TomBursch / kitchenowl

KitchenOwl is a self-hosted grocery list and recipe manager. The backend is made with Flask and the frontend with Flutter. Easily add items to your shopping list before you go shopping. You can also create recipes and add items based on what you want to cook.
https://kitchenowl.org/
GNU Affero General Public License v3.0

Bug: SSL error when attempting to import from recipes.instantpot.com #198

Open SeeJayEmm opened 1 year ago

SeeJayEmm commented 1 year ago

Is this urgent?

No

What parts are affected

Backend

What are the Server/Client versions of KitchenOwl

v0.4.6(77) | Server v72

What's the problem 🤔

Trying to import the recipe on https://recipes.instantpot.com/recipe/chicken-tikka-masala/ returns "An error occurred". Checking the logs, I found the snippet included below, which indicates an SSL problem. The site https://recipes.instantpot.com has a valid SSL certificate, as near as I can tell.

Share your logs

[2023-07-16 20:49:23,437] ERROR in config: HTTPSConnectionPool(host='recipes.instantpot.com', port=443): Max retries exceeded with url: /recipe/chicken-tikka-masala/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)')))
ERROR:app.config:HTTPSConnectionPool(host='recipes.instantpot.com', port=443): Max retries exceeded with url: /recipe/chicken-tikka-masala/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)')))

Share your configuration

version: "3"
services:
  front:
    image: tombursch/kitchenowl-web:latest
    # environment:
    #   - BACK_URL=back:5000 # Optional should not be changed unless you know what youre doing
    # Commenting out port bindings
    #ports:
    #  - "2080:80"
    depends_on:
      - back
    networks:
      - net
  back:
    image: tombursch/kitchenowl:latest
    restart: unless-stopped
    # ports: # Optional
    #   - "80:80" # http protocol
    #   - "5000:5000" # uwsgi protocol
    networks:
      - net
    environment:
      - JWT_SECRET_KEY="obfuscated"
      # - FRONT_URL=http://localhost # Optional should not be changed unless you know what youre doing
    volumes:
      - kitchenowl_data:/data

volumes:
  kitchenowl_data:

networks:
  net:
    external: true

SeeJayEmm commented 1 year ago

I did some digging on the error but I'm coming up empty. The "back" container appears to have an up-to-date certificate store in /etc/ssl/certs. When I try to pull the cert via openssl I get the following. I'm still digging.

root@3f4ee2ba4e3b:~# openssl s_client -showcerts -servername recipes.instantpot.com -connect recipes.instantpot.com:443 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=0 C = US, ST = Illinois, L = Downers Grove, O = Instant Brands LLC, CN = recipes.instantpot.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Illinois, L = Downers Grove, O = Instant Brands LLC, CN = recipes.instantpot.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Illinois, L = Downers Grove, O = Instant Brands LLC, CN = recipes.instantpot.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Illinois, L = Downers Grove, O = Instant Brands LLC, CN = recipes.instantpot.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 31 15:55:37 2023 GMT; NotAfter: Jun  9 15:55:37 2024 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:C = US, ST = Illinois, L = Downers Grove, O = Instant Brands LLC, CN = recipes.instantpot.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 31 15:55:37 2023 GMT; NotAfter: Jun  9 15:55:37 2024 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = Illinois, L = Downers Grove, O = Instant Brands LLC, CN = recipes.instantpot.com
issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4066 bytes and written 454 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1B4A2255E39906286093616C3443A3C1C38F2696FA3FCD0BD6D3D0F704B3C2A2
    Session-ID-ctx: 
    Master-Key: 7632F99B09373CBA84D800B197231FD2E5ADD36A1C1150E04B36E600F64EA2A1C016F87F6F07E879F45501E94117608A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1689541905
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---

HTTP/1.1 400 BAD_REQUEST
Content-Length: 0
Connection: Close

closed
root@3f4ee2ba4e3b:~# 

TomBursch commented 1 year ago

Thanks for trying to look for the issue! This might be an upstream issue with recipe-scrapers, but I'll have to do some testing myself.

SeeJayEmm commented 1 year ago

The only thing I found is that it may be an invalid or incomplete cert chain being presented by https://recipes.instantpot.com/. If I'm reading the openssl output correctly, it looks like the same cert is presented twice in the chain. From what I read, a browser will do the work to find and validate the root CA, whereas openssl won't.

I'm at the edge of my depth here though, so take it all with a grain of salt.
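The chain problem described in this comment can be checked mechanically from the `openssl s_client` output above. The following script is an added example, not code from KitchenOwl or from anyone in this thread: it parses the "Certificate chain" block into (subject, issuer) pairs and reports the two defects visible here (the same leaf sent twice, and no certificate for the leaf's issuer, which is what verify errors 20/21 mean). The sample output is constructed from the thread, and the Entrust root subject used as the local trust anchor is an assumption standing in for whatever is in /etc/ssl/certs.

```python
import re

# Constructed sample modelled on the s_client output in this issue:
# the leaf is presented twice and the Entrust L1K intermediate is missing.
BROKEN_CHAIN = """\
Certificate chain
 0 s:C = US, O = Instant Brands LLC, CN = recipes.instantpot.com
   i:C = US, O = "Entrust, Inc.", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = Instant Brands LLC, CN = recipes.instantpot.com
   i:C = US, O = "Entrust, Inc.", CN = Entrust Certification Authority - L1K
---
"""

# Constructed sample of what a complete chain from the same CA would look like.
COMPLETE_CHAIN = """\
Certificate chain
 0 s:C = US, O = Instant Brands LLC, CN = recipes.instantpot.com
   i:C = US, O = "Entrust, Inc.", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", CN = Entrust Root Certification Authority - G2
---
"""

# Assumed local trust anchors (subject names only), standing in for /etc/ssl/certs.
TRUSTED_SUBJECTS = {'C = US, O = "Entrust, Inc.", CN = Entrust Root Certification Authority - G2'}


def parse_chain(text: str) -> list[tuple[str, str]]:
    """Return (subject, issuer) pairs from an s_client 'Certificate chain' block."""
    pairs, subject = [], None
    for line in text.splitlines():
        if m := re.match(r"^\s*\d+ s:(.*)$", line):
            subject = m.group(1).strip()
        elif (m := re.match(r"^\s*i:(.*)$", line)) and subject is not None:
            pairs.append((subject, m.group(1).strip()))
            subject = None
    return pairs


def diagnose(chain: list[tuple[str, str]], trusted: set[str]) -> list[str]:
    """List chain defects; an empty list means the chain reaches a trust anchor."""
    findings = []
    subjects = [s for s, _ in chain]
    if len(set(subjects)) < len(subjects):
        findings.append("duplicate certificate in chain")
    for idx, (_, issuer) in enumerate(chain):
        if issuer in trusted:
            return findings  # issuer is a local anchor: path is complete
        if not any(s == issuer for s, _ in chain[idx + 1:]):
            findings.append(f"missing intermediate: no cert for issuer '{issuer}'")
            break  # same condition OpenSSL reports as error 20/21
    return findings
```

If the server cannot be fixed, the right server-side workaround for the importer is to point `requests` at a CA bundle that includes the missing intermediate (for example via `REQUESTS_CA_BUNDLE` or `verify=`), not to disable verification.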

TomBursch commented 1 year ago

It looks like that is the case. But I think this has to be fixed upstream (requests or urllib).