Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Alpine 3.3, Python 2.7.11, urllib2 causing SSL: CERTIFICATE_VERIFY_FAILED

Tags:

python

ssl

alpine

I have this small Dockerfile

FROM alpine:3.3
RUN apk --update add python
CMD ["python", "-c", "import urllib2; response = urllib2.urlopen('https://www.python.org')"]

Building it with docker build -t alpine-py/01 . and then running it with docker run -it --rm alpine-py/01 creates the following output

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

Yesterday I got bitten by the recent OpenSSL 1.0.2g release, which caused py-cryptograpy to not compile. Luckily the guys from py-cryptography released a new version on PyPI a couple of hours later. The issue was that a function in OpenSSL got a new signature.

Could this be related or am I missing something?

like image 402
Daniel F Avatar asked Mar 03 '16 03:03

Daniel F


People also ask

What is SSL Certificate_verify_failed?

SSL certificate_verify_failed errors typically occur as a result of outdated Python default certificates or invalid root certificates. If you're a website owner and you're receiving this error, it could be because you're not using a valid SSL certificate.

Is Alpine good for Python?

Don't use Alpine Linux for Python images Unless you want massively slower build times, larger images, more work, and the potential for obscure bugs, you'll want to avoid Alpine Linux as a base image. For some recommendations on what you should use, see my article on choosing a good base image.

How do I verify a certificate in Python?

Certification holders may now have others easily verify their certification status by using a unique certificate verification code. The code can be found in the top right-hand corner on all digital certificates issued by the Python Institute.


2 Answers

You need to install ca-certificates to be able to validate signed certs by public CAs:

FROM alpine:3.3
RUN apk --no-cache add python ca-certificates
CMD ["python", "-c", "import urllib2; response = urllib2.urlopen('https://www.python.org')"]
like image 135
Andy Shinn Avatar answered Oct 15 '22 23:10

Andy Shinn


You will need to upgrade Alpine as libssl needs to be upgraded with a patch

FROM alpine:3.3
RUN apk -U upgrade && \
    apk -U add python ca-certificates && \
    update-ca-certificates
CMD ["python", "-c", "import urllib2; response = urllib2.urlopen('https://www.python.org')"]

apk -U upgrade will upgrade these:

  • libcrypto1.0 (1.0.2e-r0 -> 1.0.2g-r0)
  • libssl1.0 (1.0.2e-r0 -> 1.0.2g-r0)
like image 27
Simon Black Avatar answered Oct 15 '22 21:10

Simon Black