jssimporter / JSSImporter

JSSImporter is deprecated. Please see the wiki for alternatives
Apache License 2.0

New SSL Issue #14

Closed eahrold closed 9 years ago

eahrold commented 9 years ago

I too started seeing this error. We're using a JAMF cloud hosted DP.

Traceback (most recent call last):
  File "/usr/local/bin/autopkg", line 1334, in <module>
    sys.exit(main(sys.argv))
  File "/usr/local/bin/autopkg", line 1328, in main
    exit(subcommands[verb]['function'](argv))
  File "/usr/local/bin/autopkg", line 1152, in run_recipes
    autopackager.process(recipe)
  File "/Library/AutoPkg/autopkglib/__init__.py", line 466, in process
    self.env = processor.process()
  File "/Library/AutoPkg/autopkglib/__init__.py", line 295, in process
    self.main()
  File "/Library/AutoPkg/autopkglib/JSSImporter.py", line 576, in main
    ssl_verify=sslVerify, repo_prefs=repos)
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/jss.py", line 169, in __init__
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/distribution_points.py", line 85, in __init__
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/jss.py", line 317, in DistributionPoint
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/jss.py", line 454, in get_object
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/jss.py", line 196, in get
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/contrib/requests/sessions.py", line 469, in get
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/contrib/requests/sessions.py", line 457, in request
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/contrib/requests/sessions.py", line 569, in send
  File "/Library/Python/2.7/site-packages/python_jss-0.4.3-py2.7.egg/jss/contrib/requests/adapters.py", line 420, in send
jss.contrib.requests.exceptions.SSLError: [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Strange thing is that I have no problem creating a JSS object from the cli, or pulling info there.

I'll start digging in and see if I can find the culprit.

eahrold commented 9 years ago

UPDATE: Even though the server has a trusted SSL certificate, the error goes away if I disable certificate verification.

defaults write com.github.autopkg JSS_VERIFY_SSL -bool false

A possible red flag is that the SSL certificate is a wildcard *.jamfcloud.com and I've definitely seen issues (though completely unrelated) with those before.

eahrold commented 9 years ago

One more update. I just realized it was working fine earlier today via the cli, but I was using the 0.4.2 release. I ran the pkg installer and now I'm on 0.4.3 (python-jss), and now the issue is there via cli too. Setting verify_ssl=False resolves it.

sheagcraig commented 9 years ago

I imagine the verify_ssl being set to be off should solve SSL errors, but that's not really a good solution ;)

I just did a quick diff on both jss-autopkg-addon and python-jss and I don't see anything that would indicate an obvious regression. In fact, the code is only slightly different!

So just taking a stab at googling around, there's this:

https://github.com/kennethreitz/requests/issues/557

which is the same error.

I did this:

[517][craigs-imac]:~/Developer/python-jss (testing)$ python
Python 2.7.7 (v2.7.7:f89216059edf, May 31 2014, 12:53:48) 
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import certifi
>>> certifi.where()
'/Library/Python/2.7/site-packages/certifi/cacert.pem'

Why that would have changed or be missing I couldn't tell you. But the first thing I would do would be to ensure that /Library/Python/2.7/site-packages/certifi/cacert.pem exists and is readable.

sheagcraig commented 9 years ago

I wonder if it's because I'm using easy_install and an egg to install python-jss. It looks like the certifi package isn't needed any more in requests. Maybe the egg is missing the cacert.pem that comes with requests?

eahrold commented 9 years ago

Yeah, I don't have a certifi module installed in the 2.7 site-package. I do have the cacert.pem in the contrib/requests and it is readable.

eahrold commented 9 years ago

And actually I retract that I was using 0.4.2, it may have been I hadn't updated the requests part of the python-jss, and was still working off my fork, with an older version of requests. I'll try and roll back to see if I can figure it out.

sheagcraig commented 9 years ago

I'm still trying to figure out how to check for the cacert.pem in requests, since it's all packaged up in an egg.

sheagcraig commented 9 years ago

Yep. I can make it fail with the missing certs error on a clean machine. I've explicitly included the cacert.pem in the setup.py file that creates the egg, but it's not working correctly, probably because requests expects it to be accessible through the filesystem...
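Added example, not part of the original thread and not python-jss code: a Python 3 check for the condition described in the comments above, where the CA bundle exists only as a member of a zipped egg and so has no filesystem path that OpenSSL can load. The function name, status strings and sample directory layout are assumptions made for illustration, and the PEM content is constructed.

```python
import os
import tempfile
import zipfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def diagnose_ca_bundle(path):
    """Return 'ok', 'inside_archive', 'missing', 'unreadable' or 'no_certificates'."""
    path = os.path.abspath(path)
    if os.path.isfile(path):
        try:
            with open(path, "rb") as handle:
                data = handle.read()
        except OSError:
            return "unreadable"
        return "ok" if PEM_MARKER in data else "no_certificates"
    # Not a plain file: look for an ancestor that is a zip archive (a zipped
    # egg) holding the bundle as a member, which cannot be opened by path.
    parent = os.path.dirname(path)
    while parent != os.path.dirname(parent):
        if os.path.isfile(parent) and zipfile.is_zipfile(parent):
            member = os.path.relpath(path, parent).replace(os.sep, "/")
            with zipfile.ZipFile(parent) as archive:
                found = member in archive.namelist()
            return "inside_archive" if found else "missing"
        parent = os.path.dirname(parent)
    return "missing"

def demo():
    """Build a zipped egg and an unzipped install from constructed sample data."""
    member = "jss/contrib/requests/cacert.pem"
    pem = PEM_MARKER + b"\nCONSTRUCTED-SAMPLE\n-----END CERTIFICATE-----\n"
    root = tempfile.mkdtemp()
    egg = os.path.join(root, "zipped", "python_jss-0.4.3-py2.7.egg")
    os.makedirs(os.path.dirname(egg))
    with zipfile.ZipFile(egg, "w") as archive:
        archive.writestr(member, pem)
    unzipped = os.path.join(root, "unzipped", "python_jss-0.4.3-py2.7.egg", member)
    os.makedirs(os.path.dirname(unzipped))
    with open(unzipped, "wb") as handle:
        handle.write(pem)
    return {
        "zipped": diagnose_ca_bundle(os.path.join(egg, member)),
        "unzipped": diagnose_ca_bundle(unzipped),
        "absent": diagnose_ca_bundle(os.path.join(root, "certifi", "cacert.pem")),
    }

if __name__ == "__main__":
    print(demo())
```

Running a check like this against the bundle path the HTTP library reports separates a packaging fault from a genuine trust failure, so certificate verification can stay enabled while the install is repaired.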

eahrold commented 9 years ago

And I had just pulled the python-jss changes from master, and not installed via the egg until earlier today, so that somewhat equates. In fact I had the git repo symlinked into the site-package, and it's probable that's what I was running off of.

sheagcraig commented 9 years ago

I uninstalled the python-jss egg and then reinstalled it unzipped a la

pip uninstall python-jss
easy_install -UZ python-jss

and then I don't get the above error.

Of course, then I get the sslv3 alert handshake failure.

eahrold commented 9 years ago

Jeez, can't win.

eahrold commented 9 years ago

Yep, that's working for me too, and now at 0.4.3.

sheagcraig commented 9 years ago

But... that was because I was trying on a JSS 9.6.1 server, which is probably the SSL being disabled issue #9

Indeed, it works fine connecting to a non-9.6.1 server.

So I'll make the change to the installer package and release a new version just so no one misses it.

And then we will hope that @ocoda comes up with a solution for the new requests.

sheagcraig commented 9 years ago

@eahrold Done. New installer up for the current release. See if it solves the issue for the AutoPkgr issue users. Don't have time to do another release this afternoon.

eahrold commented 9 years ago

@sheagcraig, thanks a bunch. It's working.

systemheld commented 9 years ago

Hey @sheagcraig! Well, the latest version of urllib3 (1.9.1) is from September 19th, while the fix to detect the correct SSL/TLS version is from October 30th (see: https://github.com/shazow/urllib3/commit/523860eba6e26ae88be78e7057db621d87869670). Yesterday a new version of requests (2.5: https://github.com/kennethreitz/requests/releases/tag/v2.5.0) was released which includes a snapshot version of urllib3 with the fix we need.

Looks like our problems self solved themselves :-)

sheagcraig commented 9 years ago

That's awesome. I'll put together new releases with that. It will solve some other issues and mistakes too.