
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jun 04, 2018 7:15 am
by Different Computers
I've got a script that grabs a pic from a camera via ssh. Yesterday I upgraded the camera software and apparently it installed a new/different self-signed certificate too.

I've removed the old cert from the known-hosts, and signed back in to it manually to add the new cert. Not getting warnings at the command line now.

But when I run the script, I still get
Code:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)


Is this just some need to restart the server machine so Python reads known-hosts again, or is Python looking somewhere else? Something else?

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jun 04, 2018 9:12 am
by jay (support)
What macOS version are you on? What python http library are you using to download the pict? This looks suspiciously like the TLS issue.

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jun 04, 2018 9:35 am
by Different Computers
I'm on 10.12.6 and since I don't know what you mean by "which library" here's the whole script that causes the error, with URL details obscured.
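Code:
# Python 2 script (uses the StringIO module); needs the Pillow and requests packages
from PIL import Image
import math
import requests
from requests.auth import HTTPBasicAuth
import StringIO

# Destination file in the Indigo web server's public folder
pic_destination = "/Library/Application Support/Perceptive Automation/Indigo 7/IndigoWebServer/public/name.jpg"
# Fetch the current picture from the camera with HTTP basic auth (URL details obscured)
reply = requests.get('http://192.168.999.999/cgi-bin/currentpic.cgi', auth=HTTPBasicAuth('user', 'pass'))
# Decode the response body as an image
im = Image.open(StringIO.StringIO(reply.content))
width, height = im.size
# Resize (here to the same dimensions) and save as an optimized JPEG
im = im.resize((int(math.floor(width)), int(math.floor(height))), Image.ANTIALIAS)
im.save(pic_destination, optimize=True, quality=80)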

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jun 04, 2018 10:35 am
by jay (support)
So, you're using the requests library to do the http request and you're on Sierra, which has the old ssl implementation that doesn't support TLS 1+. If I had to guess, I'd say that when you updated the firmware in your camera it started requiring TLS 1+ which Apple's built-in Python doesn't support pre-High Sierra.

If that's truly the issue, you can work around it by using curl from a shell script to do the download rather than using the requests library (the curl command-line tool does support newer TLS). Or you can upgrade to High Sierra (which of course has its own potential issues). This is truly a scenario where Apple is just one big bundle of FAIL.

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jun 04, 2018 10:45 am
by Different Computers
Thanks for the explanations.

I'll poke at curl & see what works. Of course, that was what I started with, before I realized I could do it simpler in Python!

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jun 04, 2018 1:49 pm
by Different Computers
From my searching, seems like maybe I could use urllib instead of requests. Does that have the same TLS problem?

Of course, then I need to figure out how to do basic auth in urllib.

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jun 04, 2018 2:33 pm
by Different Computers
Looks like urllib does have the same TLS problem, as I was trying to make it work and got the same Python error.

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jun 04, 2018 3:54 pm
by jay (support)
Different Computers wrote:
Looks like urllib does have the same TLS problem, as I was trying to make it work and got the same Python error.


Correct. The issue is the SSL library that Apple compiled in with their Python installation up to Sierra only supports old TLS. In High Sierra, they compiled Python using a newer library that supports TLS 1+.

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jul 09, 2018 1:16 am
by mclass
I have come across a different but related issue in attempting to install Python libraries (most recently ftputil and imageio) in my efforts to become familiar with Python in developing scripts for my Indigo installations.

Using pip I get the dreaded

Code:
There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION]

Of course all four Macs that I have access to are on Sierra and below :cry:

I have seen reference to using Curl to install Python packages, but as a noobie I am not familiar with this process. Can anyone offer me a "Dummy's Guide" to this process, or better still a simpler workaround?

Thanks in anticipation!

mclass

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jul 09, 2018 5:35 am
by DaveL17
Yes, older versions of pip will no longer work because of outdated security. I haven't gotten around to figuring out the fix for this.

+1 on the workaround if anyone has one.

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jul 09, 2018 6:00 am
by FlyingDiver
You need to manually upgrade pip. This should work:

Code:
curl https://bootstrap.pypa.io/get-pip.py | sudo python

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jul 09, 2018 6:09 am
by DaveL17
Thanks Joe - that worked.

Cheers!

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Mon Jul 09, 2018 8:06 pm
by mclass
Thanks Joe! Worked on all my machines.

Now back to learning Python :lol:

mclass

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Sun Oct 17, 2021 1:18 pm
by DrLove
Hi,

Old thread, new/same problem.

Using requests in an embedded script on High Sierra, up until recently it worked great but now it throws:
Code:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)


I can run the same code from terminal (built in python) but not from Scripting shell.

What to do?

Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

Posted: Sun Oct 17, 2021 1:27 pm
by FlyingDiver
What version of Python are you getting in the scripting shell, and what version in Terminal?

It's possible the website you're connecting to has implemented an even stricter SSL check.
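
Added example (not part of any post in this thread, and not Indigo's own code): a script to run once in the Terminal Python and once in the scripting shell, answering the version question above and showing which OpenSSL build and CA bundle each interpreter uses. The field names, diff_reports, and the two sample reports are constructed for illustration.

```python
import ssl
import sys


def tls_report():
    """Facts about this interpreter's TLS stack that vary between Python builds."""
    paths = ssl.get_default_verify_paths()
    try:
        from requests import certs  # CA bundle that requests verifies against
        requests_bundle = certs.where()
    except ImportError:
        requests_bundle = None  # requests is not installed for this interpreter
    return {
        "executable": sys.executable,
        "python": sys.version.split()[0],
        "openssl": ssl.OPENSSL_VERSION,
        # This constant is only defined when the linked OpenSSL supports TLS 1.2
        "tls1_2": hasattr(ssl, "PROTOCOL_TLSv1_2"),
        # Fall back to the compiled-in default when no CA file/dir is found on disk
        "cafile": paths.cafile or paths.openssl_cafile,
        "capath": paths.capath or paths.openssl_capath,
        "requests_ca_bundle": requests_bundle,
    }


def diff_reports(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


# Constructed sample reports (not taken from the thread): two interpreters on
# one machine, linked against different OpenSSL builds.
SAMPLE_TERMINAL = {"python": "2.7.16", "openssl": "OpenSSL 1.0.2 (constructed)",
                   "tls1_2": True}
SAMPLE_SHELL = {"python": "2.7.10", "openssl": "OpenSSL 0.9.8 (constructed)",
                "tls1_2": False}

if __name__ == "__main__":
    import json
    # Run this in both environments and compare the two outputs.
    print(json.dumps(tls_report(), indent=2, sort_keys=True))
```

A difference in "openssl" or "tls1_2" points at the protocol-version problem discussed earlier in the thread; a difference in "cafile", "capath" or "requests_ca_bundle" means the two interpreters trust different sets of root certificates.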