Closed eahrold closed 9 years ago
UPDATE: Even though the server has a trusted SSL certificate, the error goes away if I disable certificate verification.
defaults write com.github.autopkg JSS_VERIFY_SSL -bool false
A possible red flag is that the SSL certificate is a wildcard *.jamfcloud.com and I've definitely seen issues (though completely unrelated) with those before.
One more update.
I just realized it was working fine earlier today via the cli, but I was using the 0.4.2 release.
I ran the pkg installer and now I'm on 0.4.3 (python-jss), and now the issue is there via cli too.
Setting verify_ssl=False resolves it.
I imagine the verify_ssl being set to be off should solve SSL errors, but that's not really a good solution ;)
I just did a quick diff on both jss-autopkg-addon and python-jss and I don't see anything that would indicate an obvious regression. In fact, the code is only slightly different!
So just taking a stab at googling around, there's this:
https://github.com/kennethreitz/requests/issues/557
which is the same error.
I did this:
[517][craigs-imac]:~/Developer/python-jss (testing)$ python
Python 2.7.7 (v2.7.7:f89216059edf, May 31 2014, 12:53:48)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import certifi
>>> certifi.where()
'/Library/Python/2.7/site-packages/certifi/cacert.pem'
Why that would have changed or be missing I couldn't tell you. But the first thing I would do would be to ensure that /Library/Python/2.7/site-packages/certifi/cacert.pem exists and is readable.
I wonder if it's because I'm using easy_install and an egg to install python-jss. It looks like the certifi package isn't needed any more in requests. Maybe the egg is missing the cacert.pem that comes with requests?
Yeah, I don't have a certifi module installed in the 2.7 site-package.
I do have the cacert.pem in the contrib/requests and it is readable.
And actually I retract that I was using 0.4.2, it may have been I hadn't updated the requests part of the python-jss, and was still working off my fork, with an older version of requests. I'll try and roll back to see if I can figure it out.
I'm still trying to figure out how to check for the cacert.pem in requests, since it's all packaged up in an egg.
Yep. I can make it fail with the missing certs error on a clean machine. I've explicitly included the cacert.pem in the setup.py file that creates the egg, but it's not working correctly, probably because requests expects it to be accessible through the filesystem...
And I had just pulled the python-jss changes from master, and not installed via the egg until earlier today, so that somewhat equates. In fact I had the git repo symlinked into the site-package, and it's probable that's what I was running off of.
I uninstalled the python-jss egg and then reinstalled it unzipped a la
pip uninstall python-jss
easy_install -UZ python-jss
and then I don't get the above error.
Of course, then I get the sslv3 alert handshake failure.
Jeez, can't win.
Yep, that's working for me too, and now at 0.4.3.
But... that was because I was trying on a JSS 9.6.1 server, which is probably the SSL being disabled issue #9
Indeed, it works fine connecting to a non-9.6.1 server.
So I'll make the change to the installer package and release a new version just so no one misses it.
And then we will hope that @ocoda comes up with a solution for the new requests.
@eahrold Done. New installer up for the current release. See if it solves the issue for the AutoPkgr issue users. Don't have time to do another release this afternoon.
@sheagcraig, thanks a bunch. It's working.
Hey @sheagcraig! Well, the latest version of urllib3 (1.9.1) is from September 19th, while the fix to detect the correct SSL/TLS version is from October 30th (see: https://github.com/shazow/urllib3/commit/523860eba6e26ae88be78e7057db621d87869670). Yesterday a new version of requests (2.5: https://github.com/kennethreitz/requests/releases/tag/v2.5.0) was released which includes a snapshot version of urllib3 with the fix we need.
Looks like our problems self solved themselves :-)
That's awesome. I'll put together new releases with that. It will solve some other issues and mistakes too.
I too started seeing this error. We're using a JAMF cloud hosted DP.
Strange thing is that I have no problem creating a JSS object from the cli, or pulling info there.
I'll start digging in and see if I can find the culprit.
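A diagnostic for the failure discussed in this thread, where the cacert.pem bundled with requests ends up inside a zipped egg and cannot be opened as a file, so verification fails even against a trusted certificate. This is an added example, not code from python-jss, requests or any participant in the thread; the function names, status strings and the sample egg layout are assumptions constructed for illustration.

```python
import os
import tempfile
import zipfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def diagnose_ca_bundle(path):
    """Return 'ok', 'unreadable', 'not-pem', 'inside-archive' or 'missing'."""
    if os.path.isfile(path):
        if not os.access(path, os.R_OK):
            return "unreadable"
        with open(path, "rb") as fh:
            return "ok" if PEM_MARKER in fh.read() else "not-pem"
    # Not a file on disk: walk up the path. If an ancestor is a zip archive
    # (a zipped egg) that holds the bundle, TLS code that needs a real
    # filesystem path will not be able to load it.
    parent = os.path.dirname(path)
    while parent and parent != os.path.dirname(parent):
        if os.path.isfile(parent):
            if not zipfile.is_zipfile(parent):
                return "missing"
            member = os.path.relpath(path, parent).replace(os.sep, "/")
            with zipfile.ZipFile(parent) as archive:
                found = member in archive.namelist()
            return "inside-archive" if found else "missing"
        parent = os.path.dirname(parent)
    return "missing"

def demo():
    """Build a constructed unzipped install and a constructed zipped egg."""
    root = tempfile.mkdtemp()
    pem = PEM_MARKER + b"\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    unzipped = os.path.join(root, "unzipped", "requests", "cacert.pem")
    os.makedirs(os.path.dirname(unzipped))
    with open(unzipped, "wb") as fh:
        fh.write(pem)
    egg = os.path.join(root, "example_pkg.egg")  # hypothetical egg name
    with zipfile.ZipFile(egg, "w") as archive:
        archive.writestr("requests/cacert.pem", pem)
    return {
        "unzipped": diagnose_ca_bundle(unzipped),
        "zipped": diagnose_ca_bundle(os.path.join(egg, "requests", "cacert.pem")),
        "absent": diagnose_ca_bundle(os.path.join(root, "nope", "cacert.pem")),
    }

if __name__ == "__main__":
    for layout, status in demo().items():
        print(layout, "->", status)
```

A result of inside-archive points at the packaging as the cause, which is fixed by installing unzipped as done above with easy_install -UZ, leaving certificate verification enabled.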