Bug 1204160

Summary: Python SSL verification failure on F22
Product: [Fedora] Fedora
Reporter: Haïkel Guémar <karlthered>
Component: koji
Assignee: Mike McLean <mikem>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: bkabrda, contribs, dan, dennis, dmalcolm, ivazqueznet, jberan, jonathansteffan, mikem, ncoghlan, sbonazzo, tomspur, tradej
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Doc Type: Bug Fix
Last Closed: 2016-07-19 13:06:59 UTC
Type: Bug

Description Haïkel Guémar 2015-03-20 13:49:55 UTC
Description of problem: Since upgrading to F22, all Python code that checks SSL certificates fails.
I can't even submit non-scratch builds to koji using the current F22 build.


Version-Release number of selected component (if applicable):
2.7.9-5.fc22

How reproducible:
always

Steps to Reproduce:
1. koji build <target> <srpm>

Actual results:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)


Expected results:
Koji build submission succeeded!


Additional info:
ugly workaround is downgrading to F21 build
dnf --releasever=21 downgrade python{,-{libs,devel}} tkinter

Comment 1 Robert Kuska 2015-03-23 10:14:13 UTC
As of 2.7.9, Python verifies certificates by default -> it's not a bug, it's a feature.

It's up to koji to reflect this change in their code.
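
The default that comment 1 refers to, as an added example that is not part of the original thread or of koji's code: since 2.7.9 (PEP 476) the standard HTTPS client builds its context through a module-level hook that verifies by default, and a private CA is trusted by adding it to that context rather than by switching verification off. Written for Python 3 (`http.client` is `httplib` on 2.7); `hub_connection`, its `serverca` parameter and the host name are hypothetical.

```python
import http.client  # named httplib on Python 2.7
import ssl


def verification_status(ctx):
    """Report the two settings that decide whether the peer certificate is checked."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def global_default_is_verified():
    """True when HTTPS clients in this process still get a verifying context.

    The PEP 476 opt-out replaces ssl._create_default_https_context, so build a
    context through that hook and inspect what it actually hands out.
    """
    ctx = ssl._create_default_https_context()
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def hub_connection(host, serverca=None):
    """Return (connection, context) for a hub; verification is always on.

    serverca is an optional path to a PEM bundle for a private CA (assumption:
    the hub certificate chains to it). With None, the system trust store is used.
    No network traffic happens until a request is sent on the connection.
    """
    ctx = ssl.create_default_context(cafile=serverca)
    return http.client.HTTPSConnection(host, context=ctx), ctx


if __name__ == "__main__":
    # Verifying default (what 2.7.9 switched to) beside the weak setting.
    print("default   :", verification_status(ssl.create_default_context()))
    print("unverified:", verification_status(ssl._create_unverified_context()))
    print("process default still verifies:", global_default_is_verified())
    # Constructed host name, used only to show the context that would apply.
    _, ctx = hub_connection("hub.example.invalid")
    print("hub client:", verification_status(ctx))
```
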

Comment 2 Robert Kuska 2015-03-23 10:19:15 UTC
(Switching to koji - I am willing to help if needed)

Comment 3 Dennis Gilmore 2015-03-23 19:52:42 UTC
We would need more info. I do not see any failures here.

Comment 4 Dennis Gilmore 2015-03-23 19:53:24 UTC
[dennis@anubis ~]$ rpm -q koji python
koji-1.9.0-10.fc22.gitcd45e886.noarch
python-2.7.9-5.fc22.x86_64
[dennis@anubis ~]$ koji list-tasks --mine
(no tasks)

Comment 5 Dan Horák 2015-03-30 10:34:20 UTC
I can see the problem with a script from the rel-eng repo, but not with the koji CLI:

[sharkcz@devel10 ~]$ ./koji-reimport-s390.py 
Parsing package jmol-14.2.12-2.2015.01.22.fc22
Traceback (most recent call last):
  File "./koji-reimport-s390.py", line 40, in <module>
    buildinfo = primary.getBuild(pkg)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1556, in __call__
    return self.__func(self.__name,args,opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1899, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1810, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1828, in _sendOneCall
    cnx.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[sharkcz@devel10 ~]$ koji moshimoshi
नमस्कार, sharkcz!

You are using the hub at http://koji.fedoraproject.org/kojihub
[sharkcz@devel10 ~]$ koji list-tasks --mine
ID       Pri  Owner                State    Arch       Name
9364361  20   sharkcz              OPEN     noarch     build (rawhide, ostree-2015.4-5.fc23.src.rpm)
9364362  19   sharkcz              OPEN     armhfp      +buildArch (ostree-2015.4-5.fc23.src.rpm, armv7hl)
9364363  19   sharkcz              OPEN     x86_64      +buildArch (ostree-2015.4-5.fc23.src.rpm, x86_64)
9364364  19   sharkcz              OPEN     i386        +buildArch (ostree-2015.4-5.fc23.src.rpm, i686)
[sharkcz@devel10 ~]$ rpm -q python koji
python-2.7.9-5.fc22.s390x
koji-1.9.0-10.fc22.gitcd45e886.noarch

Comment 6 Dan Horák 2015-03-30 10:39:59 UTC
And this change makes the problem go away, so it is related to accessing the https koji URL without logging in first:

diff --git a/scripts/koji-reimport.py b/scripts/koji-reimport.py
index 477f105..8a58deb 100755
--- a/scripts/koji-reimport.py
+++ b/scripts/koji-reimport.py
@@ -30,6 +30,7 @@ primarykoji = 'https://koji.fedoraproject.org/kojihub'
 secondarykoji = 'https://ppc.koji.fedoraproject.org/kojihub' 
 primary = koji.ClientSession(primarykoji)
 secondary = koji.ClientSession(secondarykoji)
+primary.ssl_login(clientcrt, clientca, serverca)
 secondary.ssl_login(clientcrt, clientca, serverca) 
 
 # do the thing:
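
Review bot: The added `primary.ssl_login(clientcrt, clientca, serverca)` line makes a read-only lookup (the `primary.getBuild(pkg)` call in the comment 5 traceback) depend on a client certificate, and it appears to fix verification only because `serverca` is handed to the session as part of the login. Add a comment above the line saying the login is there so the primary hub's certificate can be verified, and check the result of both `ssl_login` calls so a failed login stops the script before it reaches `# do the thing:`. Both sessions also reuse the same `clientcrt`, `clientca` and `serverca` although `primarykoji` and `secondarykoji` are different hosts; it is worth confirming that one CA bundle covers both.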

Comment 7 Sandro Bonazzola 2015-05-28 07:46:29 UTC
Adding Patch keyword, provided in comment #6

Comment 8 Sandro Bonazzola 2015-05-28 07:50:20 UTC
$ koji --debug list-targets
Traceback (most recent call last):
  File "/usr/bin/koji", line 6575, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/bin/koji", line 3575, in anon_handle_list_targets
    activate_session(session)
  File "/usr/bin/koji", line 6545, in activate_session
    ensure_connection(session)
  File "/usr/bin/koji", line 305, in ensure_connection
    ret = session.getAPIVersion()
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1556, in __call__
    return self.__func(self.__name,args,opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1899, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1810, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1828, in _sendOneCall
    cnx.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Comment 9 Sandro Bonazzola 2015-05-28 07:51:25 UTC
$ rpm -qv koji
koji-1.9.0-15.fc22.noarch

Comment 10 Dennis Gilmore 2015-05-28 15:29:46 UTC
(In reply to Sandro Bonazzola from comment #9)
> $ rpm -qv koji
> koji-1.9.0-15.fc22.noarch

A koji build with that NVR does not exist in Fedora. There is actually no patch in comment 6, at least not for koji.

Comment 11 Fedora Admin XMLRPC Client 2016-03-10 14:45:12 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 12 Fedora End Of Life 2016-07-19 13:06:59 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.