Closed antonelepfl closed 4 years ago
hi,
this is pretty easy to explain and fix. The certification authority used by CSCS is not trusted by the python code. The UNICORE API avoids this by adding verify=False to the requests call, i.e.
res = requests.post(url, json=data, headers=headers, verify=False)
should do the trick.
@BerndSchuller Yes that works, but is disabling the certification check a bad practice? Shouldn't the untrusted authority added to the python code somehow? Would that be the better solution?
Is this code running in a jupyter notebook in the collab? The configured truststore indeed should contain the CA used by CSCS.
In the collab notebooks accessing "https://hbp-unic.fz-juelich.de:9112" works fine, "https://brissago.cscs.ch:8080" fails to validate.
It might be a good idea to open a ticket, so the containers running the notebooks can be updated.
Personally I consider the risk of not validating the certificates pretty low, but in general, switching on validation is indeed best practice.
No, the code does not usually run from inside a jupyter notebook. They run on my local linux machine, or from within a jenkins instance.
Then you're on your own, I guess. To enable validation, you'd need to collect the CAs that are used by the servers you want to access and either put them in the system truststore, or configure requests so that they are found.
you can see all certificate info using
openssl s_client -connect brissago.cscs.ch:8080
That server uses the "QuoVadis Global SSL ICA G2" certification authority, and you can get the certificate here: https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL/QuoVadisGlobalSSLICAG2-PEM.aspx
Probably not really worth the effort, especially in a testing / local scenario.
Thanks for the info. I might look into that a bit more, or just use your suggested solution.
I will close this ticket for now.
Hi @BerndSchuller, With @alex4200 we are running some test using python and Unicore API and we are getting
To test we are doing something like:
Using the Simulation GUI we don't see any of these errors, is there something that we worry about? I see that maybe there is an issue on the TSI part
What do you think?