I have a Python program that uses the AWS IoT SDK to connect to MQTT. The program runs and works without problems when I run it from the CLI. But when I try to run it from systemd as a service, it doesn't work... And I don't know why. I found these 2 references below about the problem, but it seems like none of them fixes my problem.

reference 1 reference 2

I receive an error message like this:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

UPDATE: this is my current service file

[Unit] 
Description=GreenRpi

[Service]
User=pi
Group=pi
#PIDFile=/tmp/greenrpiofficial-99.pid
WorkingDirectory=/home/pi/experiments/GreenRpi/
ExecStart=/home/pi/experiments/GreenRpi/.venv/bin/python main.py somearg
Restart=always 
RestartSec=30

[Install] 
WantedBy=multi-user.target 
aang
  • You appear to be running in a virtual environment, but just pointing to the python executable without running the setup is probably not going to do what you think it does... – hardillb May 09 '21 at 19:07
  • @hardillb I had an equal approach running correctly in another raspberry pi. Unfortunately I don't have that pi at the moment to make a contrast. – aang May 09 '21 at 19:21
  • @hardillb I noticed that the problem is not related to systemd but to running the program as sudo. If I try to run it in sudo su, it gives the same error... any idea? – aang May 09 '21 at 19:24

1 Answer

You didn't provide your service file. By default processes run as root when started via systemd, see [1]

User=, Group=

Set the UNIX user or group that the processes are executed as, respectively. Takes a single user or group name, or a numeric ID as argument. For system services (services run by the system service manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of systemd --user), the default is "root", but User= may be used to specify a different user.

When the certificate is only available to the current user, you should run your service as the same user with

[Service]
User=<your desired username>

Also the working directory is different. This is not covered in your first link. This can be set via WorkingDirectory=

[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Hannes
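A diagnostic for the two differences the answer names (the executing user and the working directory), as an added example that is not part of the original posts: run it once from the shell where the program works and once through the unit's ExecStart or under sudo, then compare the two outputs. The default file name `root-CA.crt` is a placeholder assumption; pass the CA path your program actually hands to the SDK.

```python
import json
import os
import ssl
import sys
from pathlib import Path


def runtime_snapshot():
    """Collect what usually differs between a login shell, sudo and a systemd service."""
    paths = ssl.get_default_verify_paths()
    return {
        "euid": os.geteuid(),
        "cwd": os.getcwd(),
        "HOME": os.environ.get("HOME"),
        "SSL_CERT_FILE": os.environ.get("SSL_CERT_FILE"),
        "SSL_CERT_DIR": os.environ.get("SSL_CERT_DIR"),
        "default_cafile": paths.cafile,
        "default_capath": paths.capath,
    }


def check_ca_file(ca_path, cwd=None):
    """Resolve ca_path the way the process would and report whether it can be used."""
    base = Path(cwd) if cwd else Path.cwd()
    resolved = Path(os.path.expanduser(ca_path))  # "~" follows HOME, which changes under sudo
    if not resolved.is_absolute():
        resolved = base / resolved                # relative paths follow WorkingDirectory=
    result = {"resolved": str(resolved), "exists": resolved.is_file(),
              "readable": False, "parses_as_ca_bundle": False}
    if result["exists"]:
        result["readable"] = os.access(resolved, os.R_OK)  # permission check for this user
    if result["readable"]:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cafile=str(resolved))
            result["parses_as_ca_bundle"] = True
        except (ssl.SSLError, OSError):
            pass  # file is present but holds no usable PEM certificate
    return result


if __name__ == "__main__":
    # "root-CA.crt" is a placeholder, not a path taken from the question.
    ca = sys.argv[1] if len(sys.argv) > 1 else "root-CA.crt"
    print(json.dumps({"runtime": runtime_snapshot(), "ca": check_ca_file(ca)}, indent=2))
```

A CA file that resolves and parses in the shell but shows `exists` or `readable` as false in the service output points to the path or permission difference described in the answer.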