Using httpsviya and SSL cert verification failed error

[mibret]

We have a customer configuration with a SAS Viya 3.5 environment where it is configured with https/tls. I can make a successful remote shown below, but get the SSL cert error.

$ /apps/anaconda/bin/python Python 3.6.5 |Anaconda, Inc.| (default, Apr 29 2018, 16:14:56) [GCC 7.2.0] on linux Type "help", "copyright", "credits" or "license" for more information.

import saspy sas = saspy.SASsession(cfgname='httpsviya') Please enter userid: xxxxxxx Please enter password: SSL certificate verification failed, creating an unverified SSL connection. Error was:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833) You can set 'verify=False' to get rid of this message SAS server started using Context SAS Studio compute context with SESSION_ID=8e82fd8b-bb49-469b-bb41-4d9fa5aebf2a-ses0000 quit();

In looking at the Python docs, it appears I need to add CA root cert and possibly intermediates to the Python cacert.pem. Python shows this default location

Python 3.6.5 |Anaconda, Inc.| (default, Apr 29 2018, 16:14:56) [GCC 7.2.0] on linux Type "help", "copyright", "credits" or "license" for more information.

import certifi certifi.where() '/apps/anaconda/lib/python3.6/site-packages/certifi/cacert.pem'

or

$ /apps/anaconda/bin/python -m certifi /apps/anaconda/lib/python3.6/site-packages/certifi/cacert.pem

I added the CA root and SAS Viya server cert (customer's chain) to the cacert.pem in the above path and still get the SSL error. I am trying to understand what I am missing in the setup? Also, I was trying to see if I can set a python env var / python startup / config file to change the default location to another path for this cacert? I am thinking if the python packages get upgraded, the updated cacert version could be overwritten loosing the custom certs added.
Is that even possible?

[tomweber-sas]

Hey @mibret, so it starts:) Sorry, you're the first down this path. So, SSL (TLS) and certificates is an issue only with the HTTP access method. To stat with, saspy has nothing to do with it; it's the HTTPS protocol itself that looks for certificates, wherever it looks (I expect the doc you followed was appropriate), and then tries to verify (by default) the certificate with a CA agency. The certificate provided by Viya, isn't a certificate purchased from a 3-rd party CA agency, so it is not 'verifiable' via those agencies. It IS a valid SSL certificate which means that your HTTPS connection is secure. It's just not a paid for certificate from a CA agency, such that they would 'verify' it's one of theirs (paid for). which has no bearing on it being used and being secure.

So, I (saspy) do default to requesting a verified SSL connection (would have avoided all this, but I wanted to be most secure by default, then back down), and that's where this message comes from, as the Viya cert isn't verifiable. So, I catch that and retry the SSL connection without trying to verify (still TLS!), else this would never work for anyone out of the box. If the Cert wasn't valid to be used for SSL, that would fail, but it is, just not verifiable (paid for from a CA), so it still all works as expected; secure.

You can disable the message, using the supplied Viya certificate, be setting verify:False in you config (then I just get a secure connection w/out attempting to 'verify'). Or you can put a verifiable, purchased Certificate in the search path for HTTPS, and, I guess on the Viya side too; I'm not the expert in this certificate stuff, but I would expect it needs to be on both client and server sides, then it would be verified and still work the same anyway, just without the message.

Does any of that make sense? Hope so. If you have a certificate you can use instead of the provided Viya one, and it can be verifiable, just swap that one in. Else, use the Viya one, and set verify : False and you still have valid secure SSL/TLS interface, but don't get the message about it not being verifiable (cuz it's not; yet still valid).

I can track down someone here with more expertise on this if needed. This is my limited understanding so far. We've run into this here too, with testing, and it's not the most clear and obvious thing even still. It does work as expected, either way, so it's good as far as that goes. It's just a confusing thing when the default Cert isn't a purchased one. And again, I could have ignored it and logged no message, but I want to be the most restrictive by default, which means I'll be getting a lot of these issue once people start trying to connect to Viya.

Thanks, Tom

[mibret]

Hi Tom

Thanks for the info. To clarify your reference “The certificate provided by Viya”. That is the Viya vault certificate in /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts– correct?

In order to deploy to production, I have to review this configuration with the customer’s security office. The SSL error will raise a flag and just setting verify to off will not be sufficient. I will need to show the configuration/setup in use. I can show evidence on the SAS Viya server the https/tls setup but is there some additional logging I can turn on as part of the saspy httpsviya connection that will show more detail as its connection being https etc to show its secure?

Thx in advance.

M

From: Tom Weber notifications@github.com Sent: Monday, November 23, 2020 2:21 PM To: sassoftware/saspy saspy@noreply.github.com Cc: Michael Bretz Michael.Bretz@sas.com; Mention mention@noreply.github.com Subject: Re: [sassoftware/saspy] Using httpsviya and SSL cert verification failed error (#344)

EXTERNAL

Hey @mibrethttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmibret&data=04%7C01%7Cmichael.bretz%40sas.com%7C2b6c13cc84f3416d51ee08d88fe4d956%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637417560371198488%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6LgRflsJf3fjYvVJvKnpu6sX%2ByCzIf3Jmbv19fkjgow%3D&reserved=0, so it starts:) Sorry, you're the first down this path. So, SSL (TLS) and certificates is an issue only with the HTTP access method. To stat with, saspy has nothing to do with it; it's the HTTPS protocol itself that looks for certificates, wherever it looks (I expect the doc you followed was appropriate), and then tries to verify (by default) the certificate with a CA agency. The certificate provided by Viya, isn't a certificate purchased from a 3-rd party CA agency, so it is not 'verifiable' via those agencies. It IS a valid SSL certificate which means that your HTTPS connection is secure. It's just not a paid for certificate from a CA agency, such that they would 'verify' it's one of theirs (paid for). which has no bearing on it being used and being secure.

So, I (saspy) do default to requesting a verified SSL connection (would have avoided all this, but I wanted to be most secure by default, then back down), and that's where this message comes from, as the Viya cert isn't verifiable. So, I catch that and retry the SSL connection without trying to verify (still TLS!), else this would never work for anyone out of the box. If the Cert wasn't valid to be used for SSL, that would fail, but it is, just not verifiable (paid for from a CA), so it still all works as expected; secure.

You can disable the message, using the supplied Viya certificate, be setting verify:False in you config (then I just get a secure connection w/out attempting to 'verify'). Or you can put a verifiable, purchased Certificate in the search path for HTTPS, and, I guess on the Viya side too; I'm not the expert in this certificate stuff, but I would expect it needs to be on both client and server sides, then it would be verified and still work the same anyway, just without the message.

Does any of that make sense? Hope so. If you have a certificate you can use instead of the provided Viya one, and it can be verifiable, just swap that one in. Else, use the Viya one, and set verify : False and you still have valid secure SSL/TLS interface, but don't get the message about it not being verifiable (cuz it's not; yet still valid).

I can track down someone here with more expertise on this if needed. This is my limited understanding so far. We've run into this here too, with testing, and it's not the most clear and obvious thing even still. It does work as expected, either way, so it's good as far as that goes. It's just a confusing thing when the default Cert isn't a purchased one. And again, I could have ignored it and logged no message, but I want to be the most restrictive by default, which means I'll be getting a lot of these issue once people start trying to connect to Viya.

Thanks, Tom

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsassoftware%2Fsaspy%2Fissues%2F344%23issuecomment-732371891&data=04%7C01%7Cmichael.bretz%40sas.com%7C2b6c13cc84f3416d51ee08d88fe4d956%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637417560371208480%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=gZsgmQRWURijan%2BVzv9kKeAs5XTzSM4r4tl62yVx4Dw%3D&reserved=0, or unsubscribehttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FANJKDFRVT2MUINU7HOXK3ULSRKYX7ANCNFSM4T7XO7IA&data=04%7C01%7Cmichael.bretz%40sas.com%7C2b6c13cc84f3416d51ee08d88fe4d956%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637417560371208480%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=MV66cjhIT7mylXyicjmIBtdxzZeG9Bd%2FcyOOj2AZ30M%3D&reserved=0.

[tomweber-sas]

Hey @mibret, I understand your constraints. I have to believe that the cert you're asking about is the one I'm talking about, but I can't say that's a fact, as I just don't work on viya and that stuff to be able to swear to it. Let me get up with some folks here who do know that part of it and can verify (no pun intended :) ) what you are asking. I believe that's all the case, but that doesn't prove anything, I know. Tom

[tomweber-sas]

I found someone here (some folks are off this week), who knows this way better than I do. Will be updating this is a bit with his response. The short answer is that this is still all secure, but I know that's not an answer for security folks. Hopefully, they will actually know this better than I and understand that it is ok :)

But, more to come ...

[tomweber-sas]

@mibret, Here's the info I received from one of our folks here. Some more questions to narrow things down, and perhaps an answer that may address this (SSL_CERT_FILE environment variable for the client side) Python appears to honor that.

General guidance
----------------
One good customer facing document that we provide is this one:

Encryption in SAS® Viya® 3.5: Data in Motion
https://go.documentation.sas.com/api/docsets/calencryptmotion/3.5/content/calencryptmotion.pdf
Mibret, would recommend that you review that document if you have not yet seen it.

Regarding the certificate being used by the Apache httpd process in Viya
------------------------------------------------------------------------
Mibret, here are some questions for you that might help us to guide you further.

1.  What certificate is being used by the Apache httpd process in Viya?
2.  Have you configured the Apache httpd process in Viya to use a custom certificate?
    ..or..
    Is the Apache httpd process in Viya using the default OOTB certificate that Viya created?
3.  Has the certificate on the server side (that is, the certificate being used by Apache) expired?
    If the certificate has expired, please refer to
    "Update SAS Viya Default Self-Signed Certificate to Extend the Expiration Date" within that same doc:  
    https://go.documentation.sas.com/api/docsets/calencryptmotion/3.5/content/calencryptmotion.pdf

Additional thoughts
-------------------
1.  On your client, you can try to export SSL_CERT_FILE=/path/to/customer.pem before running your Python code.

[mibret]

See information below.

Customer server certs are used. Apached httpd installed with mod ssl and server cert and key where configured in Apache httpd before Viya deployment so server cert is configured up front as outlined in the Viya deployment guide. The customer server certificate is valid for 3 years and does not expire until 4/2022.

I have been testing use of SSL_CERT_FILE linux environment variable. Note the results below.

If I take the cacert.pem from the default location of python in ../python3.6/site-packages/certify/cacert.pem and copy a version to my home directory. I append the customer’s CA root cert to this file. I masked the server and userid info in the test below.

user001@ ~]$ echo $SSL_CERT_FILE /home/b/user001/cacert.pem [user001@ ~]$ /apps/anaconda/bin/python Python 3.6.5 |Anaconda, Inc.| (default, Apr 29 2018, 16:14:56) [GCC 7.2.0] on linux Type "help", "copyright", "credits" or "license" for more information.

import os print(os.environ['SSL_CERT_FILE']) /home/b/user001/cacert.pem import saspy sas = saspy.SASsession(cfgname='httpsviya') Please enter userid: user001 Please enter password: SAS server started using Context SAS Studio compute context with SESSION_ID=68e4178e-4f49-4b58-900e-49453ce46397-ses0000

Note that I no longer get the SSL error. Based on this I have some follow up questions.

1. In the code above to use the linux env var, I need to do the import os.

2. Yesterday in testing the default location of the python cacert is

import certify

certify.where()

‘/apps/anaconda/lib/python3.6/site-packages/certifi/cacert.pem’

I had the system admin append the customer’s CA root cert to this …/certifi/cacert.pem file. Since this is the default location, I expected the python session to use this updated cert but it does not and issues the SSL Cert error.

So for the SSL_FILE_CERT option I have to issue an import os to make the environment variable available. I suspect even though I placed the customer’s CA root in the default path above, it’s not used in the python session. I suspect I have to use some module to use it.

Is there a way to force in either option to use the cacert.pem with the customer’s CA root without a user having to set it within the python code?

Thx

From: Tom Weber notifications@github.com Sent: Monday, November 23, 2020 4:47 PM To: sassoftware/saspy saspy@noreply.github.com Cc: Michael Bretz Michael.Bretz@sas.com; Mention mention@noreply.github.com Subject: Re: [sassoftware/saspy] Using httpsviya and SSL cert verification failed error (#344)

EXTERNAL

@mibrethttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmibret&data=04%7C01%7Cmichael.bretz%40sas.com%7C99db8fc44278491581b008d88ff94cb3%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637417648178813765%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=dMSCV1e79wzgI9ReAUd%2FyXkxwN9x8lN7wrqOEY%2B8oSI%3D&reserved=0, Here's the info I received from one of our folks here. Some more questions to narrow things down, and perhaps an answer that may address this (SSL_CERT_FILE environment variable for the client side) Python appears to honor that.

General guidance

---

One good customer facing document that we provide is this one:

Encryption in SAS® Viya® 3.5: Data in Motion

https://go.documentation.sas.com/api/docsets/calencryptmotion/3.5/content/calencryptmotion.pdf

Mibret, would recommend that you review that document if you have not yet seen it.

Regarding the certificate being used by the Apache httpd process in Viya

---

Mibret, here are some questions for you that might help us to guide you further.

1. What certificate is being used by the Apache httpd process in Viya?

2. Have you configured the Apache httpd process in Viya to use a custom certificate?

   ..or..

   Is the Apache httpd process in Viya using the default OOTB certificate that Viya created?

3. Has the certificate on the server side (that is, the certificate being used by Apache) expired?

   If the certificate has expired, please refer to

   "Update SAS Viya Default Self-Signed Certificate to Extend the Expiration Date" within that same doc:

   https://go.documentation.sas.com/api/docsets/calencryptmotion/3.5/content/calencryptmotion.pdf

Additional thoughts

---

1. On your client, you can try to export SSL_CERT_FILE=/path/to/customer.pem before running your Python code.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsassoftware%2Fsaspy%2Fissues%2F344%23issuecomment-732445167&data=04%7C01%7Cmichael.bretz%40sas.com%7C99db8fc44278491581b008d88ff94cb3%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637417648178823757%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=zkl528dZ6ntwFhTPiT887uPNI9tpFJJuXxlkPrmR8JU%3D&reserved=0, or unsubscribehttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FANJKDFQFOYUIQV6HTO3NJVDSRLJ47ANCNFSM4T7XO7IA&data=04%7C01%7Cmichael.bretz%40sas.com%7C99db8fc44278491581b008d88ff94cb3%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637417648178833750%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=b4p%2F8jysliCEaHk5MEcbyT%2FRWCi%2FS5FXcCGYcFrpyw4%3D&reserved=0.

[tomweber-sas]

Hey @mibret that's good that it works as it should, using those instructions. We were able to reproduce and do the same thing here:

Yes. The approach above is a supported approach. It's documented in the PDF file: 
https://go.documentation.sas.com/api/docsets/calencryptmotion/3.5/content/calencryptmotion.pdf
See the Configure SAS 9.4 Clients to Work with SAS Viya section.
1.  Get the trustedcerts.pem from the Viya system. 
2.  Put that trustedcerts.pem file on your client. 
3.  export SSL_CERT_FILE to point to it # if you need to (sometimes it just works without doing this step) 
4.  Run/use/program-against saspy

scp viyahost:/opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem /tmp/trustedcerts-from-viya-deployment.pem
export SSL_CERT_FILE=/tmp/trustedcerts-from-viya-deployment.pem

However, I don't know what search path, which piece of software that actually uses these certs follows. Seems it can vary, and it can be the ssl libraries of the OS, as opposed to python itself. I just don't know. I strace'ed my python process and it looked in this directory (and didn't find the cert): /etc/pki/tls/cert.pem as I haven't done anything special in my environment. Then I set the SSL_CERT_FILE env var and reran and that file was then the one being used, and it verified as expected (after copying the viya cert there, of course).

So, if on your system, you find the path that is actually being used, then I suspect you can put it there and then not need to set the SSL_CERT_FILE variable. I did that w/ /etc/pki/tls/cert.pem, and unset the SSL_CERT_FILE var and it then picked it up from there and verified. So, it's really a matter of wherever the ssl libraries on your system look for the file.

Tom

[mibret]

Hi,

Yep. In testing my assumption was the default cacert.pem location was based on what /apps/anaconda/bin/python -m certifi and

import certify certify.where() Returned which was /apps/anaconda/lib/python3.6/site-packages/certify/cacert.pem which is incorrect.

Using

import ssl print (ssl.get_default_verify_paths())

Returns the location of /apps/anaconda/ssl/certs folder. Once I had the system admin place an updated cacerts.pem containing the customer’s root cert, my httpsviya connection runs with no SSL error.

Thanks for your assistance.

M From: Tom Weber notifications@github.com Sent: Tuesday, November 24, 2020 12:11 PM To: sassoftware/saspy saspy@noreply.github.com Cc: Michael Bretz Michael.Bretz@sas.com; Mention mention@noreply.github.com Subject: Re: [sassoftware/saspy] Using httpsviya and SSL cert verification failed error (#344)

EXTERNAL

Hey @mibrethttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmibret&data=04%7C01%7Cmichael.bretz%40sas.com%7C03e0c11f2edd4431613808d8909bf7fa%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637418346863379804%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=S2eWbeSks8%2F%2FWHC9pi3oHLlCr6EL%2F77RuyGCKy2YDos%3D&reserved=0 that's good that it works as it should, using those instructions. We were able to reproduce and do the same thing here:

Yes. The approach above is a supported approach. It's documented in the PDF file:

https://go.documentation.sas.com/api/docsets/calencryptmotion/3.5/content/calencryptmotion.pdf

See the Configure SAS 9.4 Clients to Work with SAS Viya section.

1. Get the trustedcerts.pem from the Viya system.

2. Put that trustedcerts.pem file on your client.

3. export SSL_CERT_FILE to point to it # if you need to (sometimes it just works without doing this step)

4. Run/use/program-against saspy

scp viyahost:/opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem /tmp/trustedcerts-from-viya-deployment.pem

export SSL_CERT_FILE=/tmp/trustedcerts-from-viya-deployment.pem

However, I don't know what search path, which piece of software that actually uses these certs follows. Seems it can vary, and it can be the ssl libraries of the OS, as opposed to python itself. I just don't know. I strace'ed my python process and it looked in this directory (and didn't find the cert): /etc/pki/tls/cert.pem as I haven't done anything special in my environment. Then I set the SSL_CERT_FILE env var and reran and that file was then the one being used, and it verified as expected (after copying the viya cert there, of course).

So, if on your system, you find the path that is actually being used, then I suspect you can put it there and then not need to set the SSL_CERT_FILE variable. I did that w/ /etc/pki/tls/cert.pem, and unset the SSL_CERT_FILE var and it then picked it up from there and verified. So, it's really a matter of wherever the ssl libraries on your system look for the file.

Tom

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsassoftware%2Fsaspy%2Fissues%2F344%23issuecomment-733116400&data=04%7C01%7Cmichael.bretz%40sas.com%7C03e0c11f2edd4431613808d8909bf7fa%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637418346863379804%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=MTQUemlfKUDRIR%2FiTc8mYwCVtlQEs%2FH3ygckl1utpOw%3D&reserved=0, or unsubscribehttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FANJKDFRO7UXVO56EYGLAI4DSRPSLVANCNFSM4T7XO7IA&data=04%7C01%7Cmichael.bretz%40sas.com%7C03e0c11f2edd4431613808d8909bf7fa%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637418346863379804%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=wQ0Zu28QrX1olTtGUcNXrzdzQKoJigaJNJKMfhOdKj8%3D&reserved=0.

[tomweber-sas]

Hey, that's great news, and info. Yet another path that can be found and works. Even the folks here that actually deal with this (more than me anyway), say there's no one answer to any of this; it can vary by app and os. So, that's good to know and will be able to help others too! You want to close this out?

I submitted that and got the original path I saw as well as that SSL_CERT_FILE var as being something it honors; it's coming together now :) ...

>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile='/etc/pki/tls/cert.pem', capath='/etc/pki/tls/certs', 
                   openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/pki/tls/cert.pem', 
                   openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/pki/tls/certs')
>>>

Thanks! Tom

[mibret]

Yes please. Have a good Thanksgiving.

From: Tom Weber notifications@github.com Sent: Tuesday, November 24, 2020 1:42 PM To: sassoftware/saspy saspy@noreply.github.com Cc: Michael Bretz Michael.Bretz@sas.com; Mention mention@noreply.github.com Subject: Re: [sassoftware/saspy] Using httpsviya and SSL cert verification failed error (#344)

EXTERNAL

Hey, that's great news, and info. Yet another path that can be found and works. Even the folks here that actually deal with this (more than me anyway), say there's no one answer to any of this; it can vary by app and os. So, that's good to know and will be able to help others too! You want to close this out?

I submitted that and got the original path I saw as well as that SSL_CERT_FILE var as being something it honors; it's coming together now :) ...

ssl.get_default_verify_paths()

DefaultVerifyPaths(cafile='/etc/pki/tls/cert.pem', capath='/etc/pki/tls/certs',

               openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/pki/tls/cert.pem',

               openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/pki/tls/certs')

Thanks! Tom

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsassoftware%2Fsaspy%2Fissues%2F344%23issuecomment-733163290&data=04%7C01%7Cmichael.bretz%40sas.com%7Cbd13280a761d40de156208d890a8959c%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637418401040911555%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=NSfSsC2jJlpnz%2FyIrd8oqrf32OykdHzvqP1gULKp8Wk%3D&reserved=0, or unsubscribehttps://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FANJKDFWCO44A2N2Q2N42OKDSRP46FANCNFSM4T7XO7IA&data=04%7C01%7Cmichael.bretz%40sas.com%7Cbd13280a761d40de156208d890a8959c%7Cb1c14d5c362545b3a4309552373a0c2f%7C0%7C0%7C637418401040911555%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=H0K8xnIfVAV9kJZHwzoyPFlwm0oXN7aj5L3OwYfXwps%3D&reserved=0.

[tomweber-sas]

Thanks! You too! Tom