After form-source installation of Python2.7.9 I get ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Question

I am using CentOS 6.6. and therefore I don't have newest (2.7 series) packages for Python which I need. I have installed Python 2.7.9 from source to /usr/local/lib/python2.7 :

ll /usr/local/lib/python2.7/
total 52K
drwxr-xr-x. 2 root root 4.0K Jan 13 14:59 bin
drwxr-xr-x. 3 root root 4.0K Jan  7 15:15 include
drwxr-xr-x. 4 root root 4.0K Jan  7 15:15 lib
-rw-r--r--. 1 root root  12K Jan 14 11:46 LICENSE.txt
-rw-r--r--. 1 root root  117 Jan 14 11:46 MANIFEST.in
-rw-r--r--. 1 root root  238 Jan 14 11:46 NOTICE.txt
-rw-r--r--. 1 root root   88 Jan 14 11:46 setup.cfg
-rw-r--r--. 1 root root 2.6K Jan 14 11:46 setup.py
drwxr-xr-x. 3 root root 4.0K Jan  7 15:15 share
drwxr-xr-x. 6 root root 4.0K Jan  7 15:03 site-packages
-rw-r--r--. 1 root root  113 Jan 14 11:46 tox.ini

Now I have a script using pysphere and it used to work ok (and it works ok on other machines with 2.6 and 2.7) but when I ran it with my current setup I get this:

$ python main.py
Connecting to vSphere...
Traceback (most recent call last):
  File "main.py", line 51, in <module>
    server.connect(VSPHERE_IP, VSPHERE_USER, VSPHERE_PASS)
  File "/usr/local/lib/python2.7/lib/python2.7/site-packages/pysphere/vi_server.py", line 101, in connect
    request)._returnval
  File "/usr/local/lib/python2.7/lib/python2.7/site-packages/pysphere/resources/VimService_services.py", line 2170, in RetrieveServiceContent
    self.binding.Send(None, None, request, soapaction="urn:vim25/5.0", **kw)
  File "/usr/local/lib/python2.7/lib/python2.7/site-packages/pysphere/ZSI/client.py", line 295, in Send
    self.local.h.connect()
  File "/usr/local/lib/python2.7/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/local/lib/python2.7/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/local/lib/python2.7/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/local/lib/python2.7/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

$ pip -V
pip 6.0.6 from /usr/local/lib/python2.7/lib/python2.7/site-packages (python 2.7)
$ pip freeze
Django==1.7.2
docutils==0.12
ecdsa==0.11
paramiko==1.15.2
pep8==1.5.7
pycrypto==2.6.1
Pygments==2.0.1
pysphere==0.1.7
pyvmomi==5.5.0.2014.1.1
requests==2.5.1
six==1.9.0
virtualenv==12.0.5

What is broken here ?

Answer 1

I'm a couple of years late to the party, but I just ran into this problem myself, and found a solution. I'm leaving a comment should anyone in the future stumble across this thread.

The reason why this is happening (which was Patryk's question), is that Python's httplib.HTTPSConnection previously did not validate SSL certificates by default. From Python 2.7.9 onwards, SSL validation is required. If your ESX server has some problem with its SSL certificate, the connection will fail.

Unfortunately the pysphere library is no longer maintained.

Assuming that you are trying to use the pysphere library in a private and secure environment, you may apply the following patch to the pysphere/ZSI/client.py file:

294c294,295
<         self.local.h = transport(netloc, None, **self.transdict)
---
>         import ssl
>         self.local.h = transport(netloc, None, context=ssl._create_unverified_context(), **self.transdict)

Explanation: The pysphere library uses httplib.HTTPSConnection to establish a connection to the ESX server. If it encounters an SSL certificate problem, it fails with the abovementioned exception. To reinstate the behaviour prior to Python 2.7.9, you need to tell httplib.HTTPSConnection to not validate the SSL certificate.