New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
winrepo - SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed #27081
Comments
I may have assumed too much. ;-( Now that I have changed the Ok so here is an even fuller
|
Can't download files from S3 - This is currently a breaking issue for us. |
Might have to do this #25440 |
@twangboy, I agree that it is likley linked to the python veriosn in use. BUT, I have changed the installer URL for the I would call this a bug if the winrepo downloader even tries to do a SSL server certificate check on a simple non secure |
@krak3n how do you get to your S3 downloads? what is the URL you use? Is there any web redirect (302) involved as well? you could do a |
@TheBigBear my state was basically this: /foo.jpg:
file.managed:
- source: https://s3-eu-west-1.amazonaws.com/public.bucket/foo.jpg This threw the SSL error, but In end end I gave up and did a |
@twangboy, ok, so I created (just for proof of concept testing) a windows salt minion devel ver. actually using python 2.7.10 (was only a two line chg in the The way I quickly checked this is by running a
Full versions report is:
And if I run same cmd line against a standard official windows minion built on python ver 2.7.8 I get the SSL error:
But @twangboy and @terminalmage ^^ why on earth is the saltutil
saltutil's |
The current python (ver. 2.7.8) based winrepo downloader fails on
https
sites that requireSNI
(server name indication) support the current version of python used does not, but allegedly this is resolved inpython >= 2.7.9
.The error is:
salt 'uk-it-20' pkg.install pdf24creator
which tries downloading
https://en.pdf24.org/products/pdf-creator/download/pdf24-creator-7.2.0.msi
fails.The site
en.pdf24.org
(85.25.111.198) requiring SNI support has nothing much wrong with it's SSL setup, so the winrepo downloader should not complain.As a
temporary
work-around I will drop the 's' from 'https' winrepo installer URLs, for those pkgs that require this, and do have a non https link, but this is sub-optimal from a security perspective for an installer.PPS: I have read in other places that the SSL SNI (and other) improvements have not been entirely satisfactory in
python 2.7.9
, but are improved upon - again- in the current releasepython 2.7.10
.So IF nothing else is holding us back it would be great if the python basis for the windows salt minion installer (and hence also the winrepo downloader? does that follow? - or is it going to depend on the python version running on the master?) could be bumpd up to
>= python 2.7.10
.The text was updated successfully, but these errors were encountered: