Configure RabbitMQ with SSL - python

I am trying to configure basic SSL authentication with RabbitMQ using this RabbitMQ container.
After following all the steps mentioned, I fail to run either the consumer or the producer from the Python examples. The error that appears is the following one:
Connection to 127.0.0.1:5671 failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645) ConnectionClosed
As for the certificates cacert.pem, cert.pem and key.pem, I have assumed that cacert.pem is the one from the testca directory, and that cert.pem and key.pem should be the ones found in the client and server directories (depending on whether the consumer or the producer is executed).
Therefore, my question is whether these assumptions are right or not and, finally, how the aforementioned example should be executed so as not to get the SSL error that appears after executing either the consumer or the producer.

Related

How do I update an SSL certificate in Python?

I am running Python 3.9.1. I have some Django Admin Actions which create and then download some PDFs. When running this on my local machine (Windows 10) I have recently started getting the following error message:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1123)
Any ideas on how I can deal with this? The Django app works perfectly on the server, the problem is only on my local host.
In my case, I was interacting with IoT (Internet of Things) device APIs and had a LetsEncrypt certificate that expired. I downloaded the new LetsEncrypt cert at: https://valid-isrgrootx1.letsencrypt.org/
More explanation:
My error occurred on a Windows Python client requesting API information from an IoT web server. I determined which client certificate was expired by viewing the existing certificates' dates in Windows:
Open PowerShell as admin, then: Get-Childitem cert:\LocalMachine\root |format-list
The expired cert was owned by LetsEncrypt. More information about the expired cert: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.
In my case, the LetsEncrypt root certificate expired at the end of September and was replaced with the newer cert going forward. To implement the new cert, visit any webpage that uses that certificate from your failing client. In the case of LetsEncrypt, visit their cert demo page at: https://valid-isrgrootx1.letsencrypt.org/, and your certificate store will update automatically.

Python suds: Getting SSL: CERTIFICATE_VERIFY_FAILED error

I'm trying to request some data from a website using suds in Python. I'm getting urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)> while creating the suds client. I do not get this error when I'm running the project locally, but this issue happens when I try to deploy this project to a Linux host so that it can be automated.
One thing to note is that this Python code lies behind AppProxy so that it can connect to the internet. I have verified using a cURL request that the remote host is able to connect to the website.
I'm new to the SSL certificate thing and not so sure about this certificate issue; do I need to install any server certificates on the host so that it can be verified by SSL validation? Any leads would be helpful. Thanks.

Python Confluent Kafka Client in Docker

When setting up my Kafka client locally on my Mac without specifying ssl.ca.location, it works. But when I run it in a Docker container locally I get the error: Failed to verify broker certificate: unable to get local issuer certificate. How can I solve this?
driver_options = {
'bootstrap.servers': kafka_brokers_sasl,
'sasl.mechanisms': 'PLAIN',
'security.protocol': 'SASL_SSL',
'sasl.username': 'token',
'sasl.password': api_key,
'log.connection.close' : True,
#'ssl.ca.location': ''
}
I have seen multiple proposals for trying this, for example this solution: https://github.com/henadzit/cloudkarafka-test-project, but can't get it to work.
Failed to verify broker certificate: unable to get local issuer certificate
Indicates that librdkafka is not able to find the root CA certificate on the server. Normally you have two options:
You either let librdkafka locate the certificate on the host
or you can specify the location of the certificate
Docker images, though, are usually unable to locate the CA certificate, so you can either install it in the image or specify its location in librdkafka's configuration.
To do so, you need to specify ca-cert's location in ssl.ca.location
EDIT:
In order to create certificates you can follow Confluent's Security tutorial which is a step-by-step guide.
In order to encrypt with SSL on Kubernetes you can use kube-lego
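Added example, not code from the question or from the repository it links to: the reply above says to point ssl.ca.location at a CA bundle, and in a slim image the first problem is finding one that actually exists. This stdlib-only helper asks the interpreter's own OpenSSL where its bundle is, falls back to the usual distribution paths (the list is an assumption about common layouts), checks that the file loads and contains at least one CA certificate, and then builds the confluent-kafka configuration from the question with ssl.ca.location set. confluent_kafka itself is not imported. If the broker uses a private CA, pass that CA's PEM as ca_location instead of the system bundle.

```python
"""Make librdkafka's CA lookup explicit instead of hoping the image has a bundle."""
import os
import ssl

# Assumed well-known locations of the system CA bundle on common Linux images.
WELL_KNOWN_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu/Alpine (ca-certificates package)
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL/CentOS/Fedora
    "/etc/ssl/ca-bundle.pem",              # SUSE
    "/etc/ssl/cert.pem",                   # OpenSSL default on some images
)


def bundle_is_usable(path):
    """True only if ``path`` exists and OpenSSL can load at least one CA cert from it."""
    if not path or not os.path.isfile(path):
        return False
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # ssl.SSLError is an OSError: not PEM, unreadable, empty
        return False
    return ctx.cert_store_stats()["x509_ca"] > 0


def resolve_ca_bundle(candidates=None):
    """First usable bundle among ``candidates``; defaults to what this interpreter's
    OpenSSL was built to use, then the well-known paths.  None if nothing is found."""
    if candidates is None:
        defaults = ssl.get_default_verify_paths()
        candidates = (defaults.cafile, defaults.openssl_cafile, *WELL_KNOWN_BUNDLES)
    for path in candidates:
        if bundle_is_usable(path):
            return path
    return None


def kafka_config(bootstrap_servers, api_key, ca_location=None):
    """The question's driver_options with ssl.ca.location filled in.
    An explicit ca_location is passed through as given (librdkafka will refuse to
    start if it cannot read it); otherwise the system bundle is located and checked."""
    ca = ca_location or resolve_ca_bundle()
    if ca is None:
        raise FileNotFoundError(
            "no CA bundle found: install ca-certificates in the image or pass ca_location")
    return {
        "bootstrap.servers": bootstrap_servers,
        "security.protocol": "SASL_SSL",
        "sasl.mechanisms": "PLAIN",
        "sasl.username": "token",
        "sasl.password": api_key,
        "ssl.ca.location": ca,  # the line the question had commented out
        "log.connection.close": True,
    }


if __name__ == "__main__":
    print("system bundle:", resolve_ca_bundle())
```

In a Dockerfile the equivalent is to install the distribution's ca-certificates package (or COPY the private CA's PEM in) and set ssl.ca.location to that path; the check in bundle_is_usable is what tells you the difference between a path that exists and one librdkafka can actually use.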

Openstack CLI throwing SSL error

I have installed Openstack CLI and when I try to use any command say
openstack server list
it is throwing the below error
Failed to discover available identity versions when contacting
https://44.128.19.51:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://44.128.19.51:5000/v3/auth/tokens:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:765)
I tried setting the export OS_CACERT=/path/to/ca.crt, but it is not working.
You must provide a proper authorization url. Sometimes the port of the url can be wrong. Like in my case, the authorization url had port 1300 instead of 5000.
And have you sourced your RC file?
Without a proper authorization URL, a proper CACERT path or proper authorization certificates, it will show this error.
A long time has passed since the question, but if someone like myself faces the problem, enter the "OpenStack" command with the flag "--insecure".
Here's the related documentation.

Alternative method to find if APNS certification file is valid?

I'm having a problem developing a "provider" for APNS. My server is trying to send messages using apns-client; it seems there are no problems occurring while sending messages, but the device isn't receiving any messages at all.
Recently I've changed the *.pem file to a new one. Messages were properly received while using the previous *.pem file, so I'm sure that there are no problems with the server connections and the sending script (written in Python). The reason is, probably, that the old *.pem file is valid but the new *.pem file is not.
I strongly desire to have an "error" response from the APNS server if the *.pem file is invalid, but it seems that the APNS server or the apns-client library isn't returning any error signals even if the *.pem file is invalid. I've proved this fact by adding one hundred 'a's to the line before -----END RSA PRIVATE KEY----- in the *.pem, and running the same Python script. Yes, it still didn't receive any error messages.
Since APNS server is returning no error messages, it's nearly impossible to check if the *.pem file is valid... Aren't there any methods to check if the *.pem file is valid?
Here's some troubleshooting info suggested by Apple:
Problems Connecting to the Push Service
One possibility is that your server is unable to connect to the push
service. This can mean that you don't have the certificate chain
needed for TLS/SSL to validate the connection to the service. In
addition to the SSL identity (certificate and associated private key)
created by Member Center, you should also install the Entrust CA
(2048) root certificate on your provider. This allows TLS/SSL to
verify the full APNs server cert chain. If you need to get this root
certificate, you can download it from Entrust's site. Also verify that
these identities are installed in the correct location for your
provider and that your provider has permission to read them.
You can test the TLS/SSL handshake using the OpenSSL s_client command,
like this:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert YourSSLCertAndPrivateKey.pem -debug -showcerts -CAfile server-ca-cert.pem
where server-ca-cert.pem is the Entrust CA (2048) root certificate.
Be sure the SSL identity and the hostname are the correct ones for the
push environment you're testing. You can configure your App ID in
Member Center separately for the sandbox and production environment,
and you will be issued a separate identity for each environment.
Using the sandbox SSL identity to try to connect to the production
environment will return an error like this:
CRITICAL | 14:48:40.304061 | Exception creating ssl connection to Apple: [Errno 1] _ssl.c:480: error:14094414:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate revoked
To test your PRODUCTION cert, open Terminal and do this:
openssl s_client -connect gateway.push.apple.com:2195 -cert PushProdCer.pem -key PushProdKey.pem
I am not familiar with the python-client you are using but surely there is a way to simply attempt opening a connection with Apple's PNS servers and detecting whether that connection failed or not. If the connection fails, then something is wrong with the PEM file - either the format or the certificate values themselves.
If you want to get an error message that's a little more explicative than "pass or fail," I recommend you look into 3rd party shell scripts that can return some basic information about the PEM file. This thread contains a few sample scripts.
Of course, you can also check for some basic format validations that are widely available. I provided one such example here but there are others.
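Added example for the original question's "how do I check whether the *.pem is valid" (not code from the question, the answers or apns-client): an offline structural check of a provider .pem using only the standard library. It parses each PEM block, base64-decodes the body and compares the outer DER SEQUENCE header against the decoded length, which is exactly what the asker's experiment (a hundred 'a's pasted before the END RSA PRIVATE KEY line) breaks, then checks that both a certificate block and a private key block are present. The embedded sample bodies are constructed dummy DER values, not real certificates or keys.

```python
"""Structural sanity check for a PEM file before blaming the push service."""
import base64
import binascii
import re

# One PEM block; the label must match on BEGIN and END or the block is not recognised.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def der_declared_length(der):
    """Total length the outer DER SEQUENCE header claims, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text):
    """Return [(label, status)] per PEM block; status is 'ok' or the reason it is not."""
    results = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), re.sub(r"\s+", "", match.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            results.append((label, "body is not valid base64"))
            continue
        declared = der_declared_length(der)
        if declared is None:
            results.append((label, "decoded body is not a DER SEQUENCE"))
        elif declared != len(der):
            results.append((label, f"DER length mismatch: header declares {declared} bytes, "
                                   f"body has {len(der)}"))
        else:
            results.append((label, "ok"))
    return results


def apns_pem_problems(text):
    """Everything wrong with a provider .pem that can be seen without contacting APNs."""
    blocks = check_pem(text)
    problems = [f"{label}: {status}" for label, status in blocks if status != "ok"]
    labels = {label for label, _ in blocks}
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not labels & PRIVATE_KEY_LABELS:
        problems.append("no private key block (or its BEGIN/END labels do not match)")
    return problems


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed sample data: minimal DER SEQUENCEs standing in for a real cert and key.
GOOD_PEM = (_pem("CERTIFICATE", bytes([0x30, 0x03, 0x02, 0x01, 0x05]))
            + _pem("RSA PRIVATE KEY", bytes([0x30, 0x04, 0x02, 0x02, 0x05, 0x06])))
# The asker's experiment: a hundred 'a's on the line before END RSA PRIVATE KEY.
CORRUPT_PEM = GOOD_PEM.replace("-----END RSA PRIVATE KEY-----",
                               "a" * 100 + "\n-----END RSA PRIVATE KEY-----")

if __name__ == "__main__":
    print(check_pem(GOOD_PEM))
    print(apns_pem_problems(CORRUPT_PEM))
```

This only proves the file is well-formed; it says nothing about whether the certificate is the right one for the sandbox or production gateway, or whether the key matches it. For a real file, follow it with openssl x509 -noout -text -in file.pem and openssl rsa -check -noout -in file.pem, and then the s_client handshake from Apple's notes above.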
