Page MenuHomePhabricator

SSL CERTIFICATE_VERIFY_FAILED on generating family file
Closed, InvalidPublic

Description

Tested with the latest github build. SSL CERTIFICATE_VERIFY_FAILED for https://dnd-wiki.org/wiki/Main_Page (which does have a valid SSL certificate):

$ python3 generate_family_file.py https://dnd-wiki.org/wiki/Main_Page dndwiki
Generating family file from https://dnd-wiki.org/wiki/Main_Page
Traceback (most recent call last):
  File "generate_family_file.py", line 226, in <module>
    FamilyFileGenerator(*sys.argv[1:]).run()
  File "generate_family_file.py", line 48, in run
    w = Wiki(self.base_url)
  File "/home/user/dndwiki/core/pywikibot/site_detect.py", line 58, in __init__
    r = fetch(fromurl)
  File "/home/user/dndwiki/core/pywikibot/comms/http.py", line 530, in fetch
    error_handling_callback(request)
  File "/home/user/dndwiki/core/pywikibot/comms/http.py", line 411, in error_handling_callback
    raise FatalServerError(str(request.data))
pywikibot.exceptions.FatalServerError: HTTPSConnectionPool(host='dnd-wiki.org', port=443): Max retries exceeded with url: /wiki/Main_Page (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1051)')))
<class 'pywikibot.exceptions.FatalServerError'>
CRITICAL: Closing network session.
$ python3 pwb.py version.py
Pywikibot: [https] r-p-pywikibot-core (3dbd82c, g10483, 2018/12/10, 11:41:03, ok)
Release version: 3.1.dev0
requests version: 2.20.0
  cacerts: /etc/pki/tls/certs/ca-bundle.crt
    certificate test: ok
Python: 3.7.1 (default, Nov 23 2018, 10:01:49) 
[GCC 8.2.1 20181105 (Red Hat 8.2.1-5)]
PYWIKIBOT_DIR: Not set
PYWIKIBOT_DIR_PWB: 
PYWIKIBOT_NO_USER_CONFIG: 2
Config base dir: /home/user/dndwiki/core

Having a play in the meantime to just disable the HTTPS verification, but still frustratin' :(

Event Timeline

SgtLion created this task.Dec 12 2018, 8:22 PM
Restricted Application added a project: Traffic. · View Herald TranscriptDec 12 2018, 8:22 PM
Restricted Application added subscribers: pywikibot-bugs-list, Aklapper. · View Herald Transcript
SgtLion updated the task description. (Show Details)Dec 12 2018, 8:24 PM
Restricted Application added a project: Operations. · View Herald TranscriptDec 12 2018, 8:24 PM
SgtLion updated the task description. (Show Details)Dec 12 2018, 8:25 PM
BBlack added a subscriber: BBlack.

Tag edit because all of those are specific to WMF Ops and this ticket isn't!

Mpaa added a subscriber: Mpaa.Dec 12 2018, 9:11 PM

I don't think it is a pywikibot issue.

Krenair added a subscriber: Krenair.EditedDec 12 2018, 10:29 PM

Yeah it seems to be a problem with the configuration of that web server. It looks like dnd-wiki.org is configured to send its own cert but not the cert that issued it. It's issued by RapidSSL RSA CA 2018: https://knowledge.digicert.com/solution/SO29689.html
I think browsers are forgiving about servers omitting intermediate CA certs that they've seen in the past. Other TLS code is not.

I suppose that makes sense; No surprise if this turns out to not be worth addressing, then~

Mpaa removed a subscriber: pywikibot-bugs-list.
Aklapper closed this task as Invalid.Dec 16 2018, 6:16 PM

Problem cannot be solved in Wikimedia code but only in webserver configuration, hence closing task