File "/Library/AutoPkg/autopkglib/__init__.py", line 295, in process
    self.main()
  File "/Library/AutoPkg/autopkglib/JSSImporter.py", line 576, in main
    ssl_verify=sslVerify, repo_prefs=repos)
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/jss.py", line 169, in __init__
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/distribution_points.py", line 85, in __init__
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/jss.py", line 317, in DistributionPoint
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/jss.py", line 454, in get_object
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/jss.py", line 196, in get
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/contrib/requests/sessions.py", line 469, in get
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/contrib/requests/sessions.py", line 457, in request
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/contrib/requests/sessions.py", line 569, in send
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/contrib/requests/adapters.py", line 420, in send
jss.contrib.requests.exceptions.SSLError: [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Strange thing is that I have no problem creating a JSS object from the cli, or pulling info there.

I'll start digging in and see if I can find the culprit.

@eahrold
Contributor Author

eahrold commented Dec 2, 2014

UPDATE:
Even though the server has a trusted SSL certificate, the error goes away if I disable certificate verification.

defaults write com.github.autopkg JSS_VERIFY_SSL -bool false

A possible red flag is that the SSL certificate is a wildcard *.jamfcloud.com and I've definitely seen issues (though completely unrelated) with those before.

@eahrold
Contributor Author

eahrold commented Dec 2, 2014

One more update.
I just realized it was working fine earlier today via the cli, but I was using the 0.4.2 release.
I ran the pkg installer and now I'm on 0.4.3 (python-jss), and now the issue is there via cli too.
Setting verify_ssl=False resolves it.

@sheagcraig
Collaborator

I imagine the verify_ssl being set to be off should solve SSL errors, but that's not really a good solution ;)

I just did a quick diff on both jss-autopkg-addon and python-jss and I don't see anything that would indicate an obvious regression. In fact, the code is only slightly different!

So just taking a stab at googling around, there's this:

https://github.com/kennethreitz/requests/issues/557

which is the same error.

I did this:

[517][craigs-imac]:~/Developer/python-jss (testing)$ python
Python 2.7.7 (v2.7.7:f89216059edf, May 31 2014, 12:53:48) 
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import certifi
>>> certifi.where()
'/Library/Python/2.7/site-packages/certifi/cacert.pem'

Why that would have changed or be missing I couldn't tell you. But the first thing I would do would be to ensure that /Library/Python/2.7/site-packages/certifi/cacert.pem exists and is readable.

@sheagcraig
Collaborator

I wonder if it's because I'm using easy_install and an egg to install python-jss. It looks like the certifi package isn't needed any more in requests. Maybe the egg is missing the cacert.pem that comes with requests?

@eahrold
Contributor Author

eahrold commented Dec 2, 2014

Yeah, I don't have a certifi module installed in the 2.7 site-packages.
I do have the cacert.pem in the contrib/requests and it is readable.

@eahrold
Contributor Author

eahrold commented Dec 2, 2014

And actually I retract that I was using 0.4.2; it may have been that I hadn't updated the requests part of python-jss, and was still working off my fork, with an older version of requests. I'll try to roll back to see if I can figure it out.

@sheagcraig
Collaborator

I'm still trying to figure out how to check for the cacert.pem in requests, since it's all packaged up in an egg.

@sheagcraig
Collaborator

Yep. I can make it fail with the missing certs error on a clean machine. I've explicitly included the cacert.pem in the setup.py file that creates the egg, but it's not working correctly, probably because requests expects it to be accessible through the filesystem...

@eahrold
Contributor Author

eahrold commented Dec 2, 2014

And I had just pulled the python-jss changes from master, and not installed via the egg until earlier today, so that somewhat equates. In fact I had the git repo symlinked into the site-package, and it's probable that's what I was running off of.

@sheagcraig
Collaborator

I uninstalled the python-jss egg and then reinstalled it unzipped a la

pip uninstall python-jss
easy_install -UZ python-jss

and then I don't get the above error.

Of course, then I get the sslv3 alert handshake failure.
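
An added check, not part of the thread or of python-jss, for the failure diagnosed above: OpenSSL opens the CA bundle by filesystem path, so a cacert.pem that sits inside a zipped egg cannot be loaded, while the same file in an unzipped install can. The egg name and the sample PEM block are constructed for the demonstration.

```python
import os
import tempfile
import zipfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def enclosing_archive(path):
    """Return the first ancestor of `path` that is a zip file (e.g. a zipped egg), else None."""
    current = os.path.abspath(path)
    while True:
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return None
        current = parent
        if os.path.isfile(current) and zipfile.is_zipfile(current):
            return current


def check_ca_bundle(path):
    """Classify a CA bundle path the way OpenSSL will see it: as a plain file on disk."""
    archive = enclosing_archive(path)
    if archive:
        return "inside-archive:" + os.path.basename(archive)
    if not os.path.isfile(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    with open(path, "rb") as handle:
        count = handle.read().count(PEM_MARKER)
    return "ok:%d" % count if count else "no-certificates"


def demo():
    """Build a constructed zipped egg and an unzipped copy, then check both."""
    root = tempfile.mkdtemp()
    pem = PEM_MARKER + b"\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"  # constructed, not a real cert
    inner = os.path.join("jss", "contrib", "requests", "cacert.pem")
    egg = os.path.join(root, "example_pkg-0.0.0-py2.7.egg")  # hypothetical egg name
    with zipfile.ZipFile(egg, "w") as archive:
        archive.writestr(inner.replace(os.sep, "/"), pem)
    unzipped = os.path.join(root, "unzipped", inner)
    os.makedirs(os.path.dirname(unzipped))
    with open(unzipped, "wb") as handle:
        handle.write(pem)
    return check_ca_bundle(os.path.join(egg, inner)), check_ca_bundle(unzipped)


if __name__ == "__main__":
    print(demo())
```

Running `check_ca_bundle` on the bundle path a client is actually configured with separates a packaging problem from a genuine trust failure before anyone reaches for disabling verification.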

@eahrold
Contributor Author

eahrold commented Dec 2, 2014

Jeez, can't win.

@eahrold
Contributor Author

eahrold commented Dec 2, 2014

Yep, that's working for me too, and now at 0.4.3.

@sheagcraig
Collaborator

But... that was because I was trying on a JSS 9.6.1 server, which is probably the SSL being disabled issue #9

Indeed, it works fine connecting to a non-9.6.1 server.

So I'll make the change to the installer package and release a new version just so no one misses it.

And then we will hope that @ocoda comes up with a solution for the new requests.

@sheagcraig
Collaborator

@eahrold Done. New installer up for the current release. See if it solves the issue for the AutoPkgr issue users. Don't have time to do another release this afternoon.

@eahrold
Contributor Author

eahrold commented Dec 2, 2014

@sheagcraig, thanks a bunch. It's working.

@eahrold eahrold closed this as completed Dec 2, 2014
@systemheld

Hey @sheagcraig!
Well, the latest version of urllib3 (1.9.1) is from September 19th, while the fix to detect the correct SSL/TLS version is from October 30th (see: urllib3/urllib3@523860e).
Yesterday a new version of requests (2.5: https://github.com/kennethreitz/requests/releases/tag/v2.5.0) was released which includes a snapshot version of urllib3 with the fix we need.

Looks like our problems solved themselves :-)

@sheagcraig
Collaborator

That's awesome. I'll put together new releases with that. It will solve some other issues and mistakes too.
