Open desrod opened 3 years ago
@desrod Thanks for the report. Can you provide a little information as to your environment (what OS, Python version and unificontrol version)? If you can provide info about the version of software on your UDM Pro that would also be helpful; Ubiquiti have been making a lot of changes recently so it's a bit of a moving target.
Sure can! I've been chasing down some very weird issues with my UDMP, which is what led me to find this project.
1.9.3
6.1.71
3.8.5
(in a venv, as above)https://github.com/nickovs/unificontrol.git@6d02ae8fc3d8f536b51c45b2b42dbbadbda249e7#egg=unificontrol
The entire test script is:
#!/usr/bin/env python3
import logging
logging.basicConfig(level=logging.DEBUG)
import unificontrol
import ssl
cert = ssl.get_server_certificate(("unifi.local", 8443))
client = unificontrol.UnifiClient(host="unifi.local",
port='443',
username='me',
password="SuperSecretPassword",
site='default',
cert=cert)
client.login()
I started with the IP statically defined, that didn't work, so I added an entry to /etc/hosts
to match the name in the self-signed cert itself. Same results either way.
Hello, I am running into same problem. Did anyone else find a solution or work-around?
Hello, same here, tried different things and nothing worked. I have my own CA, root and unifi certs both generated by CA, whatever I tried to provide root or unifi cert I have the same error: '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))
For me this failed because the certificate is expired. According to the web browser, it is signed by Ubiquiti Networks Inc.
but expired already in 2011!
Because of this I always got this error: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)
.
The only workaround I found was to patch unifi.py and add a verify=False
on resp = ses.send(ses.prepare_request(request), verify=False)
.
To suppress the warnings I also added following to my main script:
import requests
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
Despite what the
`ssl_self_signed.rst
document states, pinning does not work at all for the initial login. You can create the client object, but you can't use it to query the API of the UDMP at all.This includes port 443 and 8443. The self-signed certificate is queried correctly and passed back in the request, but since the Python 'requests' library can't validate the SSL certificate, it fails with the below (common) SSL verify error:
Other than procuring an officially-signed, upstream SSL certificate that the standard host certificate chain will trust, this will not work. I did add the certificate directly from the controller to
/usr/local/share/ca-certificates/
and refreshed the cert chain, still no success.Is there a plan to support
verify=False
in the constructor, so this will work for those of us without an upstream SSL cert configured on our controllers?