Bug 1231616

Summary: [abrt] koji: ssl.py:808:do_handshake:SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Product: [Fedora] Fedora Reporter: Sandro Bonazzola <sbonazzo>
Component: kojiAssignee: Mike McLean <mikem>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: dennis, fabian.arrotin, hguemar, hhorak, mikem
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/f9b46f655789a64ce54a401fbcabdee53ab12282
Whiteboard: abrt_hash:36f35da304805620d59249aea51d399b55536111
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 14:50:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: environ
none
Workaround to make koji client working against CBS instance when using python >= 2.7.9 none

Description Sandro Bonazzola 2015-06-15 05:35:43 UTC 
Description of problem:
koji -d list-tagged on cbs.centos.org using https

Version-Release number of selected component:
koji-1.9.0-15.fc22

Additional info:
reporter:       libreport-2.5.1
cmdline:        /usr/bin/python /usr/bin/koji -d list-tagged virt7-kvm-common-testing
dso_list:       python-libs-2.7.10-1.fc22.x86_64
executable:     /usr/bin/koji
kernel:         4.0.4-303.fc22.x86_64
runlevel:       N 5
type:           Python
uid:            20528

Truncated backtrace:
ssl.py:808:do_handshake:SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Traceback (most recent call last):
  File "/usr/bin/koji", line 6575, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/bin/koji", line 2620, in anon_handle_list_tagged
    activate_session(session)
  File "/usr/bin/koji", line 6545, in activate_session
    ensure_connection(session)
  File "/usr/bin/koji", line 305, in ensure_connection
    ret = session.getAPIVersion()
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1556, in __call__
    return self.__func(self.__name,args,opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1899, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1810, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1828, in _sendOneCall
    cnx.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 1049, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 893, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 855, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1274, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 579, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Local variables in innermost frame:
self: <ssl.SSLSocket object at 0x7f8d41203230>
block: False
timeout: 43200.0
Comment 1 Sandro Bonazzola 2015-06-15 05:35:47 UTC 
Created attachment 1038769 [details]
File: backtrace
Comment 2 Sandro Bonazzola 2015-06-15 05:35:49 UTC 
Created attachment 1038770 [details]
File: environ
Comment 3 hguemar 2015-09-21 22:08:24 UTC 
I think this issue is related to python.
If downgrade to F21 python package (2.7.8), it does not fail on F22 and F23.
Comment 4 hguemar 2015-09-21 22:35:31 UTC 
Created attachment 1075613 [details]
Workaround to make koji client working against CBS instance when using python >= 2.7.9

Needs CBS admin input, I don't get why the same koji client works fine with Fedora Koji instance and not CBS. This could a configuration issue.
Comment 5 Honza Horak 2015-10-01 19:07:06 UTC 
The workaround works for me as well.
Comment 6 Fabian Arrotin 2015-10-02 05:55:23 UTC 
Just to add that the current certificate presented by that koji instance doesn't seem to be the right one : it's CN is actually "kojihub" which isn't correct and so doesn't match with hostname cbs.centos.org, reason why python complains (and for a good reason)
Just to verify : can someone update is local resolver ( /etc/hosts is fine) with 66.187.224.194	kojihub
and then ~/.koji/config with kojihub instead of cbs.centos.org and verify that "koji moshimoshi" then works fine without that patch ?
Comment 7 Honza Horak 2015-10-02 06:48:16 UTC 
Well, when I try the "koji moshimoshi", I get correct output even without changing the host. What doesn't work for me is for example "koji list-targets".

So, I've added "66.187.224.194 kojihub" into /etc/hosts and used the following values in the koji config:

  server = https://kojihub/kojihub/
  weburl = https://kojihub/koji
  topurl = https://kojihub/kojifiles

But I still get the same output for both "koji moshimoshi" (works) and "koji list-targets", which prints:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Comment 8 Fabian Arrotin 2015-10-02 07:03:03 UTC 
Just worth noting that the distributed/given config has http://cbs.centos.org/{kojihub,koji,kojifiles} and not https.
I know it can be confusing, as we give a http url, but then koji switches to TLS for cert validation. 
Just curious, why have you updated your config to not be the same given by the guy maintaining that koji environment ? Can you give it a try please ?

Also worth noting that we'll also change all the current Koji TLS cert validation once we'll migrate to FAS (and it's now ready) so all those bad certs will go away (as it's true that there is still an misconfiguration issue at the cbs/koji level)
Comment 9 Fedora Admin XMLRPC Client 2016-03-10 14:45:02 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 10 Fedora End Of Life 2016-07-19 14:50:12 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.