Closed nigel-heaney closed 6 years ago
Thanks for the issue @nigel-heaney, I will have a look at it.
Sorry, it looks like I made a mistake. I thought this was the repo (followed links from Google). The version I installed with pip is written by someone else, so not applicable. Sorry for any inconvenience :)
ok, no problem 👍
Hi,
I've recently started looking at using python-foreman and encountered an issue where I can't use this module: due to changes upstream in Python, SSL verification has been switched to enabled by default, which causes the following error to occur:
```
Traceback (most recent call last):
  File "", line 1, in
  File "/usr/lib/python2.7/site-packages/foreman/__init__.py", line 49, in __init__
    self.domains = Domains(self.api)
  File "/usr/lib/python2.7/site-packages/foreman/objects.py", line 59, in __init__
    dict.__init__(self, self.load())
  File "/usr/lib/python2.7/site-packages/foreman/objects.py", line 151, in load
    limit=self.searchLimit)}
  File "/usr/lib/python2.7/site-packages/foreman/api.py", line 56, in _log
    ret = function(self, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/foreman/api.py", line 99, in list
    headers=self.headers)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 602, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 195, in resolve_redirects
    allow_redirects=False,
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
```
Investigating this, I found the problem from Red Hat (https://access.redhat.com/articles/2039753), which explains the problem and some solutions which partially work based on my installation of Foreman v1.15.6.
You can set to disable verification but this has the problem where it switches to using non-SSL (port 80), which we don't use. The other options don't appear to work where we use environment variables to disable.
The only success I have had is to modify the module and point specifically at a working ca-bundle (on the foreman server) or disable the verification but I then need to add code to api.py to suppress warning messages that verification is disabled. So I think it would be better to add support to the module itself where the default is system default or true and allow us to override what verify should be set to?
In api.py I made the following change to make it work, e.g. append verify to the requests calls:

```python
self.resp = requests.get(url=self.url, auth=self.auth, headers=self.headers, verify='/etc/ssl/certs/ca-bundle.trust.crt')
```
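The configurable `verify` option requested in this issue could look like the sketch below. It is an added example, not code from python-foreman or from the issue author; `resolve_verify`, `ApiClient`, `allow_insecure` and the example host name are hypothetical. Verification defaults to on, a CA bundle path is checked up front so a typo fails closed, and turning verification off needs an explicit second flag.

```python
import os


def resolve_verify(verify=None, allow_insecure=False):
    """Map a caller-supplied setting to a value for requests' `verify=`.

    None/True -> True (default trust store)
    str path  -> that CA bundle file or directory, which must exist
    False     -> accepted only together with allow_insecure=True
    """
    if verify is None or verify is True:
        return True
    if verify is False:
        if not allow_insecure:
            raise ValueError("verify=False requires allow_insecure=True")
        return False
    path = os.path.abspath(os.path.expanduser(str(verify)))
    if not os.path.exists(path):
        # Fail closed: a mistyped path must not fall back silently.
        raise ValueError("CA bundle not found: %s" % path)
    return path


class ApiClient(object):
    """Hypothetical stand-in for the module's API class."""

    def __init__(self, url, auth=None, headers=None, verify=None,
                 allow_insecure=False):
        self.url = url
        self.auth = auth
        self.headers = headers or {}
        self.verify = resolve_verify(verify, allow_insecure)

    def request_kwargs(self):
        # Passed unchanged to every requests.get/post/put/delete call,
        # so no call site can forget the verification setting.
        return {"auth": self.auth, "headers": self.headers,
                "verify": self.verify}

    def get(self, path):
        import requests  # imported here so the rest runs without it
        return requests.get(self.url.rstrip("/") + path,
                            **self.request_kwargs())
```

A caller on a host with a private CA would construct it as `ApiClient("https://foreman.example.test", verify="/etc/ssl/certs/ca-bundle.trust.crt")`, keeping HTTPS and full certificate checking.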