SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted on
Mon Jun 04, 2018 7:15 am
Different Computers offline
User avatar
Posts: 1846
Joined: Jan 02, 2016
Location: East Coast

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

I've got a script that grabs a pic from a camera via ssh. Yesterday I upgraded the camera software and apparently it installed a new/different self-signed certificate too.

I've removed the old cert from the known-hosts, and signed back in to it manually to add the new cert. Not getting warnings at the command line now.

But when I run the script, I still get
Code: Select all
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)


Is this just some need to restart the server machine so Python reads known-hosts again, or is Python looking somewhere else? Something else?

SmartThings refugee, so happy to be on Indigo. 10.13.6 on an i5 MBP w/Harmony Hub, Hue, DomoPad, Dynamic URL, Device Extensions, HomeKit Bridge, MatplotLib, Plex, uniFAP, Wunderground, Nanoleaf, LED Simple Effects, Airfoil Pro, Grafana.

Posted on
Mon Jun 04, 2018 9:12 am
jay (support) offline
Site Admin
User avatar
Posts: 14739
Joined: Mar 19, 2008
Location: Austin, Texas

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

What macOS version are you on? What python http library are you using to download the pict? This looks suspiciously like the TLS issue.

Jay (Indigo Support)
Twitter | Facebook | LinkedIn

Posted on
Mon Jun 04, 2018 9:35 am
Different Computers offline
User avatar
Posts: 1846
Joined: Jan 02, 2016
Location: East Coast

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

I'm on 10.12.6 and since I don't know what you mean by "which library" here's the whole script that causes the error, with URL details obscured.
Code: Select all
from PIL import Image
import math
import requests
from requests.auth import HTTPBasicAuth
import StringIO
pic_destination = "/Library/Application Support/Perceptive Automation/Indigo 7/IndigoWebServer/public/name.jpg"
reply = requests.get('http://192.168.999.999/cgi-bin/currentpic.cgi', auth=HTTPBasicAuth('user', 'pass'))
im = Image.open(StringIO.StringIO(reply.content))
width, height = im.size
im = im.resize((int(math.floor(width)), int(math.floor(height))), Image.ANTIALIAS)
im.save(pic_destination,optimize=True,quality=80)

SmartThings refugee, so happy to be on Indigo. 10.13.6 on an i5 MBP w/Harmony Hub, Hue, DomoPad, Dynamic URL, Device Extensions, HomeKit Bridge, MatplotLib, Plex, uniFAP, Wunderground, Nanoleaf, LED Simple Effects, Airfoil Pro, Grafana.

Posted on
Mon Jun 04, 2018 10:35 am
jay (support) offline
Site Admin
User avatar
Posts: 14739
Joined: Mar 19, 2008
Location: Austin, Texas

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

So, you're using the requests library to do the http request and you're on Sierra, which has the old ssl implementation that doesn't support TLS 1+. If I had to guess, I'd say that when you updated the firmware in your camera it started requiring TLS 1+ which Apple's built-in Python doesn't support pre-High Sierra.

If that's truly the issue, you can work around it by using curl from a shell script to do the download rather than using the requests library (the curl command-line tool does support newer TLS). Or you can upgrade to High Sierra (which of course has it's own potential issues). This is truly a scenario where Apple is just one big bundle of FAIL.

Jay (Indigo Support)
Twitter | Facebook | LinkedIn

Posted on
Mon Jun 04, 2018 10:45 am
Different Computers offline
User avatar
Posts: 1846
Joined: Jan 02, 2016
Location: East Coast

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Thanks for the explanations.

I'll poke at curl & see what works. Of course, that was what I started with, before I realized I could do it simpler in Python!

SmartThings refugee, so happy to be on Indigo. 10.13.6 on an i5 MBP w/Harmony Hub, Hue, DomoPad, Dynamic URL, Device Extensions, HomeKit Bridge, MatplotLib, Plex, uniFAP, Wunderground, Nanoleaf, LED Simple Effects, Airfoil Pro, Grafana.

Posted on
Mon Jun 04, 2018 1:49 pm
Different Computers offline
User avatar
Posts: 1846
Joined: Jan 02, 2016
Location: East Coast

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

From my searching, seems like maybe I could use urllib instead of requests. Does that have the same TLS problem?

Of course, then I need to figure out how to do basic auth in urllib.

SmartThings refugee, so happy to be on Indigo. 10.13.6 on an i5 MBP w/Harmony Hub, Hue, DomoPad, Dynamic URL, Device Extensions, HomeKit Bridge, MatplotLib, Plex, uniFAP, Wunderground, Nanoleaf, LED Simple Effects, Airfoil Pro, Grafana.

Posted on
Mon Jun 04, 2018 2:33 pm
Different Computers offline
User avatar
Posts: 1846
Joined: Jan 02, 2016
Location: East Coast

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Looks like urllib does have the same TLS problem, as I was trying to make it work and got the same Python error.

SmartThings refugee, so happy to be on Indigo. 10.13.6 on an i5 MBP w/Harmony Hub, Hue, DomoPad, Dynamic URL, Device Extensions, HomeKit Bridge, MatplotLib, Plex, uniFAP, Wunderground, Nanoleaf, LED Simple Effects, Airfoil Pro, Grafana.

Posted on
Mon Jun 04, 2018 3:54 pm
jay (support) offline
Site Admin
User avatar
Posts: 14739
Joined: Mar 19, 2008
Location: Austin, Texas

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Different Computers wrote:
Looks like urllib does have the same TLS problem, as I was trying to make it work and got the same Python error.


Correct. The issue is the SSL library that Apple compiled in with their Python installation up to Sierra only supports old TLS. In High Sierra, they compiled Python using a newer library that supports TLS 1+.

Jay (Indigo Support)
Twitter | Facebook | LinkedIn

Posted on
Mon Jun 04, 2018 4:36 pm
lanbrown offline
Posts: 667
Joined: Sep 26, 2017

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Curl uses the Secure Transport library which is what Safari also uses. Secure Transport is homegrown and proprietary to Apple. Python uses the old 0.9.8 OpenSSL library which does not support TLS 1.1 and higher. Starting with High Sierra, Apple installed LibreSSL which does support TLS 1.2 and Python uses it instead of OpenSSL. Given that Apple wanted Python to run properly, they either need to go with a newer version of OpenSSL or LibreSSL. They went with LibreSSL which was a wise move given all of the past issues with OpenSSL. LibreSSL is designed to be compatible with OpenSSL (just a lot of cleaned up code and old platforms removed). Secure Transport is not designed to be API compatible with OpenSSL; so the use of it for Python would not be wise.

This is why it causes havoc for developers since if they use High Sierra they won't have an issue with TLS 1.2 sites but users will if they are on Sierra and below.

Posted on
Mon Jul 09, 2018 1:16 am
mclass offline
Posts: 160
Joined: May 13, 2015
Location: Melbourne, Australia

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

I have come across a different but related issue in attempting to install Python libraries (most recently ftputil and imageio) in my efforts to become familiar with Python in developing scripts for my Indigo installations

Using pip I get the dreaded

Code: Select all
There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION]

Of course all four Macs that I have access to are on Sierra and below :cry:

I have seen reference to using Curl to install Python packages, but as a noobie I am not familiar with this process. Can anyone offer me a "Dummy's Guide" to this process, or better still a simpler workaround?

Thanks in anticipation!

mclass

Posted on
Mon Jul 09, 2018 5:35 am
DaveL17 offline
User avatar
Posts: 4245
Joined: Aug 20, 2013

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Yes, older versions of pip will no longer work because of outdated security. I haven't gotten around to figuring out the fix for this.

+1 on the workaround if anyone has one.

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Mon Jul 09, 2018 6:00 am
FlyingDiver offline
Posts: 2562
Joined: Jun 07, 2014
Location: Cape Coral, FL

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

You need to manually upgrade pip. This should work:

Code: Select all
curl https://bootstrap.pypa.io/get-pip.py | sudo python

joe (aka FlyingDiver)
my plugins: http://forums.indigodomo.com/viewforum.php?f=177

Posted on
Mon Jul 09, 2018 6:09 am
DaveL17 offline
User avatar
Posts: 4245
Joined: Aug 20, 2013

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Thanks Joe - that worked.

Cheers!

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Mon Jul 09, 2018 8:06 pm
mclass offline
Posts: 160
Joined: May 13, 2015
Location: Melbourne, Australia

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Thanks Joe! Worked on all my machines.

Now back to learning Python :lol:

mclass

Page 1 of 1

Who is online

Users browsing this forum: No registered users and 1 guest