Python 2.7.9 checks https certificates by default
https://docs.python.org/2.7/whatsnew/2.7.html#pep-476-enabling-certificate-verification-by-default-for-stdlib-http-clients
and https://setup.myharmony.com currently fails because its certificate logs have not been published.
http://www.certificate-transparency.org/what-is-ct
(show by opening in Google Chrome)
Patch attached that disables the certificate check.
N.B. This patch will only work with Python 2.7.9 or greater.
urllib2.urlopen(url[, data[, timeout[, cafile[, capath[, cadefault[, context]]]]]
Changed in version 2.7.9: cafile, capath, cadefault, and context were added.
https://docs.python.org/2/library/urllib2.html#module-urllib2
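An added example (not the attached patch, not congruity code) showing the alternative to disabling the check: keep verification on and use the `context`/`cafile` support that 2.7.9 added to point urlopen at a chosen CA bundle, so a broken bundle yields a clear SSL error instead of silent trust. It runs on Python 2.7.9+ and 3; the function names and the `fetch_status` result shape are this example's own.

```python
import ssl
try:
    from urllib2 import urlopen, URLError            # Python 2.7.9+
except ImportError:
    from urllib.request import urlopen               # Python 3
    from urllib.error import URLError


def make_verified_context(cafile=None):
    """Context that requires a valid chain and a matching hostname.

    cafile=None uses the platform trust store (the ca-certificates bundle
    the thread compares); a path lets you try another bundle without
    patching verification out of the client."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; made explicit
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx):
    """True when ctx will reject untrusted chains and hostname mismatches."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_status(url, cafile=None, timeout=10):
    """Open url with verification on.

    Returns ('ok', http_status), ('ssl_error', reason) for a failed
    verification, or ('error', reason) for any other URLError."""
    ctx = make_verified_context(cafile)
    try:
        resp = urlopen(url, timeout=timeout, context=ctx)
        return ("ok", resp.getcode())
    except URLError as e:
        reason = e.reason
        if isinstance(reason, ssl.SSLError):
            return ("ssl_error", str(reason))
        return ("error", str(reason))


if __name__ == "__main__":
    import sys
    # Optional argv[1]: path to a CA bundle to test, e.g. Debian's unmodified one.
    bundle = sys.argv[1] if len(sys.argv) > 1 else None
    print(fetch_status("https://setup.myharmony.com", cafile=bundle))
```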
Thanks for the report. I'm not seeing any issue on Fedora Rawhide w/ Python 2.7.9, though. I'm wondering if they disabled the certificate check? What distro are you using?
I'm using Gentoo.
My problem. It occurs with their certificate collection:
app-misc/ca-certificates-20141019.3.17.4
Going back to:
app-misc/ca-certificates-20140927.3.17.2
and it works fine. Please close.
I want to look into this a little more before closing. I tried on Debian Unstable, which also has ca-certificates-20141019 and Python 2.7.9, but there was no problem there either. It looks like some Thawte certificates got removed in 20141019, so maybe that's what caused the problem.
Maybe as described here:
https://bugs.gentoo.org/show_bug.cgi?id=544276
I have openssl-1.0.1l
I'm confused. On Debian Unstable (w/ openssl 1.0.2a, ca-certificates 20141019, and python 2.7.9), openssl seems to complain but connects anyway:
openssl s_client -connect setup.myharmony.com:443
...
Verify return code: 20 (unable to get local issuer certificate)
Python seems happy:
talbert@debian-unstable:~/git-congruity$ python
Python 2.7.9 (default, Apr 29 2015, 18:34:06)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
What errors do openssl and python show on Gentoo with 20141019 certificates?
Description of how the Gentoo certificates are created from Debian ones:
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-misc/ca-certificates/ca-certificates-20141019.3.17.4.ebuild?revision=1.1&view=markup#l5
I created my own package, app-misc/ca-certificates-20141019, which uses the Debian certificates unmodified and works fine.
Results below all with dev-libs/openssl-1.0.1l-r1
and ca.py:
app-misc/ca-certificates-20140927.3.17.2
openssl s_client -connect setup.myharmony.com:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify return:1
depth=0 C = US, ST = California, L = Newark, O = Logitech Inc., OU = IDC, CN = *.myharmony.com
verify return:1
Certificate chain
0 s:/C=US/ST=California/L=Newark/O=Logitech Inc./OU=IDC/CN=*.myharmony.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
...
Verify return code: 0 (ok)
$ ./ca.py
[No Output]
app-misc/ca-certificates-20141019.3.17.4
$ openssl s_client -connect setup.myharmony.com:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
0 s:/C=US/ST=California/L=Newark/O=Logitech Inc./OU=IDC/CN=*.myharmony.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
...
Verify return code: 20 (unable to get local issuer certificate)
$ ./ca.py
...
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
app-misc/ca-certificates-20141019
$ openssl s_client -connect setup.myharmony.com:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify return:1
depth=0 C = US, ST = California, L = Newark, O = Logitech Inc., OU = IDC, CN = *.myharmony.com
verify return:1
Certificate chain
0 s:/C=US/ST=California/L=Newark/O=Logitech Inc./OU=IDC/CN=*.myharmony.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
...
Verify return code: 0 (ok)
$ ./ca.py
[No Output]
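An added example, not from this thread, in Python (the language of ca.py): it reduces an `openssl s_client` run like the three above to the depth at which verification first failed, which is the fact the bundle comparison turns on. The two sample strings are the verify lines copied from the quoted runs; the function names are this example's own.

```python
import re

# Samples copied from the s_client runs quoted above
# (Gentoo ca-certificates-20141019.3.17.4 fails, 20140927.3.17.2 works).
FAILING_RUN = """depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Verify return code: 20 (unable to get local issuer certificate)
"""
WORKING_RUN = """depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify return:1
depth=0 C = US, ST = California, L = Newark, O = Logitech Inc., OU = IDC, CN = *.myharmony.com
verify return:1
Verify return code: 0 (ok)
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):")
FINAL_RE = re.compile(r"^Verify return code: (\d+) \(")


def summarize_s_client(output):
    """Return (return_code, failed_depth, failed_subject); the last two are
    None when every depth verified. OpenSSL reports depths root-first."""
    code, failed_depth, failed_subject = None, None, None
    depth, subject = None, None
    for line in output.splitlines():
        line = line.strip()
        m = DEPTH_RE.match(line)
        if m:
            depth, subject = int(m.group(1)), m.group(2)
        elif ERROR_RE.match(line) and failed_depth is None:
            failed_depth, failed_subject = depth, subject  # first error wins
        elif FINAL_RE.match(line):
            code = int(FINAL_RE.match(line).group(1))
    return code, failed_depth, failed_subject


def explain(output):
    """One-line diagnosis; code 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY."""
    code, depth, subject = summarize_s_client(output)
    if code == 0:
        return "chain verified"
    if code == 20:
        return ("no trusted issuer found locally for depth %d (%s): the CA bundle "
                "lacks that issuer or does not hold this certificate as a root" % (depth, subject))
    return "verification failed with code %s at depth %s" % (code, depth)
```

Feed it `openssl s_client -connect host:443 </dev/null 2>&1` output to get the same one-line answer for any bundle under test.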
Have you run into any more SSL problems with setup.myharmony.com? Is there anything we need to do here?
All seems to be fine now, even with ca-certificates-20141019.3.17.4:
this is now openssl-1.0.2e
OK, closing the issue. Happy New Year!