mami-project / mplane-sdk

mPlane protocol software development kit

ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600) #23

Open elmiomar opened 7 years ago

elmiomar commented 7 years ago

I am trying to create a small mplane domain (client + supervisor + component) following instructions from doc/HOWTO.md.

After cloning the repository, I had to do some minor changes to run the experiment:

  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/component.py", line 375, in register_to_client
     logger.info("Component: registering my capabilities to "+self.registration_url)
  TypeError: Can't convert 'Url' object to str implicitly

After running the supervisor and the component, the supervisor keeps logging this warning:

WARNING:tornado.general:SSL Error on 11 ('127.0.0.1', 38956): [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:600)

Once I run the client, I get this error on the client side:

Traceback (most recent call last):
  File "scripts/mpcli", line 679, in <module>
    cs = ClientShell(config)
  File "scripts/mpcli", line 98, in __init__
    self.do_getcap(config["Client"]["Initiator"]["capability-url"])
  File "scripts/mpcli", line 144, in do_getcap
    self._client.retrieve_capabilities(url)
  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/client.py", line 579, in retrieve_capabilities
    identity = self._tls_state.extract_peer_identity(url)
  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/tls.py", line 152, in extract_peer_identity
    c.connect((url_or_req.host, url_or_req.port))
  File "/usr/lib/python3.4/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python3.4/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/usr/lib/python3.4/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

As a workaround, although it's insecure, I can bypass this error by setting cert_reqs=ssl.CERT_NONE in mplane/tls.py, but then I get the following error on the client side:

Traceback (most recent call last):
  File "scripts/mpcli", line 679, in <module>
    cs = ClientShell(config)
  File "scripts/mpcli", line 98, in __init__
    self.do_getcap(config["Client"]["Initiator"]["capability-url"])
  File "scripts/mpcli", line 144, in do_getcap
    self._client.retrieve_capabilities(url)
  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/client.py", line 579, in retrieve_capabilities
    identity = self._tls_state.extract_peer_identity(url)
  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/tls.py", line 161, in extract_peer_identity
    for elem in cert.get('subject'):
TypeError: 'NoneType' object is not iterable

Can someone help me troubleshoot the issue please? Thanks.

Using:

  • Ubuntu 14.04
  • Python 3.4.3
  • OpenSSL 1.0.1f 6 Jan 2014
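
Why the `cert_reqs=ssl.CERT_NONE` workaround leads to the second traceback above, as an added example that is not part of the original post and not code from mplane-sdk: with verification disabled, `SSLSocket.getpeercert()` returns an empty dict, so `cert.get('subject')` is `None`. The helper names `peer_identity` and `validity_problem` and the sample certificate are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape SSLSocket.getpeercert() returns for a
# validated certificate (names and dates are made up for this example).
SAMPLE_CERT = {
    "subject": ((("domainComponent", "example"),),
                (("commonName", "Supervisor-1"),)),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}


class PeerCertError(Exception):
    """No usable, validated peer certificate is available."""


def peer_identity(cert):
    """Return the subject commonName, failing closed on an unverified peer."""
    # getpeercert() gives None when the peer sent no certificate and {} when
    # one was received but not validated (cert_reqs=ssl.CERT_NONE).
    if not cert:
        raise PeerCertError("no validated peer certificate; identity unknown")
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    raise PeerCertError("certificate subject has no commonName")


def validity_problem(cert, now=None):
    """Return 'expired' / 'not yet valid', or None if `now` is in the window."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return None


if __name__ == "__main__":
    print(peer_identity(SAMPLE_CERT), validity_problem(SAMPLE_CERT))
    try:
        peer_identity({})  # what CERT_NONE hands to the identity code
    except PeerCertError as exc:
        print("rejected:", exc)
```

Checking `notAfter` on the certificates in use is a quick way to confirm the `CERTIFICATE_EXPIRED` alert before touching any verification settings.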

britram commented 7 years ago

In transit; may have a chance to reply in more depth on Wednesday. Two notes:

(1) supervisors basically need to be written from scratch for each application to be useful, since the important part of a supervisor is the logic to aggregate capabilities and results and to deaggregate specifications for aggregate results. The project insisted on building a null supervisor for demonstration purposes. Because of this, mpsup will be removed from the final websockets code, and replaced with directions on how to build supervisors out of your own code + client and component framework...

(2) the SSL code in azn.py and tls.py is very research grade and needs an overhaul... it does some fundamentally silly things with its certificates. In a real mPlane deployment, you'll need to bring your own PKI anyway.

The README needs an overhaul as well, and I apologize for not sticking a big warning on it; I didn't think anyone would use it outside the MAMI project until we did a release...it refers mainly to the old HTTP way of doing things.

Sent from my iPhone

On 27 Jan 2017, at 04:47, Omar Ilias EL MIMOUNI notifications@github.com wrote:

I am trying to create a small mplane domain (client + supervisor + component) following instructions from doc/HOWTO.md.

After cloning the repository, I had to do some minor changes to run the experiment:

  • in scripts/mpsup --config ./conf/supervisor.json, the supervisor config file should have a .json extension instead of .conf (same thing for component and client)
  • changed scripts/mpsup (line 45), to `config = mplane.utils.get_config(args.config)`
  • commented out this because of the following error:

  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/component.py", line 375, in register_to_client
     logger.info("Component: registering my capabilities to "+self.registration_url)
  TypeError: Can't convert 'Url' object to str implicitly

After running the supervisor and the component, the supervisor keeps logging this warning:

WARNING:tornado.general:SSL Error on 11 ('127.0.0.1', 38956): [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:600)

Once I run the client, I get this error on the client side:

Traceback (most recent call last):
  File "scripts/mpcli", line 679, in <module>
    cs = ClientShell(config)
  File "scripts/mpcli", line 98, in __init__
    self.do_getcap(config["Client"]["Initiator"]["capability-url"])
  File "scripts/mpcli", line 144, in do_getcap
    self._client.retrieve_capabilities(url)
  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/client.py", line 579, in retrieve_capabilities
    identity = self._tls_state.extract_peer_identity(url)
  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/tls.py", line 152, in extract_peer_identity
    c.connect((url_or_req.host, url_or_req.port))
  File "/usr/lib/python3.4/ssl.py", line 864, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python3.4/ssl.py", line 855, in _real_connect
    self.do_handshake()
  File "/usr/lib/python3.4/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

As a workaround, although it's insecure, I can bypass this error by setting cert_reqs=ssl.CERT_NONE in mplane/tls.py, but then I get the following error on the client side:

Traceback (most recent call last):
  File "scripts/mpcli", line 679, in <module>
    cs = ClientShell(config)
  File "scripts/mpcli", line 98, in __init__
    self.do_getcap(config["Client"]["Initiator"]["capability-url"])
  File "scripts/mpcli", line 144, in do_getcap
    self._client.retrieve_capabilities(url)
  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/client.py", line 579, in retrieve_capabilities
    identity = self._tls_state.extract_peer_identity(url)
  File "/usr/local/lib/python3.4/dist-packages/mplane_sdk-0.9.9-py3.4.egg/mplane/tls.py", line 161, in extract_peer_identity
    for elem in cert.get('subject'):
TypeError: 'NoneType' object is not iterable

Can someone help me troubleshoot the issue please? Thanks.

Using:

  • Ubuntu 14.04
  • Python 3.4.3
  • OpenSSL 1.0.1f 6 Jan 2014