Description of problem:
since upgrading to F22, all python code checking SSL certificate fails. I can't even submit non-scratch builds to koji using the current F22 build.
Version-Release number of selected component (if applicable):
2.7.9-5.fc22
How reproducible:
always
Steps to Reproduce:
1. koji build <target> <srpm>
Actual results:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
Expected results:
Koji build submission succeeded !
Additional info:
ugly workaround is downgrading to F21 build
dnf --releasever=21 downgrade python{,-{libs,devel}} tkinter
As of 2.7.9 Python verifies certificates by default -> it's not a bug it's a feature. It's up to koji to reflect this change in their code.
(Switching to koji - I am willing to help if needed)
we would need more info. I do not see any failures here.
[dennis@anubis ~]$ rpm -q koji python
koji-1.9.0-10.fc22.gitcd45e886.noarch
python-2.7.9-5.fc22.x86_64
[dennis@anubis ~]$ koji list-tasks --mine
(no tasks)
I can see the problem with a script from rel-eng repo, but not with koji cli
[sharkcz@devel10 ~]$ ./koji-reimport-s390.py
Parsing package jmol-14.2.12-2.2015.01.22.fc22
Traceback (most recent call last):
  File "./koji-reimport-s390.py", line 40, in <module>
    buildinfo = primary.getBuild(pkg)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1556, in __call__
    return self.__func(self.__name,args,opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1899, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1810, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1828, in _sendOneCall
    cnx.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[sharkcz@devel10 ~]$ koji moshimoshi
नमस्कार, sharkcz!
You are using the hub at http://koji.fedoraproject.org/kojihub
[sharkcz@devel10 ~]$ koji list-tasks --mine
ID Pri Owner State Arch Name
9364361 20 sharkcz OPEN noarch build (rawhide, ostree-2015.4-5.fc23.src.rpm)
9364362 19 sharkcz OPEN armhfp +buildArch (ostree-2015.4-5.fc23.src.rpm, armv7hl)
9364363 19 sharkcz OPEN x86_64 +buildArch (ostree-2015.4-5.fc23.src.rpm, x86_64)
9364364 19 sharkcz OPEN i386 +buildArch (ostree-2015.4-5.fc23.src.rpm, i686)
[sharkcz@devel10 ~]$ rpm -q python koji
python-2.7.9-5.fc22.s390x
koji-1.9.0-10.fc22.gitcd45e886.noarch
and this change makes the problem go away, so it is related to access https koji url without logging in first diff --git a/scripts/koji-reimport.py b/scripts/koji-reimport.py index 477f105..8a58deb 100755 --- a/scripts/koji-reimport.py +++ b/scripts/koji-reimport.py @@ -30,6 +30,7 @@ primarykoji = 'https://koji.fedoraproject.org/kojihub' secondarykoji = 'https://ppc.koji.fedoraproject.org/kojihub' primary = koji.ClientSession(primarykoji) secondary = koji.ClientSession(secondarykoji) +primary.ssl_login(clientcrt, clientca, serverca) secondary.ssl_login(clientcrt, clientca, serverca) # do the thing:
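Review bot: The added `primary.ssl_login(clientcrt, clientca, serverca)` line passes the same `serverca` that the existing `secondary.ssl_login(...)` call uses, although the two sessions point at different hosts (`koji.fedoraproject.org` and `ppc.koji.fedoraproject.org`), so it is worth confirming that this CA file validates the primary hub's certificate as well. The hunk also gives no reason for logging in on the primary session; a one-line comment above the new call saying that it is there so the HTTPS connection to the primary hub is verified against `serverca` would keep a later cleanup from dropping it as redundant.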
Adding Patch keyword, provided in comment #6
$ koji --debug list-targets
Traceback (most recent call last):
  File "/usr/bin/koji", line 6575, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/bin/koji", line 3575, in anon_handle_list_targets
    activate_session(session)
  File "/usr/bin/koji", line 6545, in activate_session
    ensure_connection(session)
  File "/usr/bin/koji", line 305, in ensure_connection
    ret = session.getAPIVersion()
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1556, in __call__
    return self.__func(self.__name,args,opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1899, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1810, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1828, in _sendOneCall
    cnx.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
$ rpm -qv koji
koji-1.9.0-15.fc22.noarch
(In reply to Sandro Bonazzola from comment #9)
> $ rpm -qv koji
> koji-1.9.0-15.fc22.noarch
a koji build with that nvr does not exist in fedora. there is actually no patch in comment 6 at least not for koji
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.