Gronis / docker-seafile-client

Run a seafile client inside docker which can sync files from seafile repositories
MIT License

SSL: CERTIFICATE_VERIFY_FAILED #11

Closed ThePinkOne closed 2 years ago

ThePinkOne commented 2 years ago

Hi,

I am using the latest image and the synchronization doesn't work. This is the command: seaf-cli sync -l my_lib_id -s https://my_url -d /my_data -u my_username@home and I get this error:

  File "/usr/lib/python3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3.9/http/client.py", line 1255, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1301, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1250, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1010, in _send_output
    self.send(msg)
  File "/usr/lib/python3.9/http/client.py", line 950, in send
    self.connect()
  File "/usr/lib/python3.9/http/client.py", line 1424, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/seaf-cli", line 1023, in <module>
    main()
  File "/usr/bin/seaf-cli", line 1019, in main
    args.func(args)
  File "/usr/bin/seaf-cli", line 675, in seaf_sync
    token = get_token(url, username, password, tfa, conf_dir)
  File "/usr/bin/seaf-cli", line 301, in get_token
    token_json = urlopen("%s/api2/auth-token/" % url, data=data, headers=headers)
  File "/usr/bin/seaf-cli", line 234, in urlopen
    resp = urllib.request.urlopen(req)
  File "/usr/lib/python3.9/urllib/request.py", line 214, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.9/urllib/request.py", line 517, in open
    response = self._open(req, data)
  File "/usr/lib/python3.9/urllib/request.py", line 534, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/lib/python3.9/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.9/urllib/request.py", line 1389, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/lib/python3.9/urllib/request.py", line 1349, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)>

I also tried to use seaf-cli config -k disable_verify_certificate -v true, but I think that this setting is not adopted. Is there a config in which I can check the settings?

Gronis commented 2 years ago

Are you using a self-signed certificate? Using LAN domain names (home in this case) will have an untrusted root certificate. I guess I can add an option to disable certificate validation if it is supported by seaf-cli, but a real solution for you would be to trust your certificate.

This is currently not supported.
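
The "unable to get local issuer certificate" failure in the traceback, and the effect of trusting the issuing CA instead of disabling verification, can be reproduced offline with openssl. This is an added example, not part of the thread or the project's code; the CA name, host name and file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo PKI: "Demo Home CA" and the host "seafile.home" are
# assumptions for illustration, not values from the issue.

# Create a private root CA and a server certificate signed by it in directory $1.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Home CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=seafile.home" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.crt" 2>/dev/null
}

# Succeed only if certificate $1 chains to a trusted root.
# $2 (optional) is a PEM bundle of extra roots to trust.
verify_cert() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify "$1" 2>&1 | grep -q ': OK$'
    fi
}

# Print the reason OpenSSL gives when $1 fails against the default trust store.
verify_error() {
    openssl verify "$1" 2>&1 |
        sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Run both checks against a throwaway PKI and report the outcome.
demo() {
    d=$(mktemp -d) && make_pki "$d" || return 1
    # The private CA is not in the default store, so the chain cannot be built.
    verify_cert "$d/srv.crt" || echo "default store: $(verify_error "$d/srv.crt")"
    # Trusting only the issuing CA makes the same certificate verify.
    verify_cert "$d/srv.crt" "$d/ca.crt" && echo "with ca.crt trusted: OK"
    rm -rf "$d"
}
demo
```

Trusting `ca.crt` accepts only certificates issued by that CA, whereas disabling verification accepts whatever certificate the peer presents.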

ThePinkOne commented 2 years ago

Thank you for your answer. The seaf-cli offers this disable_verify_certificate option. It would be perfect if you could add this option.

I'm not very familiar with the network structure of our company or how the certificate handling works exactly. I only know that the Seafile desktop clients also use the function to disable certificate verification to work properly. That's why I wanted to use it for seaf-cli as well.

So it would help me a lot if the command also works in the container.

Gronis commented 2 years ago

Ok, I've just pushed a version with support. I'm unsure if it works properly because I don't have a self-signed setup to test on. Please test it out and report back here so I can close this issue if it works properly.

ThePinkOne commented 2 years ago

Thank you for your help. It's working now :-)

Gronis commented 2 years ago

Great!