SSL certificate error

[pcubillos]

Hi, Today I noticed I'm getting this error when I try to make a query through the command line:

 curl -H 'Authorization: Bearer <token>' 'https://api.adsabs.harvard.edu/v1/search/query?q=star'
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Similarly when I try to do the query through the Python requests package:

bibm ads-search
(Press 'tab' for autocomplete)                                                  
author:"buchner, j" property:refereed                                           
Traceback (most recent call last):
  File "/home/pcubillos/py36/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/home/pcubillos/py36/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/home/pcubillos/py36/lib/python3.6/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "/home/pcubillos/py36/lib/python3.6/site-packages/urllib3/connection.py", line 344, in connect
    ssl_context=context)
  File "/home/pcubillos/py36/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 344, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/pcubillos/py36/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/home/pcubillos/py36/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/home/pcubillos/py36/lib/python3.6/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.adsabs.harvard.edu', port=443): Max retries exceeded with url: /v1/search/query?q=author%3A%22buchner%2C%20j%22%20property%3Arefereed&start=0&rows=200&sort=pubdate+desc&fl=title,author,year,bibcode,pub (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/pcubillos/py36/bin/bibm", line 11, in <module>
    load_entry_point('bibmanager', 'console_scripts', 'bibm')()
  File "/home/pcubillos/Dropbox/IWF/projects/2018_bibmanager/bibmanager/bibmanager/__main__.py", line 1088, in main
    args.func(args)
  File "/home/pcubillos/Dropbox/IWF/projects/2018_bibmanager/bibmanager/bibmanager/__main__.py", line 263, in cli_ads_search
    am.manager(query)
  File "/home/pcubillos/Dropbox/IWF/projects/2018_bibmanager/bibmanager/bibmanager/ads_manager/ads_manager.py", line 47, in manager
    results, nmatch = search(query, start=start)
  File "/home/pcubillos/Dropbox/IWF/projects/2018_bibmanager/bibmanager/bibmanager/ads_manager/ads_manager.py", line 120, in search
    headers={'Authorization': f'Bearer {token}'})
  File "/home/pcubillos/py36/lib/python3.6/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/home/pcubillos/py36/lib/python3.6/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/pcubillos/py36/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/pcubillos/py36/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/home/pcubillos/py36/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.adsabs.harvard.edu', port=443): Max retries exceeded with url: /v1/search/query?q=author%3A%22buchner%2C%20j%22%20property%3Arefereed&start=0&rows=200&sort=pubdate+desc&fl=title,author,year,bibcode,pub (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)'),))

I'm pretty sure nothing has changed on my end since the last time it was working. Is this an error that will get fixed or should I turn off the certificate verification from now on?

Thanks!

[marblestation]

Thanks for reporting this. This is due to an expired root certificate from Sectigo (more details). Browsers deal with it without problems but certain tools such as curl don't. Clients can manually change/update their setups, but we are also working on removing the expired certificate from our certificate chain and this might take less than a day.

[pcubillos]

Great, thanks for looking into this!