Closed spazm closed 7 years ago
Hey @spazm, I believe this may be related to #979 which has been addressed in master with #980. If you have a moment could you run your codebase with the current master branch and see if this solves the issue?
Checked out master (3de23d0edef737a8b72d33140a3ad44af19a565b) and installed. Fixed! Thanks for the quick response, @nateprewitt.
LGTM. 👍
pip install urllib3==1.17 && ./urllib3_test_direct.py
Downloading/unpacking urllib3==1.17
Downloading urllib3-1.17.tar.gz (181Kb): 181Kb downloaded
Running setup.py egg_info for package urllib3
warning: no previously-included files matching '*' found under directory 'docs/_build'
Installing collected packages: urllib3
Found existing installation: urllib3 dev
Uninstalling urllib3:
Successfully uninstalled urllib3
Running setup.py install for urllib3
warning: no previously-included files matching '*' found under directory 'docs/_build'
Successfully installed urllib3
Cleaning up...
Traceback (most recent call last):
  File "./urllib3_test_direct.py", line 13, in <module>
    resp = connection_pool.request('GET', url)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/request.py", line 66, in request
    **urlopen_kw)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/request.py", line 87, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/poolmanager.py", line 244, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 833, in _validate_conn
    conn.connect()
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/connection.py", line 324, in connect
    cert = self.sock.getpeercert()
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 312, in getpeercert
    'subjectAltName': get_subj_alt_name(x509)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 185, in get_subj_alt_name
    for name in ext.get_values_for_type(x509.DNSName)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 141, in _dnsname_to_stdlib
    name = idna.encode(name)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/idna/core.py", line 355, in encode
    result.append(alabel(label))
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/idna/core.py", line 276, in alabel
    check_label(label)
  File "/mnt/my-candidates/env-test/local/lib/python2.7/site-packages/idna/core.py", line 253, in check_label
    raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))
idna.core.InvalidCodepoint: Codepoint U+002A at position 1 of u'*' not allowed
$ pip install ./urllib3/ && ./urllib3_test_direct.py
Unpacking ./urllib3
Running setup.py egg_info for package from file:///mnt/my-candidates/urllib3
warning: no previously-included files matching '*' found under directory 'docs/_build'
Installing collected packages: urllib3
Found existing installation: urllib3 1.17
Uninstalling urllib3:
Successfully uninstalled urllib3
Running setup.py install for urllib3
warning: no previously-included files matching '*' found under directory 'docs/_build'
Successfully installed urllib3
Cleaning up...
{
  "name" : "rdb-test-andrew-01.prod",
  "cluster_name" : "rdb-test-andrew.prod",
  "version" : {
    "number" : "2.4.0",
    "build_hash" : "ce9f0c7394dee074091dd1bc4e9469251181fc55",
    "build_timestamp" : "2016-08-29T09:14:17Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.2"
  },
  "tagline" : "You Know, for Search"
}
urllib3_test_direct.py
(same as previous comment)
#!/usr/bin/env python
import certifi
import urllib3
import urllib3.contrib.pyopenssl
urllib3.contrib.pyopenssl.inject_into_urllib3()
url = u"https://rdb-test-andrew-01.prod.example.com:9200"
connection_pool = urllib3.PoolManager(
    cert_reqs='CERT_REQUIRED',
    ca_certs=certifi.where())
resp = connection_pool.request('GET', url)
print resp.data
Great, glad it helped @spazm.
Wondering if an update to the urllib3 package can be published with this fix? cc @haocs Thanks
It can do. It's on my schedule, but won't happen before next week.
Okay thanks for the reply.
Error
Overview
I'm seeing an InvalidCodepoint exception connecting to my elasticsearch server via ssl after upgrading to urllib3==1.17. This worked correctly with urllib3=1.16.
What can I do to help debug this issue? Can I turn up logging?
Is this a problem with how elasticsearch is calling urllib3?
I've simplified with a direct urllib3 example.
Lemma 1.
In 1.17 urllib3 switched to using idna.
Lemma 2
The host has a wildcard certificate valid for *.prod.example.com
Hypothesis
I assume the wildcard certificate is somehow related to the u'*' in the invalid code point error provided from idna.
Reproduction Steps
Failing elasticsearch script
urllib3_test.py:
Recreate environment
Installed versions:
pip freeze
Working example in urllib3==1.16
Simplified test
Certificate Info
ObNote
replaced our real commercial domain name with example.com.
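The failure mode reported in this thread, as an added example that is not code from urllib3, the idna package, or any participant: a strict per-label hostname check rejects the `*` label of a wildcard subjectAltName, so the wildcard has to be split off before encoding and allowed only as the whole leftmost label. The function names are hypothetical, and the standard-library `idna` codec plus a letters-digits-hyphen check is an assumed stand-in for the strict validation seen in the traceback.

```python
import re

# Letters-digits-hyphen rule for one ASCII label. Assumption: this stands in
# for the strict per-label validation that raised InvalidCodepoint for u'*'.
_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def strict_encode(hostname):
    """IDNA-encode a hostname with the stdlib codec, then require LDH labels."""
    ascii_name = hostname.encode("idna").decode("ascii")
    for pos, label in enumerate(ascii_name.split("."), start=1):
        if not _LDH_LABEL.match(label):
            raise ValueError("label %d (%r) is not a valid hostname label"
                             % (pos, label))
    return ascii_name


def san_dnsname_to_ascii(name):
    """Encode a certificate dNSName; '*' is allowed only as the whole
    leftmost label, everything after it is validated strictly."""
    if name.startswith("*."):
        return "*." + strict_encode(name[2:])
    return strict_encode(name)


def try_encode(func, name):
    """Return the encoded name, or a 'rejected: ...' string on failure."""
    try:
        return func(name)
    except ValueError as exc:  # UnicodeError is a subclass of ValueError
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed sample names; *.prod.example.com is the wildcard from the report.
    samples = [u"*.prod.example.com",
               u"rdb-test-andrew-01.prod.example.com",
               u"*.b\u00fccher.example",
               u"a.*.example.com",
               u"w*.example.com"]
    for san in samples:
        print("%-38s strict: %s" % (san, try_encode(strict_encode, san)))
        print("%-38s wildcard-aware: %s"
              % ("", try_encode(san_dnsname_to_ascii, san)))
```

Names with `*` anywhere other than the full leftmost label are still rejected, so the wildcard handling does not loosen validation of the rest of the name.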