Certificate verify failed

[ghost]

Hello,

We already reported this, one weak ago, in Telegram to @wdavidturner , but the problem still persists. There is something wrong with the SSL certtificate. We can only timestamp with verify=False

r = requests.post(self.url, headers=self.headers, data=json.dumps(work), verify=False)

SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

[WesleyCharlesBlake]

Thanks for reporting this.

Upon inspection of the certificates, they are still valid and only expire on 18 March 2020.

Can you please provide the certificate information that you are receiving in your requests as this will help us identify the issue.

Can you also verify that your systems time/date is correct as this can cause issues with verifying certificates.

We utilize let's encrypt CAs and renew our certificates well within the expiry of each certificate.

Further more, your system may be caching old certificates, so please ensure a refresh on the api.poetnetwork.net domain and ensure you are viewing the latest certificate.

[WesleyCharlesBlake]

You can see the certificate is still valid.

Any more information on your side would be a great help

[ghost]

    Data:
        Version: 3 (0x2)
        Serial Number:
            03:f1:84:f5:9f:f8:86:24:12:8b:4e:59:44:f6:54:5d:c6:73
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Oct 20 08:30:07 2019 GMT
            Not After : Jan 18 08:30:07 2020 GMT
        Subject: CN = *.poetnetwork.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:be:90:b8:9f:8c:86:99:d6:d1:f7:0e:d3:32:cd:
                    ee:fa:95:fa:7b:da:68:b9:8d:fe:5f:57:6f:b2:67:
                    41:85:7e:e7:f5:c3:24:e1:7c:9e:a2:d1:c7:cc:d4:
                    76:7a:bc:f0:ee:17:ca:60:5e:1e:f7:0d:9e:b8:1c:
                    f4:2e:cd:3c:48:66:3d:94:bd:1a:07:ea:29:de:26:
                    f7:12:cb:d0:ba:3f:7c:7b:0e:5a:d2:cf:27:36:76:
                    36:36:65:5a:41:05:93:24:66:48:6a:f6:8f:66:0a:
                    7a:de:7a:3e:15:c3:1f:2f:16:48:a7:37:e1:a0:c9:
                    f0:ea:4e:0c:6c:30:d7:02:1c:eb:22:b5:af:a1:8b:
                    19:2d:d2:e9:2c:65:a4:1a:92:2e:58:3d:23:4d:fd:
                    a0:0e:b9:a6:6f:ff:1c:93:16:ee:27:14:43:16:cf:
                    0b:b3:dd:4d:8b:cf:94:e2:66:af:24:06:aa:08:55:
                    8f:48:b7:0a:7d:d7:c1:d0:e8:4a:d8:3d:0d:53:33:
                    b5:af:e0:8c:80:ed:2a:c9:12:2f:74:59:0f:9b:f5:
                    6e:31:09:7c:cf:ac:89:cc:82:4c:19:7a:e6:45:37:
                    31:79:6b:eb:39:b7:ac:c3:6a:f2:a1:e6:d1:2b:90:
                    b5:db:01:b0:e7:1a:f6:e9:bb:a6:10:72:02:da:38:
                    f1:5d:d5:05:a4:c4:3d:81:31:e6:9d:a9:83:6e:db:
                    f6:aa:19:4f:8b:26:6f:19:ae:85:cc:28:da:1b:75:
                    43:03:3b:4d:fb:bd:1d:45:9c:27:78:1d:2f:89:4e:
                    ec:e6:4c:cc:6b:23:8e:c3:40:de:7c:37:30:5d:91:
                    98:25:97:fc:bd:d5:02:de:6c:90:0d:e9:8d:b7:54:
                    14:92:e8:40:c3:3c:c3:cf:0a:e0:97:82:c9:50:37:
                    77:ee:d9:8c:5b:da:b6:94:d2:ca:b3:f0:c2:3a:10:
                    94:ca:9e:7d:bc:91:ee:0e:5c:a9:44:f5:c9:0a:a6:
                    85:57:5d:1c:a2:ab:00:70:23:81:44:20:e6:b9:ea:
                    b0:b7:0b:d3:1a:21:5c:37:db:90:bf:6f:bb:69:49:
                    c1:a0:39:e0:34:de:41:8a:97:8f:ce:a2:b5:01:48:
                    89:48:c9:b3:17:24:20:e2:db:c8:db:cd:9f:77:97:
                    35:b2:45:0a:53:58:e3:ac:b3:31:03:1d:4d:a4:4a:
                    0e:30:ae:1b:8c:2d:46:33:c4:54:e5:d4:c9:c0:d4:
                    c0:6f:5b:6d:55:19:a5:52:45:9e:66:ee:ef:11:80:
                    f0:33:39:98:d3:48:8e:97:63:00:08:c4:a7:28:fc:
                    99:ae:ab:8e:b6:29:bd:b4:5f:2e:45:c6:56:5e:f3:
                    26:0e:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                F6:82:13:0F:1D:EA:B4:DE:D6:45:A3:76:5F:87:2C:25:DA:E5:2C:10
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:*.poetnetwork.net
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                                7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                    Timestamp : Oct 20 09:30:07.763 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:A5:D8:A7:D1:28:D5:65:B2:47:62:E5:
                                EA:FE:D1:37:A0:1E:78:D9:6D:FF:55:48:08:75:56:14:
                                AC:2E:8E:A9:0E:02:20:4A:24:BF:65:58:45:94:5A:AF:
                                EC:69:38:6C:42:FF:A5:E8:05:10:98:CE:A9:4B:ED:CE:
                                B3:26:87:08:8B:22:A3
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Oct 20 09:30:07.755 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:30:49:F6:02:1D:58:21:AA:5B:62:5B:85:
                                51:EA:4E:8F:66:F6:D0:87:D6:9C:43:AE:E9:6B:5D:0E:
                                DF:4F:04:66:02:21:00:F8:51:82:1C:E0:9B:89:49:B2:
                                8C:4F:7D:57:03:7F:FD:E6:51:A9:B1:4E:03:C5:71:8A:
                                8A:41:15:52:7D:0D:21
    Signature Algorithm: sha256WithRSAEncryption
         27:73:0c:92:66:d2:e9:d5:84:b0:3d:e0:a8:34:01:24:45:9b:
         07:76:15:97:15:b7:ed:87:a9:86:97:80:ef:e4:89:83:ce:cc:
         50:db:79:9c:62:76:66:c6:24:f2:be:05:63:37:fd:a5:66:66:
         50:bc:6c:85:1c:83:27:5c:00:ea:d4:f5:00:ef:13:2a:71:d5:
         5d:7d:eb:4c:4a:57:47:90:8c:bc:16:a0:f5:c2:fa:fc:36:6b:
         a3:a5:2f:6d:7e:7b:85:d4:cc:25:fc:85:eb:5e:62:88:59:68:
         4b:9e:d1:7d:7e:36:0d:5b:b4:b9:35:61:26:04:55:8c:22:38:
         f1:c0:63:f9:59:a7:b4:6c:2d:88:27:9c:01:bd:1e:5c:3a:91:
         b5:67:19:c6:66:12:f5:1e:0b:6b:e3:ff:2f:4c:ea:a7:b5:09:
         71:ef:c4:00:c9:e6:52:56:f7:d3:db:73:b3:01:6a:00:ec:94:
         5d:6a:bd:ae:e0:a3:2a:44:dd:10:b6:26:36:46:b2:5d:47:1e:
         f8:9a:f1:a4:a7:e9:39:7b:cb:a5:bc:57:6e:8b:67:f5:28:75:
         3f:c2:3f:a5:a7:9b:45:4a:0c:26:58:40:ba:ef:f3:2b:bf:9c:
         6c:c6:be:42:5a:df:d4:5c:97:35:f6:d0:d8:e1:e0:07:09:59:
         4f:e8:02:c5

Please note: Not After : Jan 18 08:30:07 2020 GMT

[ghost]

@WesleyCharlesBlake, as you can see, I have tried three times and only the last one worked. Maybe a Load balancer with multiples VMs and sometimes I hit some VM without the correct certificate?

The date / time is correct.

import requests
req = requests.get('https://api.poetnetwork.net/works')

---

I don't know exactly how to do that:

Further more, your system may be caching old certificates, so please ensure a refresh on the api.poetnetwork.net domain and ensure you are viewing the latest certificate.

[WesleyCharlesBlake]

Hey @teamlyzer , I have managed to finally track down the old certificate.

Indeed one of the ingress pods had an issue and was holding onto the certificate that had expired in Jan 18.

I have resovled this. Can you please let me know if you still experience issues with tls verify.

[ghost]

@WesleyCharlesBlake It seems good now. Thanks