robertoszek / pleroma-bot

Bot for mirroring one or multiple Twitter accounts in Pleroma/Mastodon/Misskey.
https://robertoszek.github.io/pleroma-bot
MIT License
103 stars 19 forks

SSLError - Option to skip checking/Max retries? #113

Open dawnerd opened 1 year ago

dawnerd commented 1 year ago

I seem to get this sometimes and I'm wondering what could be done to prevent it. Could it be as simple as just ignoring SSL? Or maybe increasing retries? Seems to happen when the site is under load but I haven't seen any SSL issues using the site at the same time myself.

Traceback (most recent call last):
  File "/home/troy/.local/lib/python3.10/site-packages/pleroma_bot/cli.py", line 580, in main
    date_fedi = user.get_date_last_post()
  File "/home/troy/.local/lib/python3.10/site-packages/pleroma_bot/_utils.py", line 811, in get_date_last_post
    date = self.get_date_last_pleroma_post()
  File "/home/troy/.local/lib/python3.10/site-packages/pleroma_bot/_pleroma.py", line 84, in get_date_last_pleroma_post
    response = pleroma_api_request(
  File "/home/troy/.local/lib/python3.10/site-packages/pleroma_bot/_pleroma.py", line 29, in pleroma_api_request
    response = requests.request(
  File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='opencoaster.net', port=443): Max retries exceeded with url: /api/v1/accounts/109442566839409369/statuses (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:997)')))

robertoszek commented 1 year ago

Hi! Right, perhaps increasing the timeout or the retries would help alleviate this issue when the target instance is under heavy load.

I've done that on 1.2.1rc7:

pip install -i https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple pleroma-bot==1.2.1rc7

Feel free to try it out and report back if it still happens too often or if at all.

dawnerd commented 1 year ago

Still happening, maybe not as often. Perhaps skip the /.well-known/nodeinfo check if software is manually set in the config, that could reduce the number of requests - or cache it. I'm still trying to dig in on my side too to see if there's something weird going on with nginx, my uptime monitor hasn't reported anything yet.

robertoszek commented 1 year ago

Hmmm, I'll try to look into it more deeply on the bot side too. Minimizing requests by skipping /.well-known/nodeinfo when the software is manually set is a good suggestion, however I see the endpoint that failed on the log you provided was:

/api/v1/accounts/109442566839409369/statuses 

So perhaps the endpoint is not related to the issue and wouldn't help that much, hard to say. I'll implement the skip nonetheless.

I've also seen some people experiencing SSLZeroReturnError with newer versions of Python:

https://stackoverflow.com/questions/72468213/sslzeroreturnerror-error-only-in-python-3-10
https://stackoverflow.com/questions/73788910/https-request-slow-caused-by-ssl-certificate

Perhaps it's worth a shot checking which ones you have installed:

$ python3 --version
$ pip freeze -l | grep urllib
$ python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"

Also, you could check how fast/slow the handshake is by running:

$ openssl s_client -connect opencoaster.net:443 -servername opencoaster.net

I was getting some intermittent errors (but perhaps it was just you restarting nginx)

CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

dawnerd commented 1 year ago

Oh yeah, you’re right, getting the bad request when running that openssl cmd too. I did just update Ubuntu/Python but if it’s returning a 504 that’s a me issue.

Ps: what’s your preferred sponsorship method?

robertoszek commented 1 year ago

Sure, I'll keep investigating on my side but do let me know if you happen to find something on yours.

> Ps: what’s your preferred sponsorship method?

I really don't have a preference, Liberapay is usually the fastest but I really don't mind if any of the ones listed here is used (PayPal, Ko-Fi, etc.): https://robertoszek.github.io/pleroma-bot/contribute/contributing/#funding
Or even GitHub Sponsors: https://github.com/sponsors/robertoszek

I list so many options mostly for trying to be accommodating for those who want to sponsor, as not all of them are available in all countries, currencies, etc.

dawnerd commented 1 year ago

I've had pretty good success not with the retries and some server tuning. I upped the number of connections in nginx. The script will still retry but it usually succeeds on the second or third attempt.
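
Added example (not pleroma-bot's code and not from any participant in this thread): a retry wrapper that backs off on the transient TLS close seen in the traceback (`SSLZeroReturnError`) while leaving certificate verification on and never retrying a verification failure. The names `unwrap`, `classify` and `call_with_retry`, and the attempt and delay values, are assumptions made for illustration.

```python
import ssl
import time

# Transient transport failures: the peer closed or reset the connection.
TRANSIENT = (ssl.SSLZeroReturnError, ssl.SSLEOFError,
             ConnectionResetError, TimeoutError)
# Authentication failures: retrying or disabling verification hides a real problem.
FATAL = (ssl.SSLCertVerificationError,)


def unwrap(exc):
    """Yield exc and every exception nested in it.

    HTTP libraries wrap the ssl error (the traceback shows
    SSLError(SSLZeroReturnError(...))), so walk cause, context, .reason and args.
    """
    seen, stack = set(), [exc]
    while stack:
        e = stack.pop()
        if not isinstance(e, BaseException) or id(e) in seen:
            continue
        seen.add(id(e))
        yield e
        stack.extend([e.__cause__, e.__context__,
                      getattr(e, "reason", None), *e.args])


def classify(exc):
    """Return 'fatal', 'transient' or 'unknown' for a possibly wrapped error."""
    chain = list(unwrap(exc))
    if any(isinstance(e, FATAL) for e in chain):
        return "fatal"
    if any(isinstance(e, TRANSIENT) for e in chain):
        return "transient"
    return "unknown"


def call_with_retry(fn, attempts=4, base_delay=0.5, sleep=time.sleep):
    """Call fn(); retry only transient errors, with exponential backoff."""
    for attempt in range(1, attempts + 1):
        try:
            return fn()
        except Exception as exc:
            if classify(exc) != "transient" or attempt == attempts:
                raise
            sleep(base_delay * 2 ** (attempt - 1))
```

Wrapping the HTTP call in `call_with_retry(lambda: ...)` keeps verification enabled; a certificate error surfaces on the first attempt instead of being masked by retries.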