Json query 'certificate verify failed' on self signed certificate

michimau · October 29, 2021, 1:11pm

I need to query an internal api which uses a self signed certificate.

i bump into a:

Error running query: HTTPSConnectionPool(host='MYINTERNALHOST', port=443): Max retries exceeded with url: /ovirt-engine/api/vms (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

the query looks like:

url: https://MYINTERNALHOST/ovirt-engine/api/vms
auth: [MYUSER, MYPASSWORD]
headers: [Accept: application/json]

Is there a was to force the library to trust the certificate (same behaviour as of “curl -k”)

justinclift · October 31, 2021, 8:19am

Although this doesn’t answer your question directly, if your internal host has a domain name in externally visible DNS (eg “something.com”, “something.io”, etc), then you could potentially generate a valid Lets Encrypt certificate for it using DNS based authentication.

That’s how it’s commonly done for servers which aren’t reachable from the outside world.

Can give you the exact certbot commands to run for generating the certificate, if that’d be useful. (?)

michimau · November 4, 2021, 9:41am

@justinclift thanks for your contribution. But i do not think it fits the bill in my case.

What I need is the merge of this pull request: Add verify option to JSON datasource runner to allow skipping certificate verification by kevinchiang · Pull Request #5212 · getredash/redash · GitHub

michimau · November 4, 2021, 10:12am

@jesse any plan to merge #5112 Add verify option to JSON datasource runner to allow skipping certificate verification by kevinchiang · Pull Request #5212 · getredash/redash · GitHub?

justinclift · November 4, 2021, 11:06am

Interesting. That looks like a straight forward PR that should be easy to merge.

However it looks like the automatic build which is supposed to run and test submitted PR’s instead hung, and never reported back a status.

@jesse Are you able to give the build there a kick or something to restart it?

kchiang · January 21, 2022, 6:19pm

Bump.

Hi @justinclift or @jesse, can we give the automated build a kick for this one as Justin suggested?

github.com/getredash/redash

Add verify option to JSON datasource runner to allow skipping certificate verification

getredash:master ← kevinchiang:master

opened 01:44AM - 15 Oct 20 UTC

kevinchiang

+1 -1

## What type of PR is this? (check all applicable) - [x] Feature ## Descri…ption Many internal endpoints are secured through SSL with an internal certificate authority. By adding the "verify" option to be passed through the request_options, we can allow the requests library to skip SSL certificate verification. ## Related Tickets & Documents ## Mobile & Desktop Screenshots/Recordings (if there are UI changes). <img width="197" alt="Screen Shot 2020-10-14 at 6 41 30 PM" src="https://user-images.githubusercontent.com/3395738/96065353-320e4a00-0e4d-11eb-8873-71e4c67b2a46.png">

jesse · January 21, 2022, 6:31pm

Thanks for pinging this! Since I don’t have permissions on your fork I can’t retrigger the actions run. Please run the following and push your changes to the PR branch:

git commit --allow-empty -m "trigger GitHub actions"
git push

jesse · January 21, 2022, 9:45pm

The fix has now been merged. Thank you again!