Solved: Re: SSL error while trying to connect to splunk we...

sawgata12345 · ‎01-11-2018

HI,
I have installed splunk on CENTOS-7. splunk is opening in web and able to login and do other stuff. But while trying to connect via python sdk its showing the following error in the first line itself-

service = client.connect(host="localhost",port=8089,username="admin",password="changeme")

Traceback (most recent call last):
File "", line 1, in
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/client.py", line 321, in connect
s.login()
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/binding.py", line 857, in login
cookie="1") # In Splunk 6.2+, passing "cookie=1" will return the "set-cookie" header
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/binding.py", line 1201, in post
return self.request(url, message)
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/binding.py", line 1218, in request
response = self.handler(url, message, **kwargs)
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/binding.py", line 1357, in request
connection.request(method, path, body, head)
File "/usr/lib64/python2.7/httplib.py", line 1017, in request
self.send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 826, in send
self.connect()
File "/usr/lib64/python2.7/httplib.py", line 1236, in connect
server_hostname=sni_hostname)
File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
_context=self)
File "/usr/lib64/python2.7/ssl.py", line 611, in __init_
self.do_handshake()
File "/usr/lib64/python2.7/ssl.py", line 833, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

muralikoppula · ‎01-11-2018

@sawgata12345 If you are facing issues with Python SSL certificate verification failures (urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed ) when connecting to a HTTPS server which presents a certificate issued by an unknown CA then here is the info for controlling and troubleshooting certificate verification.

The Python packages with PEP 476 and PEP 493 support as shipped with Red Hat products allow system administrators to set whether certification verification should be enabled or disabled by default via an INI-style configuration file: /etc/python/cert-verification.cfg. In this configuration file, the default for HTTP clients in the Python standard library is set using the verify option in the [https] section. The section may look like this:

[https]
verify=enable

Valid values are enable (verification is enabled by default), disable (verification is disabled by default), and platform_default (use the platform specific default hard-coded in the ssl module). Users are encouraged to test their applications with enable and only use disable if verification causes problems in their environments, and only until those problem can be resolved (e.g. by ensuring that the certificate authority (CA) used by their systems is configured as trusted, or by modifying applications that should continue running with verification disabled). When the platform_default value is used, the actual default may change as additional Python packages updates with different hard-coded default are released in the future.

View solution in original post

rafajot · ‎12-10-2019

This has already been suggested in a comment by @bmacias84 but I think it deserves separate answer.
Assuming fixing certificate issue is not an option:

import ssl

_create_unverified_https_context = ssl._create_unverified_context
ssl._create_default_https_context = _create_unverified_https_context
service = client.connect(...)

mhergh · ‎11-04-2019

For me it the following solved the problem (assuming $SPLUNK_HOME == '/opt/splunk'):

export LD_LIBRARY_PATH=/opt/splunk/lib
/opt/splunk/bin/splunk cmd python
import ssl
Ctrl-D

The part with cmd python I saw it sowewhere here in the forum.

bmacias84 · ‎01-11-2018

This error is caused by using the Splunk Default Cert or a Self Signed cert. If you use a valid cert this error will go way. You can get around this by setting context=ssl._create_unverified_context() for httplib, but i don't know if the SDK support this arg.

sawgata12345 · ‎01-11-2018

Hi,
I used ubuntu14 to install splunk and the python sdk in the same machine then I am not facing this issue(Here default certificate itself worked). This happened in production enviroment with CentOS7.

I am not directly using httplib, its all wrapped in by pythonsdk for splunk in the below command itself
service = client.connect(host="localhost",port=8089,username="admin",password="changeme")
this command gives a service object via which we can create more objects and get results from splunk.

Python version installed in the VM is 2.7.5.

bmacias84 · ‎01-12-2018

It doesnt matter if you are not using the httplib as the Splunk SDK uses it. What version of python is the Centos-7? There where some big changes to the default behavior of SSL within Python. Starting in Python 2.7.9 certificates are verified by default in httplib. https://hg.python.org/cpython/raw-file/v2.7.9/Misc/NEWS
http://legacy.python.org/dev/peps/pep-0476/

sawgata12345 · ‎01-15-2018

Hi
thanks
yes it was python version issue. with the higher version of python 2.7.10 solved the SSL issue.

muralikoppula · ‎01-11-2018

@sawgata12345 If you are facing issues with Python SSL certificate verification failures (urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed ) when connecting to a HTTPS server which presents a certificate issued by an unknown CA then here is the info for controlling and troubleshooting certificate verification.

The Python packages with PEP 476 and PEP 493 support as shipped with Red Hat products allow system administrators to set whether certification verification should be enabled or disabled by default via an INI-style configuration file: /etc/python/cert-verification.cfg. In this configuration file, the default for HTTP clients in the Python standard library is set using the verify option in the [https] section. The section may look like this:

[https]
verify=enable

Valid values are enable (verification is enabled by default), disable (verification is disabled by default), and platform_default (use the platform specific default hard-coded in the ssl module). Users are encouraged to test their applications with enable and only use disable if verification causes problems in their environments, and only until those problem can be resolved (e.g. by ensuring that the certificate authority (CA) used by their systems is configured as trusted, or by modifying applications that should continue running with verification disabled). When the platform_default value is used, the actual default may change as additional Python packages updates with different hard-coded default are released in the future.

micahkemp · ‎01-12-2018

I just ran into this issue and this also corrected the behavior.

haktor5 · ‎04-17-2019

Thanks for this answer!!!

Setting verify=disable solved my issue.

ctxrag · ‎03-28-2018

@muralikoppula how to do this on windows python setup?

I am getting this:
File "C:\Python27\Lib\ssl.py", line 840, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

SSL error while trying to connect to splunk web from python in CentOS-7

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM