SSL Certificate failed to verify - error on "login to OpenStreetMap" click #976

Open
james2432 opened this issue Feb 21, 2017 · 8 comments

Comments

@james2432

The code doesn't seem to like the certificate on osm.org, but I've checked it against my server machine and have been getting valid certificates.

Just when Python tries to connect, I'll get:

2017-02-21 11:07:40,047 http://tasks.osmcanada.ca/login?came_from=http%3A%2F%2Ftasks.osmcanada.ca%2F
Traceback (most recent call last):
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/pyramid_exclog/__init__.py", line 111, in exclog_tween
    return handler(request)
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/pyramid_tm/__init__.py", line 109, in tm_tween
    reraise(*exc_info)
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/pyramid_tm/__init__.py", line 88, in tm_tween
    response = handler(request)
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/pyramid/router.py", line 145, in handle_request
    view_name
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/pyramid/view.py", line 527, in _call_view
    response = view_callable(context, request)
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/pyramid/config/views.py", line 384, in viewresult_to_response
    result = view(context, request)
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/pyramid/config/views.py", line 506, in _requestonly_view
    response = view(request)
  File "/srv/osmtm/osm-tasking-manager2/osmtm/views/osmauth.py", line 46, in login
    resp, content = client.request(url, "GET")
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/oauth2/__init__.py", line 687, in request
    connection_type=connection_type)
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/httplib2/__init__.py", line 1609, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/httplib2/__init__.py", line 1351, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/httplib2/__init__.py", line 1272, in _conn_request
    conn.connect()
  File "/srv/osmtm/osm-tasking-manager2/env/local/lib/python2.7/site-packages/httplib2/__init__.py", line 1059, in connect
    raise SSLHandshakeError(e)
SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

My current versions are (in virtual env):

env/bin/python -V
Python 2.7.12
OpenSSL 1.0.2g  1 Mar 2016
openssl s_client -showcerts -connect www.openstreetmap.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.openstreetmap.org
verify return:1
---
Certificate chain
 0 s:/CN=www.openstreetmap.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=www.openstreetmap.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3243 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5D9AEBE46C1FA48F57ABC1B676C6A1C62B077277AF9CBE0EB3AFB214434828DE
    Session-ID-ctx:
    Master-Key: FEAC77127B383F94B016884DBA2BDB80DA00ABB7FB93D405CA8D839EE1F19EC0008C9C97E8C549C6AC1C4D5DA2A3F15A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1487694696
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
@bgirardot
Contributor

We have been working this issue for the past few days. @ravilacoya pointed us to an osm-es email list entry and @ethan-nelson followed up with Alejandro from that list and they came up with the following fix for the typical TM2 install:

env/bin/pip install --upgrade httplib2
env/bin/pip install --upgrade urllib3[secure]

Please let us know if that works for you too.

@bgirardot bgirardot changed the title SSL Certificate failed to verify SSL Certificate failed to verify - error on "login to OpenStreetMap" click Feb 21, 2017
@james2432
Author

Running those seemed to have fixed the issue! Yay! I was scratching my head for a good 2 hours. Maybe add the fix to the documentation.

@DenisCarriere

@bgirardot Awesome Blake! Thanks for the quick reply

@jbelien
Contributor

jbelien commented Feb 28, 2017

Dear @bgirardot, OSMBE thanks you! :D

@hpanno

hpanno commented Mar 2, 2017

@bgirardot Super helpful!!! Thanks very much!

@jgrocha

jgrocha commented Mar 3, 2017

Same problem with https://tasks.openstreetmap.pt.
I ended up running the two commands, but the problem was solved just by upgrading httplib2.
Thanks @bgirardot

@bgirardot
Contributor

@jgrocha Very good to know. We were not actually sure which of the two commands fixed it as we ran them both and then had no easy way to test them individually anymore :) Thank you for the clarification!

@grinapo

grinapo commented Mar 7, 2017

@bgirardot httplib2 definitely needs an upgrade, so it's required.
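
The symptom in this thread (`openssl s_client` ends with `Verify return code: 0 (ok)` while httplib2 raises `CERTIFICATE_VERIFY_FAILED` for the same host) is what two clients produce when they validate one chain against different CA bundles. The script below is an added example, not code from the project or from any commenter. It assumes that is the cause here, and it reproduces the effect offline with throwaway roots; all names, keys and certificates in it are constructed.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name here is generated locally.
WORK=$(mktemp -d)

# write_cnf NAME: minimal OpenSSL config so the demo ignores system openssl.cnf
write_cnf() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed-$1
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
}

# make_root NAME: self-signed root CA (NAME.pem / NAME.key)
make_root() {
  write_cnf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf ROOT: server certificate leaf.pem issued by ROOT
make_leaf() {
  write_cnf leaf
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 2 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_with BUNDLE: exit 0 only if leaf.pem chains to a root inside BUNDLE
verify_with() {
  openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" 2>&1
}

make_root root-a
make_root root-b
make_leaf root-a
# "current" store knows the issuing root; "stale" store predates it.
cat "$WORK/root-a.pem" "$WORK/root-b.pem" > "$WORK/current.pem"
cp "$WORK/root-b.pem" "$WORK/stale.pem"

echo "current bundle: $(verify_with current.pem | tail -n 1)"
echo "stale bundle:   $(verify_with stale.pem | tail -n 1)"
```

To repeat the check against the real stores, point `openssl s_client -CAfile` at the bundle the Python client actually loads (for httplib2, the path in `httplib2.CA_CERTS`) instead of the system default.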
