Last modified: 9 December 2019

URL: https://cxc.cfa.harvard.edu/ciao/bugs/python.html

Bugs: python


Bugs

Unable to locate SSL certificates

CIAO ships with a copy of the OpenSSL library. This is required to provide access to any encrypted website, i.e. https://. The library makes use of signed certificates on the user's machine; however, the location of that certificate file is OS dependent -- different Linux distributions install the file in different locations.

Some users trying to access an encrypted URL may see an error message like

% python -c 'from urllib import request; request.urlopen("https://cxc.cfa.harvard.edu/ciao/");'
Traceback (most recent call last):
  File "/home/user/ciao-4.12/ots/lib/python3.5/urllib/request.py", line 1254, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/home/user/ciao-4.12/ots/lib/python3.5/http/client.py", line 1107, in request
    self._send_request(method, url, body, headers)
  File "/home/user/ciao-4.12/ots/lib/python3.5/http/client.py", line 1152, in _send_request
    self.endheaders(body)
...
  File "/home/user/ciao-4.12/ots/lib/python3.5/ssl.py", line 641, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719)
...

Workaround:

Users can try setting the environment variables SSL_CERT_FILE and/or SSL_CERT_DIR. These should point to the location of the cert.pem file on the system:

bash$ export SSL_CERT_FILE=/etc/ssl/cert.pem 
bash$ export SSL_CERT_DIR=/etc/ssl/certs
 or
tcsh% setenv SSL_CERT_FILE /etc/ssl/cert.pem
tcsh% setenv SSL_CERT_DIR /etc/ssl/certs

If you are unsure where the certificate file is located then open a new terminal and try the following command.

$ python -c "import ssl; print(ssl.get_default_verify_paths())" 
DefaultVerifyPaths(cafile=None, capath=None,
openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/pki/tls/cert.pem',
openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/pki/tls/certs')

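In this output, openssl_cafile_env and openssl_capath_env give the names of the environment variables (SSL_CERT_FILE and SSL_CERT_DIR), while openssl_cafile and openssl_capath give the certificate file and directory that this Python's OpenSSL uses by default, which are the values to try for those variables.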
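
The workaround above as a script, added here as an example (it is not part of CIAO): it checks whether the CA file compiled into the running Python's OpenSSL exists, searches a list of candidate locations, and prints the matching export/setenv lines so that certificate verification stays enabled. The function names and the last two candidate file paths are assumptions, not taken from this page.

```python
import os
import ssl

# Candidate CA bundle locations. The first two appear on this page; the other
# two are common distribution defaults, listed here as assumptions.
CANDIDATE_FILES = [
    "/etc/ssl/cert.pem",
    "/etc/pki/tls/cert.pem",
    "/etc/ssl/certs/ca-certificates.crt",   # Debian/Ubuntu (assumption)
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL/Fedora (assumption)
]
CANDIDATE_DIRS = ["/etc/ssl/certs", "/etc/pki/tls/certs"]


def looks_like_pem_bundle(path):
    """True if path is a readable file holding at least one PEM certificate."""
    try:
        with open(path, "r", errors="replace") as fh:
            return "-----BEGIN CERTIFICATE-----" in fh.read()
    except OSError:  # missing file, directory, permission denied, empty path
        return False


def diagnose(defaults, files=CANDIDATE_FILES, dirs=CANDIDATE_DIRS):
    """Report whether the compiled-in CA file is usable and what to set if not."""
    builtin_ok = looks_like_pem_bundle(defaults.openssl_cafile or "")
    cafile = next((f for f in files if looks_like_pem_bundle(f)), None)
    capath = next((d for d in dirs if os.path.isdir(d)), None)
    return {"builtin_ok": builtin_ok, "cafile": cafile, "capath": capath,
            "env_file": defaults.openssl_cafile_env,
            "env_dir": defaults.openssl_capath_env}


def export_lines(result, shell="bash"):
    """Render the workaround commands for bash or tcsh."""
    fmt = "export {}={}" if shell == "bash" else "setenv {} {}"
    pairs = [(result["env_file"], result["cafile"]),
             (result["env_dir"], result["capath"])]
    return [fmt.format(name, value) for name, value in pairs if value]


if __name__ == "__main__":
    res = diagnose(ssl.get_default_verify_paths())
    if res["builtin_ok"]:
        print("# compiled-in CA file is usable; no override needed")
    for line in export_lines(res):
        print(line)
```

Run it with the CIAO python; if it prints nothing, none of the candidate locations exist and the paths reported by the system Python should be used instead.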


Bugs fixed in CIAO 4.12

The following is a list of bugs that were fixed in the CIAO 4.12 software release.

Missing SSL support in some Python installations of CIAO 4.11 (11 May 2018)

Some builds of CIAO 4.11 have a Python installation that does not support SSL connections. This affects the El Capitan and Sierra builds for macOS, and may also happen for Linux builds (if the system OpenSSL installation conflicts with that used to build CIAO). A simple check is to see if the following command succeeds (there is no output), or errors out:

% python -c 'import ssl;'

The lack of SSL support is not a problem for running CIAO tools and packages, but is a problem when trying to interact from Python with a web site (or system) that is accessed via an https URL. This is most often seen when trying to use pip to install a Python package into the CIAO environment, or accessing data from a web service that is provided at an https URL, resulting in an error message like

URLError: <urlopen error unknown url type: https>

At present the simplest solution is to use a command-line tool like curl or wget to access the resource.