SSL error while trying to connect to splunk web from python in CentOS-7

Path Finder

Hi,
I have installed Splunk on CentOS-7. Splunk is opening in the web and I am able to log in and do other stuff. But while trying to connect via the Python SDK, it's showing the following error on the first line itself:

service = client.connect(host="localhost",port=8089,username="admin",password="changeme")

Traceback (most recent call last):
File "", line 1, in
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/client.py", line 321, in connect
s.login()
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/binding.py", line 857, in login
cookie="1") # In Splunk 6.2+, passing "cookie=1" will return the "set-cookie" header
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/binding.py", line 1201, in post
return self.request(url, message)
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/binding.py", line 1218, in request
response = self.handler(url, message, **kwargs)
File "/usr/lib/python2.7/site-packages/splunk_sdk-1.6.2-py2.7.egg/splunklib/binding.py", line 1357, in request
connection.request(method, path, body, head)
File "/usr/lib64/python2.7/httplib.py", line 1017, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 826, in send
self.connect()
File "/usr/lib64/python2.7/httplib.py", line 1236, in connect
server_hostname=sni_hostname)
File "/usr/lib64/python2.7/ssl.py", line 350, in wrap_socket
_context=self)
File "/usr/lib64/python2.7/ssl.py", line 611, in __init__
self.do_handshake()
File "/usr/lib64/python2.7/ssl.py", line 833, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Explorer

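This has already been suggested in a comment by @bmacias84, but I think it deserves a separate answer.
Assuming fixing the certificate issue is not an option:

import ssl
import splunklib.client as client

# Swap the default HTTPS context factory for the unverified one. This turns off
# certificate verification for every stdlib HTTPS connection in the process.
_create_unverified_https_context = ssl._create_unverified_context
ssl._create_default_https_context = _create_unverified_https_context
service = client.connect(...)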
0 Karma

Explorer

For me the following solved the problem (assuming $SPLUNK_HOME == '/opt/splunk'):

  1. export LD_LIBRARY_PATH=/opt/splunk/lib

  2. /opt/splunk/bin/splunk cmd python

  3. import ssl

  4. Ctrl-D

The part with cmd python I saw somewhere here in the forum.

0 Karma

Champion

This error is caused by using the Splunk default cert or a self-signed cert. If you use a valid cert this error will go away. You can get around this by setting context=ssl._create_unverified_context() for httplib, but I don't know if the SDK supports this arg.

0 Karma

Path Finder

Hi,
I used Ubuntu 14 to install Splunk and the Python SDK on the same machine, and there I am not facing this issue (here the default certificate itself worked). This happened in the production environment with CentOS 7.

I am not directly using httplib; it's all wrapped by the Python SDK for Splunk in the command below:
service = client.connect(host="localhost",port=8089,username="admin",password="changeme")
This command gives a service object via which we can create more objects and get results from Splunk.

Python version installed in the VM is 2.7.5.

0 Karma

Champion

It doesn't matter if you are not using httplib, as the Splunk SDK uses it. What version of Python is on the CentOS-7? There were some big changes to the default behavior of SSL within Python. Starting in Python 2.7.9 certificates are verified by default in httplib. https://hg.python.org/cpython/raw-file/v2.7.9/Misc/NEWS
http://legacy.python.org/dev/peps/pep-0476/

0 Karma

Path Finder

Hi,
Thanks.
Yes, it was a Python version issue. The higher version of Python, 2.7.10, solved the SSL issue.

0 Karma

Communicator

@sawgata12345 If you are facing issues with Python SSL certificate verification failures (urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed) when connecting to an HTTPS server which presents a certificate issued by an unknown CA, then here is the info for controlling and troubleshooting certificate verification.

The Python packages with PEP 476 and PEP 493 support as shipped with Red Hat products allow system administrators to set whether certificate verification should be enabled or disabled by default via an INI-style configuration file: /etc/python/cert-verification.cfg. In this configuration file, the default for HTTP clients in the Python standard library is set using the verify option in the [https] section. The section may look like this:

[https]
verify=enable

Valid values are enable (verification is enabled by default), disable (verification is disabled by default), and platform_default (use the platform-specific default hard-coded in the ssl module). Users are encouraged to test their applications with enable and only use disable if verification causes problems in their environments, and only until those problems can be resolved (e.g. by ensuring that the certificate authority (CA) used by their systems is configured as trusted, or by modifying applications that should continue running with verification disabled). When the platform_default value is used, the actual default may change as additional Python package updates with different hard-coded defaults are released in the future.
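
An audit helper for the setting described in the answer above, added here as an example (not code from the original post, Red Hat or Splunk): it resolves which default is in effect so that a host left on verify=disable can be found and reverted. Assumptions: the function and variable names are illustrative, the PYTHONHTTPSVERIFY precedence follows PEP 493's recommendation for combined backports, and the script itself runs on Python 3.

```python
import configparser
import os

CFG_PATH = "/etc/python/cert-verification.cfg"  # path named in the answer above
VALID = ("enable", "disable", "platform_default")

def effective_https_verify(cfg_text, environ=None):
    """Return (setting, source, warnings) for the stdlib HTTPS default.

    Assumption: precedence as PEP 493 recommends for combined backports.
    PYTHONHTTPSVERIFY beats the file; "0" disables, anything else enables.
    """
    environ = os.environ if environ is None else environ
    warnings = []
    env = environ.get("PYTHONHTTPSVERIFY")
    if env is not None:
        setting, source = ("disable" if env == "0" else "enable"), "PYTHONHTTPSVERIFY"
    else:
        parser = configparser.RawConfigParser()
        source = "config"
        try:
            parser.read_string(cfg_text)
            setting = parser.get("https", "verify")
        except configparser.Error:  # empty file, no [https] section, no verify key
            setting, source = "platform_default", "fallback"
        if setting not in VALID:
            warnings.append("unknown verify value %r, treated as platform_default" % setting)
            setting = "platform_default"
    if setting == "disable":
        warnings.append("verification is off for every stdlib HTTPS client")
    elif setting == "platform_default":
        warnings.append("default comes from the ssl module and may change with updates")
    return setting, source, warnings

def audit(path=CFG_PATH):
    """Read the real file if it exists and report the effective setting."""
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = ""
    return effective_https_verify(text)

if __name__ == "__main__":
    setting, source, notes = audit()
    print("verify=%s (from %s)" % (setting, source))
    for note in notes:
        print("warning: " + note)
```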

Champion

I just ran into this issue and this also corrected the behavior.

0 Karma

Explorer

Thanks for this answer!!!

Setting verify=disable solved my issue.

0 Karma

Explorer

@muralikoppula how to do this on a Windows Python setup?

I am getting this:
File "C:\Python27\Lib\ssl.py", line 840, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

0 Karma