Issues with the certificate when downloading from the Sentinel Hub

[h4k1m0u]

Hi,

First of all, thanks for this helpful module.

I experienced an error with the certificate when trying to download a specific product from the Sentinel Hub.

Here is the command I entered in the shell followed by the error I got:

$ ~/Scripts/sentinelsat $ sentinel download <user> <password> 5c9746a6-4cac-4344-a86c-8873c487448a
Downloading 5c9746a6-4cac-4344-a86c-8873c487448a to ./S1A_IW_GRDH_1SDV_20150819T171924_20150819T171949_007335_00A129_A1AC.zip
Traceback (most recent call last):
File "/usr/local/bin/sentinel", line 9, in <module>
load_entry_point('sentinelsat==0.3', 'console_scripts', 'sentinel')()
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 700, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 680, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1027, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 873, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 508, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/sentinelsat/scripts/cli.py", line 58, in download
api.download(productid, path)
File "/usr/local/lib/python2.7/dist-packages/sentinelsat/sentinel.py", line 110, in download
download(product['url'], path=path, session=self.session)
File "/usr/local/lib/python2.7/dist-packages/homura.py", line 255, in download
hm.start()
File "/usr/local/lib/python2.7/dist-packages/homura.py", line 179, in start
raise e
pycurl.error: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

The only way to get rid of this error was to open the homura module > homura.py file > Homura::curl() method and make curl not verify the certificate of Sentinel Hub server (which is not very secure as the download operation will prone be to a man in the middle attack):

# h4k1m: don't check server certificate
c.setopt(pycurl.SSL_VERIFYPEER, 0)                                                                      
c.setopt(pycurl.SSL_VERIFYHOST, 0) 

Did you encounter this error before? and what's a more efficient way to resolve it?
Thanks.

[willemarcel]

Hi @h4k1m0u,

I've never found this error before, but I had some problems with pycurl when running it on Fedora, because some OS dependencies were not installed by default.

[h4k1m0u]

Hi @willemarcel,

I will check if they have a certificate (for Sentinel Hub), otherwise I need to test the script on other systems to check if it's really caused by the curl library.

Which OS dependencies did you install?

[willemarcel]

In Fedora I installed gnutls

[h4k1m0u]

I installed gnutls (gnutls-3.3.9) on ubuntu following the guide in: http://www.bauer-power.net/2014/06/how-to-install-gnutls-3123-from-source.html

It's still not working, but since it worked for you I guess the issue is related to the OS installation not the Sentinel Hub.

[h4k1m0u]

btw, I have no issue with the certificate when I download with curl command:

curl -vOu username:password "https://scihub.esa.int/dhus/odata/v1/Products('5bf223e1-214f-4da9-abe2-8960de28aff0')/\$value"

You could see from the output of the curl command that the certificate from ESA-Italy is well recognized.

[kr-stn]

I encountered the exact same error. It was caused by missing dependencies from the homura package.

As per the homura documentation I solved my issue on Ubuntu 14.04 with the following commands:

$ sudo apt-get install libcurl4-openssl-dev python-dev
$ sudo pip install -U pycurl urllib homura

[ghost]

On windows, I get a related error: pycurl.error: (60, 'SSL certificate problem: self signed certificate in certificate chain'). I could not fix it using the release of homura currently on pypi (v. 0.1.1) but homura/master now has a pass_through_opts keyword to the download method. With it, this library could allow passing the required CA certificates path through homura to pycurl.