Bug 1215141

Summary: nitrate tracebacks in F22 due to SSL certificate verification
Product: [Fedora] Fedora
Component: python-nitrate
Version: 22
Status: CLOSED EOL
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Martin Kyral <mkyral>
Assignee: Ondrej Hudlicky <ohudlick>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: azelinka, mcermak, ohudlick
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-07-19 13:51:35 UTC

Description Martin Kyral 2015-04-24 12:05:47 UTC
Description of problem:
In F22 certificate verification has been turned on by default in python. python-nitrate doesn't handle it, which leads to a traceback.
A similar issue affects beaker-client: BZ#1212517

Version-Release number of selected component (if applicable):
python-nitrate-1.2-0.fc22

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:

$ python -c "import nitrate ; print nitrate.TestPlan(3783).name"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/nitrate/base.py", line 64, in getter
    self._fetch()
  File "/usr/lib/python2.7/site-packages/nitrate/mutable.py", line 272, in _fetch
    inject = self._server.TestPlan.get(self.id)
  File "/usr/lib/python2.7/site-packages/nitrate/base.py", line 205, in _server
    Config().nitrate.url).server
  File "/usr/lib/python2.7/site-packages/nitrate/xmlrpc.py", line 511, in __init__
    login_dict = self.do_command("Auth.login_krbv", [])
  File "/usr/lib/python2.7/site-packages/nitrate/xmlrpc.py", line 461, in do_command
    return eval(cmd)
  File "<string>", line 1, in <module>
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1591, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/nitrate/xmlrpc.py", line 150, in single_request_with_cookies
    self.send_content(h,request_body)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1448, in send_content
    connection.endheaders(request_body)
  File "/usr/lib64/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 567, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 789, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)


Expected results:

$ python -c "import nitrate ; print nitrate.TestPlan(3783).name"
BaseOS / Components / Apps

Additional info:

There's a simple but nasty workaround: turn off the certificate checking in /usr/lib64/python2.7/ssl.py, line 472 - change the default context as follows:
_create_default_https_context = _create_unverified_context
However, this workaround won't survive a python-libs update.
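
A scoped alternative to the global workaround described above, as an added example that is not part of the original report and is not python-nitrate's code: trust the server's CA for one XML-RPC client only, and detect whether the process-wide default has been switched to the unverified context. It assumes Python 3 (`xmlrpc.client` is the Python 3 name of `xmlrpclib`); the function names, the `ca_bundle` parameter and the URL are hypothetical, and python-nitrate's own cookie-handling transport seen in the traceback is not reproduced.

```python
import ssl
import urllib.parse
import xmlrpc.client  # Python 3 name of the xmlrpclib module in the traceback


def default_https_context_is_unverified():
    """Detect the process-wide workaround from the report: the default HTTPS
    context factory replaced by ssl._create_unverified_context."""
    return ssl._create_default_https_context is ssl._create_unverified_context


def verified_transport(ca_bundle=None):
    """Build an XML-RPC HTTPS transport that verifies the server certificate.

    ca_bundle is a path to a PEM file holding the CA that signed the server
    certificate (hypothetical, supplied by the caller). None means the
    system trust store.
    """
    context = ssl.create_default_context(cafile=ca_bundle)
    # These are already the defaults; setting them explicitly keeps the
    # intent visible if the context is modified later.
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    return xmlrpc.client.SafeTransport(context=context)


def make_proxy(url, ca_bundle=None):
    """Return a ServerProxy for url that only speaks verified HTTPS."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS XML-RPC endpoint: %r" % url)
    return xmlrpc.client.ServerProxy(url, transport=verified_transport(ca_bundle))


if __name__ == "__main__":
    print("global verification disabled:", default_https_context_is_unverified())
    # Constructed placeholder URL; building the proxy opens no connection.
    proxy = make_proxy("https://nitrate.example.invalid/xmlrpc/")
    print("proxy ready:", proxy)
```

With this approach the trust decision stays local to the one client, so other HTTPS users in the same process keep certificate verification and nothing in python-libs is modified.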

Comment 1 Martin Cermak 2016-01-12 11:09:13 UTC
This works the issue around in my scripts:
https://bugzilla.redhat.com/attachment.cgi?id=1075613&action=diff

Comment 2 Martin Cermak 2016-01-12 11:11:31 UTC
Related: bz1204160, bz1231616.

Comment 3 Ales Zelinka 2016-02-17 15:21:49 UTC
ping? this also affects F23.

Comment 5 Fedora End Of Life 2016-07-19 13:51:35 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.