Skip to the navigation links
Last modified: 4 November 2020

URL: https://cxc.cfa.harvard.edu/ciao/bugs/python.html

Bugs: python


Bugs

Unable to locate SSL certificates

CIAO ships with a copy of the openSSL library. This is required to provide access to any encrypted website, ie https://. The library makes use of signed certificates on the users machine; however, the location of that certificate file is OS dependent -- different Linux distributions install the file in different locations.

Some users trying to access an encrypted URL may see an error message like

% python -c 'from urllib import request; request.urlopen("https://cxc.cfa.harvard.edu/ciao/");'
Traceback (most recent call last):
File "/home/user/ciao-4.13/ots/lib/python3.7/urllib/request.py", line 1254, in do_open
h.request(req.get_method(), req.selector, req.data, headers)
File "/home/user/ciao-4.13/ots/lib/python3.7/http/client.py", line 1107, in request
self._send_request(method, url, body, headers)
File "/home/user/ciao-4.13/ots/lib/python3.7/http/client.py", line 1152, in _send_request
self.endheaders(body) 
...
File "/home/user/ciao-4.13/ots/lib/python3.7/ssl.py", line 641, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:719)
...

Workaround:

Users can try setting the environment variables: SSL_CERT_FILE and|or SSL_CERT_DIR. These should point to the location of the cert.pm file on the system

bash$ export SSL_CERT_FILE=/etc/ssl/cert.pem 
bash$ export SSL_CERT_DIR=/etc/ssl/certs
 or
tcsh% setenv SSL_CERT_FILE /etc/ssl/cert.pem
tcsh% setenv SSL_CERT_DIR /etc/ssl/certs

If you are unsure where the certificate file is located then open a new terminal and try the following command.

$ python -c "import ssl; print(ssl.get_default_verify_paths())" 
DefaultVerifyPaths(cafile=None, capath=None,
openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/pki/tls/cert.pem',
openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/pki/tls/certs')

The SSL_CERT_FILE is the openssl_cafile_env and SSL_CERT_DIR is the openssl_capath_env.