
I am trying to connect to AWS Neptune using aiogremlin but keep getting SSL certificate errors. I tried using 3 different certificates downloaded from the Amazon Trust Repository, but none of them work. With AmazonRootCA1.pem and SFSRootCAG2.pem I keep getting a File Not Found error, and with SFSRootCAG2.cer I get `ssl_context.load_cert_chain(ssl.SSLError: [SSL] PEM lib (_ssl.c:4046)`.

Here is the snippet which I am using to interact with Neptune.

import asyncio
import os

from aiogremlin import DriverRemoteConnection, Graph
# package-relative import: run this as a module inside the package (python -m ...), not as a bare script
from .constants import NEPTUNE_ENDPOINT, CERT_DIR


async def go():
    # Neptune's Gremlin endpoint is a TLS websocket on port 8182.
    # The traceback shows ssl_certfile is handed to ssl_context.load_cert_chain(),
    # which expects a PEM client certificate with its private key, not a CA root.
    remote_connection = await DriverRemoteConnection.open(
        f'https://{NEPTUNE_ENDPOINT}:8182/gremlin', 'g',
        # os.path.join avoids a silently wrong path when CERT_DIR lacks a trailing separator
        ssl_certfile=os.path.join(CERT_DIR, 'SFSRootCAG2.cer'))
    g = Graph().traversal().withRemote(remote_connection)
    vertices = await g.V().toList()
    await remote_connection.close()
    return vertices


print(asyncio.run(go()))

Having trouble figuring out if I am using the wrong certificate file or doing something else that is wrong.

shreyansh
  • Is there a reason why you need to inject the certs? Neptune's SSL certs are issued from a public CA. So long as your app has access to the Internet and these public CAs, your app should be able to verify the certs without providing a cert file. – Taylor Riggan Jul 14 '21 at 14:05
  • I am getting the same `FileNotFound` error when not providing the cert. It is working without providing the cert with `gremlin-python`, but not with this client library, and I need async IO. – shreyansh Jul 14 '21 at 14:45
  • Aiogremlin hasn't been updated in over 3 years. What are you attempting to do with the asynchronous nature of your app? Is this to send multiple requests at once? There may be another way of tackling this. Please provide more detail and I'll do my best to help. – Taylor Riggan Jul 14 '21 at 15:48
  • I have a FastAPI backend server with which I am trying to use Neptune. Although sync connections work, async would provide better performance. Was looking for an async python client for gremlin when I came across aiogremlin. – shreyansh Jul 14 '21 at 17:15
  • I don't think you're going to see a huge performance difference between sync vs async with Neptune. I notice that you're creating and closing a connection on each request. If you're looking for a performance boost, I would try establishing and re-using the same connection each time. Websocket connections in Python can be very slow (50-100ms in most cases). – Taylor Riggan Jul 14 '21 at 19:01
  • The snippet is just a sample, not actually using it in my application. – shreyansh Jul 14 '21 at 19:07

1 Answer

I got that exact same error (down to the line 4046 in ssl.c) when I converted my keystore to pem file without the certificate section.

I converted it over again without the '-nocerts' flag, and then I got both sections in the file, like this:

Bag Attributes
    friendlyName: mykey
    localKeyID: ...
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
... [magic key details] ...
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: mykey
    localKeyID: ...
subject=C = NO, O = ..., CN = Server Administrator

issuer=C = NO, O = ..., CN = Server Administrator

-----BEGIN CERTIFICATE-----
... [magic key details] ...
-----END CERTIFICATE-----

I also created a new certificate like this that worked without trouble:

# openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
thoredge
  • I encountered the same, and your solution of putting private and public into the same pem file solved the issue. Any idea what is causing this? – hellojoshhhy May 16 '22 at 09:20