0

I am having certificate error in python code as below run in docker container laudio/pyodbc

  File "/usr/local/lib/python3.7/site-packages/fredapi/fred.py", line 131, in get_series
    root = self.__fetch_data(url)
  File "/usr/local/lib/python3.7/site-packages/fredapi/fred.py", line 64, in __fetch_data
    response = urlopen(url)
  File "/usr/local/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/usr/local/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/usr/local/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python3.7/urllib/request.py", line 1362, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/local/lib/python3.7/urllib/request.py", line 1321, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>

my certificates are up to date 

root@8a03fe8175b7:/# pip install --upgrade certifi
Requirement already up-to-date: certifi in /usr/local/lib/python3.7/site-packages (2020.4.5.1)

I have also tried to use no_ssl_verification solution that didn't help.

Also, this file is empty, does this mean anything? On my host machine it is full

root@2927b5836cfa:/# ls -alt /etc/ssl/certs/ca-certificates.crt 
-rw-r--r-- 1 root root 0 May 23 20:14 /etc/ssl/certs/ca-certificates.crt

Further info from the python shell in container, I don't know if that helps. But there is no /export directory in the container:

print(ssl.get_default_verify_paths())

DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/export/home/pb2/build/sb_0-35870562-1568195162.53/openssl-1.1.1d-el6-x86-64bit/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/export/home/pb2/build/sb_0-35870562-1568195162.53/openssl-1.1.1d-el6-x86-64bit/ssl/certs')

Can you please provide me some ideas to fix this issue?

adam
  • 655
  • 1
  • 10
  • 31
  • Have you tried `verify=False`? – jizhihaoSAMA May 23 '20 at 16:04
  • I am running these in docker container. It all works in the host Linux machine condo Linux installation. The call the request doesn't have `verify=False` as it is in package fredapi – adam May 23 '20 at 20:42
  • do I need to add ca-certificates on my own in docker machine – adam May 23 '20 at 20:45
  • I might have a solution; I got the file from here https://curl.haxx.se/ca/cacert.pem. then gone into docker container and set environment variables SSL_CERT_DIR and SSL_CERT_FILE to point path and name of this file. That seems to do the trick for python. I am not sure why though. The idea for the certificate download came from https://stackoverflow.com/questions/39356413/how-to-add-a-custom-ca-root-certificate-to-the-ca-store-used-by-pip-in-windows – adam May 23 '20 at 21:33
  • Probably Python is using the system's built-in root certificates by default, and one of those certificates is supposed to be able to verify the URL that it's hitting, but maybe that particular certificate expired or something. When you downloaded that file, you got a more up-to-date set of root certificates which probably includes a newer "version" of the certificate that expired, and then setting the environment variables told Python to use that newer certificate instead of the default one. – David Z Aug 09 '20 at 06:13
  • Also would you consider turning your comment into an answer? I'd probably upvote it... – David Z Aug 09 '20 at 06:21
  • Thanks to @adam I was able to fix this error with just `export SSL_CERT_FILE=/etc/ssl/cert/ca-certificates.crt`. No idea why that's needed, since it's just pointing to the standard default location. – GaryO Aug 14 '20 at 13:51

1 Answers1

0

If you don't have ca-certificates installed in your docker container(i.e. check if /etc/ssl/certs directory exists with various certificates in it), please install them first.

Adding the following line into the dockerfile fixes the issue.

RUN apt-get update && \
    apt-get install ca-certificates -y && \
    apt-get clean
Nilesh Vijayrania
  • 71
  • 4
  • Great answer. Also, "Official Debian and Ubuntu images automatically run apt-get clean, so explicit invocation is not required." -Docker Docs – j7skov Jan 17 '23 at 17:32