Problem with URL/JSON HTTPS Data Source with custom certificate

Issue Summary

When trying to query HTTPS URL datasource (JSON API), the query is failing with error certificate verify failed.

The server this data source is connecting to is using custom SSL certificate. How can I add appropriate CA certificate as valid CA certificate for Redash query processing?

Technical details:

• Redash Version: 7.0.0+b18042
• OS: Docker on CentOS 7
• How did you install Redash: docker install script from CentOS 7 enabled setup.sh
• Error message (anonymized): Error running query: HTTPSConnectionPool(host=‘XXX’, port=443): Max retries exceeded with url: /api/v1/url:%20%22hardware%22%0Aparams:%0A%20%20Accept:%20application/json%0A%20%20Content-Type:%20application/json%0A%20%20Authorization:%20Bearer%20XXX (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,),))

To clarify, you are trying to pull data using Redash’s API?

It sounds like @Pajosh has a working Redash 7 instance, and is attempting to add a new URL data source.

The problem seems to be the HTTPS certificate for the new data source is self signed or otherwise not anchored to any of the global root CAs, so it’s failing HTTPS validation and Redash refuses to pull data from it.

If there’s a way to tell Redash’s TLS client to ignore HTTPS cert failures, that would fix the problem.

An alternative approach would be to add the server CA chain certificates to the docker container which the HTTPS connection is made from, so it knows how to validate the server.

I’m not sure how to do either just yet. The first option is Redash specific, the 2nd might be doable by adding the certificates to the appropriate area under /etc/pki/ in the correct docker container.

Yes, @justinclift is correct, I am trying to query external JSON datasource using “URL” data source type. My data source is using certificate signed with internal CA. I tried to add the appropriate CA certificate to all runtime containers (nginx, server, …) and ran the “update-ca-certificates” script inside containers and on host also, but with no effect. Any help?

Not sure yet.

Trying to figure it out from a logical perspective… the TLS connection done by Redash, since it’s written in Python, is probably using some Python connection library. Maybe even just the “requests” library?

Ahhh. Looking at requirements.txt in the GitHub repo, it does list requests. It also lists PyOpenSSL.

Those are probably the probably the things to investigate, to figure out where they load their certificate storage from.

Looking through the PyOpenSSL source code, docs, and examples… it seems to just use whatever the system provided OpenSSL gives it. Useful to know, but doesn’t really give extra info.

The key will probably turn out to be installing the appropriate CA certificate in the right place. I was thinking somewhere inside the /etc/pki/ directories before, but that’s probably just a CentOS thing.

Whatever the Docker images use… it’ll probably be the same place the other system certificates are in. It just depends on what the base OS image is the Docker builds are using.

It’s not something I want to put more time into atm (need sleep soon personally). But if you do some digging (maybe here?), you’ll probably figure it out. Hopefully.