Description of problem: This KB article describes what updates have been released for Python so it can verify HTTPS connections: https://access.redhat.com/articles/2039753 It also shows a simple test script and env variable/config file to enable/disable HTTPS cert verification. This fails for me. Version-Release number of selected component (if applicable): rh-python36-2.0-1.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Create the script from the article: $ cat ssl-test #!/usr/bin/env python try: import urllib2 #python2 except: import urllib.request as urllib2 #python3 import sys req = urllib2.Request(sys.argv[1], headers={'User-Agent':'Mozilla/5.0'}) urllib2.urlopen(req) [senko@aero Kiwi]$ cat ssl-test #!/usr/bin/env python try: import urllib2 #python2 except: import urllib.request as urllib2 #python3 import sys req = urllib2.Request(sys.argv[1], headers={'User-Agent':'Mozilla/5.0'}) urllib2.urlopen(req) 2. Disable verification system wide for the python36 software collection: cat /opt/rh/rh-python36/root/etc/python/cert-verification.cfg [https] verify=disable 3. execute the test script $ scl enable rh-python36 /bin/bash $ $ PYTHONHTTPSVERIFY=0 python ssl-test https://cdn.redhat.com Traceback (most recent call last): File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 1318, in do_open encode_chunked=req.has_header('Transfer-encoding')) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1239, in request self._send_request(method, url, body, headers, encode_chunked) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1285, in _send_request self.endheaders(body, encode_chunked=encode_chunked) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1234, in endheaders self._send_output(message_body, encode_chunked=encode_chunked) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1026, in _send_output self.send(msg) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 964, in send self.connect() File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1400, in connect server_hostname=server_hostname) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 407, in wrap_socket _context=self, _session=session) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 814, in __init__ self.do_handshake() File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 1068, in do_handshake self._sslobj.do_handshake() File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 689, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "ssl-test", line 10, in <module> urllib2.urlopen(req) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 223, in urlopen return opener.open(url, data, timeout) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 526, in open response = self._open(req, data) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 544, in _open '_open', req) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain result = func(*args) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 1361, in https_open context=self._context, check_hostname=self._check_hostname) File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 1320, in do_open raise URLError(err) urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)> Actual results: traceback, failure Expected results: According to the KBase article this should work. Additional info:
After update I have the following versions rpm -qa | grep rh-python rh-python36-python-pip-9.0.1-2.el7.noarch rh-python36-python-setuptools-36.5.0-1.el7.noarch rh-python36-2.0-1.el7.x86_64 rh-python36-python-3.6.3-3.el7.x86_64 rh-python36-python-libs-3.6.3-3.el7.x86_64 rh-python36-python-virtualenv-15.1.0-2.el7.noarch rh-python36-runtime-2.0-1.el7.x86_64 rh-python36-python-devel-3.6.3-3.el7.x86_64 The problem still persists.
Hello. This is actually intended and the configuration file is not supported for python 3+ From the KB article: The Python version used in the rh-python34 collection is based on upstream version 3.4.2. However, PEP 476 support was backported to this version and included since its first release via RHEA-2015:1058, released as part of the Red Hat Software Collections 2.0, with certificate verification enabled by default. It does not include any support for PEP 493 and therefore it is not possible to disable verification by default via the cert-verification.cfg The file was added on python2 for compatibility reasons, but on python3 we do not offer such an option.