Versions Compared

Old Version 2

changes.mady.by.user Unknown User (uscs)

Saved on

compared with

New Version 3

changes.mady.by.user Unknown User (uscs)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Problem

WARNING: httplib2.URLError received None <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Solution

The problem may be that the SSL library used in this Python version doesn't look in the correct certificate path.

  • Try from another environment.
  • Check which version of Python you are using and how it was installed and linked to openssl.
  • Check that ca-certificates are updated on your system. Important, the client, openssl on most systems, maintains a set of trusted root CAs that are used to validate the chain (intermediate cert > server cert) on a ssl connection, so they must be updated on the client.
    • Update OpenSSL, ca-certificates and Python.
    • The following are some references on how to update the ca-certificates package:
No Format
Mac OS X
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt
    # Do not update OpenSSL through Homebrew, see https://stackoverflow.com/questions/15185661/update-openssl-on-os-x-with-homebrew
 
Windows
    # Type mmc.exe on search bar of the windows menu
    # Go to File > Add / Remove Snap In > Select Certificates > Click Add > Click OK
    # Expand Certificates - Current User
    # Right Click on Trusted Root Certification Authorities > All Tasks > Import
    # Follow the steps
 
    # alternatively
    certutil -addstore -f "ROOT" new-root-certificate.crt
 
Linux (Ubuntu, Debian)
    apt install ca-certificates
    # Copy your CA to dir /usr/local/share/ca-certificates/
    sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
    sudo update-ca-certificates
 
Linux (CentOs 6)
    yum install ca-certificates
    #Enable the dynamic CA configuration feature:
    update-ca-trust force-enable
 
    #Add it as a new file to /etc/pki/ca-trust/source/anchors/:
    cp foo.crt /etc/pki/ca-trust/source/anchors/
 
    update-ca-trust extract
 
Linux (CentOs 5)
    #Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt
    cat foo.crt >> /etc/pki/tls/certs/ca-bundle.crt
 
Anaconda
    conda update openssl
    • In case you need to add a specific Root Certificate, run the following command (The browser can be used to get the same information, if not on a *nix system, on view certificate):
No Format
user@local:~> openssl s_client -connect api.ecmwf.int:443                                                                                 
CONNECTED(00000003)
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
...

Here we can see QuoVadis Root CA 2 G3 is the Root CA for api.ecmwf.int and can be downloaded from https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL.aspx and installed locally (as per the commands specified above on the specific OS).

If you have the SSL error in the last step of your request (Transferring from...), you need to install the Root CA for "stream.ecmwf.int": QuoVadis Global SSL ICA G2

  • The following is an hack for cases when updates are not possible for whatever reason:

    • Disable SSL Verification, this can be achieved by setting CURL_CA_BUNDLE="" before calling the python api:
      • CURL_CA_BUNDLE="" python main.py
    • Specify the Root CA directly, this can be achieved by setting REQUESTS_CA_BUNDLE="path to ROOT ca QuoVadis Root CA 2 G3" downloaded from the Quovadis Website (that your system cannot find somehow):
      • REQUESTS_CA_BUNDLE="/path_to_cert/QuoVadis_Root_CA_2_G3.pem" python main.py

Content by Label
showLabelsfalse
max5
spacesUDOC
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ("ssl","troubleshooting","certificate","webapi-faqs") and type = "page" and space = "UDOC"
labelswebapi-faqs troubleshooting certificate ssl


Page properties
hiddentrue


Related issues