kubernetes python3.5 SSLError(“bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)”,)

2
votes

I followed the examples:

from kubernetes import client, config

config.load_kube_config()

v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
    print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))

But always got this error:

2018-08-28 23:03:48,818 WARNING Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),)': /api/v1/pods?watch=False

...ommit some retry logs

Traceback (most recent call last):
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/contrib/pyopenssl.py", line 444, in wrap_socket
    cnx.do_handshake()
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1907, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
    _raise_current_error()
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connection.py", line 356, in connect
    ssl_context=context)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/util/ssl_.py", line 372, in ssl_wrap_socket
    return context.wrap_socket(sock)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/contrib/pyopenssl.py", line 450, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/apis/core_v1_api.py", line 13608, in list_pod_for_all_namespaces
    (data) = self.list_pod_for_all_namespaces_with_http_info(**kwargs)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/apis/core_v1_api.py", line 13705, in list_pod_for_all_namespaces_with_http_info
    collection_formats=collection_formats)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 321, in call_api
    _return_http_data_only, collection_formats, _preload_content, _request_timeout)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 155, in __call_api
    _request_timeout=_request_timeout)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 342, in request
    headers=headers)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/rest.py", line 231, in GET
    query_params=query_params)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/rest.py", line 205, in request
    headers=headers)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/request.py", line 68, in request
    **urlopen_kw)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/request.py", line 89, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/poolmanager.py", line 322, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 667, in urlopen
    **response_kw)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='xx.xx.xx.xx', port=xxxx): Max retries exceeded with url: /api/v1/pods?watch=False (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

Mac OSX 10.13.6

kubectl version

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-08T16:31:10Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"darwin/amd64"}

Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.4", GitCommit:"5ca598b4ba5abb89bb773071ce452e33fb66339d", GitTreeState:"clean", BuildDate:"2018-06-06T08:00:59Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

pip list

|Package | Version|

|certifi | 2018.8.24|

|kubernetes | 7.0.0|

......ommit other dependencies

P.S. I tried the solution here: http://www.cdotson.com/2017/01/sslerror-with-python-3-6-x-on-macos-sierra/. But without luck.

1
macoskubernetespython-3.5
What is the output of python -c "import ssl; print ssl.OPENSSL_VERSION"?l'L'l
@l'L'l OpenSSL 1.0.2p 14 Aug 2018Max Peng
That version should be fine; It looks like you need to include verify=false for whatever reason (apparently to disregard the SSL verification). If that doesn't work then maybe changing configuration.py might do the trick even though you've set verify=false (github.com/kubernetes-client/python/issues/…). I think that setting any of this though would defeat the purpose of using an SSL.l'L'l
It did the trick. But I wonder any better suggestions?Max Peng
The better suggestion would be to figure out why it won't accept/verify the SSL certificate. You could check the cert inside Keychain.app and make sure it's set to allow, another thing which might be possible is to import the certificate directly from your script and verify it there (I did something similar except with urllib3) when I had an almost identical problem as this.l'L'l

1 Answers

0
votes

This appears to be an issue with the client script not being able to find/accept/verify the cert. Setting the location of the cert is likely the most viable method of resolution directly from the script:

from kubernetes import client
from kubernetes.client import Configuration, ApiClient

config = Configuration()
config.api_key = {'authorization': 'Bearer <api_key>'}
config.host = 'https://my-kubernetes-cluster'
config.ssl_ca_cert = "/path/to/ca_chain.crt"

api_client = ApiClient(configuration=config)
v1 = client.CoreV1Api(api_client)

v1.list_pod_for_all_namespaces(watch=False)

You could also set this up directly in .kube/config:

apiVersion: v1
clusters:
- cluster:
    api-version: v1
    certificate-authority: /path/to/ca_chain.crt
    server: "https://my-kubernetes-cluster"
    ...

The last option is to skip verification ( not recommend because it defeats the purpose of SSL ):

v1 = client.CoreV1Api()
v1.api_client.configuration.verify_ssl = False

More Information:

https://github.com/kubernetes-client/python/issues/521

How to specify a CA bundle in kubernetes python client