topic Re: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106) in All Apps and Add-ons

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

clemes — Fri, 09 Aug 2024 05:39:55 GMT

Hello,

Can anyone help me in getting this error resolved ?

2024-08-09 10:50:00,282 DEBUG pid=8956 tid=MainThread file=connectionpool.py:_new_conn:1007 | Starting new HTTPS connection (5): cisco-managed-ap-northeast-2.s3.ap-northeast-2.amazonaws.com:443
2024-08-09 10:50:00,312 DEBUG pid=8956 tid=MainThread file=endpoint.py:_do_get_response:205 | Exception received when sending HTTP request.
Traceback (most recent call last):
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 710, in urlopen
chunked=chunked,
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/connection.py", line 429, in connect
tls_in_tls=tls_in_tls,
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
sock, context, tls_in_tls, server_hostname=server_hostname
File "/splb001/splunk_fw_teams/etc/apps/TA-cisco-cloud-security-umbrella-addon/bin/ta_cisco_cloud_security_umbrella_addon/aob_py3/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 423, in wrap_socket
session=session
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 870, in _create
self.do_handshake()
File "/splb001/splunk_fw_teams/lib/python3.7/ssl.py", line 1139, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

Re: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

PickleRick — Fri, 09 Aug 2024 12:45:05 GMT

Are you trying to set it up in Cloud or on-prem? (the section of Answers where you posted it suggests Cloud but it's better to be sure).

Re: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

clemes — Tue, 13 Aug 2024 00:11:11 GMT

On-prem

Re: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

kiran_panchavat — Wed, 14 Aug 2024 17:11:30 GMT

This indicates that the SSL certificate is either missing from the certificate store or has expired in the add-on. Additionally, if the server is configured to use a self-signed or third-party certificate, it may not be included in the certificate store used by the add-on.

Re: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

clemes — Wed, 14 Aug 2024 17:23:54 GMT

Hello,

Thank you for the response

I had taken captues, there's only 2 lines followed by an ACK and a FIN, ACK:

TLSv1.2 Client Hello
TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
TCP [ACK]
TCP [FIN, ACK]

I understood the issue is with Client certificate. Can you kindly help me answer the below:
Where do I find the certificates that is used by TA-cisco-cloud-security-umbrella-addon in Splunk ? What is the path/location of the certificate store used by the TA-cisco-cloud-security-umbrella-addon ?

Re: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

PickleRick — Thu, 15 Aug 2024 08:09:23 GMT

No. It's not about the client certificate. I understand that the FIN/ACK packet comes from your end of the connection. And the message clearly indicates that it's the server's certificate which is not trusted.

I asked about on-prev vs. cloud earlier because the additional question with an on-prem installation is whether you are using any TLS-inspection tools in your network. Either as an explicit proxy or as pass-through appliance. Anyway, first thing I'd try would be to simply openssl s_client to that Cisco service and make sure what the cert looks like before you start looking for local trusted cert store.

Re: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)

Meett — Mon, 02 Sep 2024 06:39:24 GMT

Can you try to add SSL CA Chain to below location and see if it works?

1) /opt/splunk/lib/python3.7/site-packages/certifi And 2) /etc/apps/<Add-on_folder>/lib/certify