search

pycontribs / jira

Python Jira library. Development chat available on https://matrix.to/#/#pycontribs:matrix.org
https://jira.readthedocs.io
BSD 2-Clause "Simplified" License
1.94k stars 859 forks source link

Fedora - use system certificates #1690

Open Sigurdur42 opened 1 year ago

Sigurdur42 commented 1 year ago

Bug summary

I am trying to connect to a Jira instance hosted here in the company. 

        jira_instance_location = 'https://jira.xxx.de'
        headers = JIRA.DEFAULT_OPTIONS["headers"].copy()
        options = {"headers": headers, "server": jira_instance_location, 'verify': './certnew.pem'}

        instance = JIRA(
            options=options,
            token_auth='my token',
            get_server_info=True)`

This works - but I have to provide my own pem file. As soon as I do not pass the verify option, I do get this error:

Max retries exceeded with url: /rest/api/2/serverInfo (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)

How can I configure the Jira module to use the system wide installed certificates?

Is there an existing issue for this?

Jira Instance type

Jira Server or Data Center (Self-hosted)

Jira instance version

8.20.11

jira-python version

main

Python Interpreter version

3.11

Which operating systems have you used?

Reproduction steps

jira_instance_location = 'jira instance on premise'

# this works
        headers = JIRA.DEFAULT_OPTIONS["headers"].copy()
        options = {"headers": headers, "server": jira_instance_location, 'verify': './certnew.pem'}

        instance = JIRA(
            options=options,
            token_auth='your token',
            get_server_info=True)
# this does not

        headers = JIRA.DEFAULT_OPTIONS["headers"].copy()
        options = {"headers": headers, "server": jira_instance_location}

        instance = JIRA(
            options=options,
            token_auth='your token',
            get_server_info=True)

Stack trace

WARNING:jira.resilientsession:Got recoverable error from GET https://jira.intern.plath.de/rest/api/2/serverInfo, will retry [1/3] in 6.118381824574084s. Err: HTTPSConnectionPool(host='xxx', port=443): Max retries exceeded with url: /rest/api/2/serverInfo (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)')))
Traceback (most recent call last):
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/playground.py", line 7, in <module>
    jira = JiraWrapper("")
           ^^^^^^^^^^^^^^^
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/src/JiraWrapper.py", line 7, in __init__
    self.jira = self.connect_to_server(token)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/src/JiraWrapper.py", line 17, in connect_to_server
    instance = JIRA(
               ^^^^^
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/lib64/python3.11/site-packages/jira/client.py", line 579, in __init__
    si = self.server_info()
         ^^^^^^^^^^^^^^^^^^
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/lib64/python3.11/site-packages/jira/client.py", line 3119, in server_info
    j = self._get_json("serverInfo")
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/lib64/python3.11/site-packages/jira/client.py", line 3831, in _get_json
    r = self._session.get(url, params=params)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/lib64/python3.11/site-packages/requests/sessions.py", line 602, in get
    return self.request("GET", url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/lib64/python3.11/site-packages/jira/resilientsession.py", line 236, in request
    if is_allowed_to_retry() and self.__recoverable(
                                 ^^^^^^^^^^^^^^^^^^^
  File "/home/mwagner/dev/TeamLeadTools/TicketMagic/lib64/python3.11/site-packages/jira/resilientsession.py", line 355, in __recoverable
    time.sleep(delay)
KeyboardInterrupt

Expected behaviour

The module shall use the Fedora certificates as installed on the machine.

Additional Context

No response

adehad commented 1 year ago

Hi @Sigurdur42, thanks for this report. I believe this is a Fedora specific case, similar to what is described here: https://sferich888.blogspot.com/2018/04/ca-certificates-and-python-requests.html

In summary there is a package used by the requests module, called certifi which looks in a location different from the default in Fedora.

Unfortunately it is beyond the scope of this library to specifically address this issue, but if you do have any advice for any future users feel free to document that with this issue.