When setting up my Kafka Client locally on my mac without specifying ssl.ca.location, it works. But when I run it on a docker container locally I get the error: Failed to verify broker certificate: unable to get local issuer certificate. How can I solve this?
driver_options = {
'bootstrap.servers': kafka_brokers_sasl,
'sasl.mechanisms': 'PLAIN',
'security.protocol': 'SASL_SSL',
'sasl.username': 'token',
'sasl.password': api_key,
'log.connection.close' : True,
#'ssl.ca.location': ''
}
I have seen multiple proposals for trying this, for example this solution: https://github.com/henadzit/cloudkarafka-test-project, but can't get it to work.
Failed to verify broker certificate: unable to get local issuer certificate
Indicates that librdkafka is not able to find the root CA certificate on the server. Normally you have two options:
You either let librdkafka locate the certificate on the host
or you can specify the location of the certificate
Docker images though, are usually unable to locate the CA certificate so you can either install it on the image or specify its location in librdkafka's configuration
To do so, you need to specify ca-cert's location in ssl.ca.location
EDIT:
In order to create certificates you can follow Confluent's Security tutorial which is a step-by-step guide.
In order to encrypt with SSL on Kubernetes you can use kube-lego
Related
I am running python 3.9.1 I have some Django Admin Actions which create and then download some PDFs. When running this on my local machine (Windows 10) I have recently started getting the following error message:
SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1123)
Any ideas on how I can deal with this? The Django app works perfectly on the server, the problem is only on my local host.
In my case, I was interacting with IoT (Internet of Things) device APIs and had a LetsEncrypt certificate that expired. I downloaded the new LetsEncrypt cert at: https://valid-isrgrootx1.letsencrypt.org/
More explanation:
My error occurred on a Windows Python client requesting API information from an IoT web server. I determined which client certificate was expired by viewing existing certificates dates in Windows:
Open Powershell as admin, then: Get-Childitem cert:\LocalMachine\root |format-list
The expired cert was owned by LetsEncrypt. More information about the expired cert: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.
In my case, the LetsEncrypt root certificate expired at the end of September and was replaced with the newer cert going forward. To implement the new cert, visit any webpage that uses that certificate from your failing client. In the case of LetsEncrypt, visit their cert demo page at: https://valid-isrgrootx1.letsencrypt.org/, and your certificate store will update automatically.
I'm trying to request some data from a website using suds in Python. I'm getting urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)> while creating suds client. I do not get this error when I'm running the project locally but this issue happens when I try to deploy this project to a Linux host so that it can be automated.
One thing to note is, this python code lies behind AppProxy so that it can connect to internet. I have verified using a CURL request that the remote hosts is able to connect to the website.
I'm new to SSL Certificate thing not so sure about this certificate issue, do I need to install any server certificates on the hosts so that it can verified by SSL Validation? Any leads would be helpful. Thanks.
Following error occurs only with docker app in python when making request to an https url.
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)>
Outside of docker, the app works. I can fetch the same URL inside the docker image of other language app such as dotnet.
I have tried:
RUN update-ca-certificates
Install certfi library and manually supply the certificates during making the call
Manually insert the certificates that comes with certify library in different locations of docker images such as /usr/local/share/ca-certificates/, /etc/ssl/certs/ and RUN update-ca-certificates
Tried different versions (3.6.9, 3.8.4) and providers (alpine, buster, slim-buster ) of python.
Setting different env variables such as REQUESTS_CA_BUNDLE, SSL_CERT_FILE etc.
Use different libraries such as requests, urllib, urllib3
.... and really large number of different things.
It of course works when I turn the verify off, but I want to keep verification.
I was having this issue in an ARM Ubuntu 20.04 container.
I installed ca-certificates and curl, but I still couldn't use curl. For me the fix ended up being adding the following before calling curl:
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
I have installed Openstack CLI and when I try to use any command say
openstack server list
it is throwing the below error
Failed to discover available identity versions when contacting
https://44.128.19.51:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://44.128.19.51:5000/v3/auth/tokens:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:765)
I tried setting the export OS_CACERT=/path/to/ca.crt, but it is not working.
You must provide a proper authorization url. Sometimes the port of the url can be wrong. Like in my case, the authorization url had port 1300 instead of 5000.
And have you sourced your RC file?
Other than for proper authorization url, proper CACERT path or proper authorization certificates it should show this error.
A long time has passed since the question, but if someone like myself faces the problem, enter the "OpenStack" command with the flag "--insecure".
Here's the related documentation.
I need to create simple https server with Python. I've used this tutorial https://www.piware.de/2011/01/creating-an-https-server-in-python/ and it works with one small "but".
When i try to curl my server (ex. curl -vvv https://domain.com) response looks similar to:
curl: (60) SSL certificate problem: unable to get local issuer
certificate More details here: LINK
Thanks in advance for any help.
Try using your complete certificate chain instead of only your certificate (and your key) on your script:
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='/path/to/fullchain.pem', server_side=True, keyfile='/path/to/server.key')
If you're using a self-signed certificate, cURL won't accept it unless you install it on your local CA certs or run cURL with -k:
curl -vvvk https://domain.com
The certificate chain is just a series of certificates, from your local issued up to the global (including intermediates), CAs usually provide it.