I am currently looking to test the ubuntu-pro solution. Unfortunately, due to a strict network policy, I am unable to talk with contracts.canonical.com.
root@LAB:/srv/outline# pro --help
Failed to access URL: https://contracts.canonical.com/v1/resources?architecture=amd64&kernel=5.4.0-136-generic&series=focal
Cannot verify certificate of server
Please check your openssl configuration.
Digging a little bit, we can see that the certificate is rejected.
2023-01-17 15:53:00,149 - util.py:(310) [DEBUG]: URL [POST]: https://contracts.canonical.com/v1/context/machines/token, headers: {'Authorization': 'Bearer <REDACTED>', 'accept': 'application/json', 'content-type': 'application/json', 'user-agent': 'UA-Client/27.12~20.04.1'}, data: {"machineId": "d311ff4eff964777b3c0aeaaf9e00d97", "architecture": "amd64", "os": {"distribution": "Ubuntu", "type": "Linux", "version": "20.04 LTS (Focal Fossa)", "release": "20.04", "series": "focal", "kernel": "5.4.0-136-generic"}}
2023-01-17 15:53:00,203 - contract.py:(602) [ERROR]: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)
Traceback (most recent call last):
File "/usr/lib/python3.8/urllib/request.py", line 1354, in do_open
h.request(req.get_method(), req.selector, req.data, headers,
File "/usr/lib/python3.8/http/client.py", line 1256, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1302, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1251, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1011, in _send_output
self.send(msg)
File "/usr/lib/python3.8/http/client.py", line 951, in send
self.connect()
File "/usr/lib/python3.8/http/client.py", line 1425, in connect
self.sock = self._context.wrap_socket(self.sock,
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)
Checking where urllib might grab certificates:
root@LAB:/usr/local/share/ca-certificates# python3.8 -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/usr/lib/ssl/cert.pem', capath='/usr/lib/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/lib/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/lib/ssl/certs')
But no result. We added our Root Certificate Authority and Sub Certificate Authority but still get the same error. I checked with curl by setting the path, and the certificates are consumed.
I also tried to put the certificate of contracts.canonical.com in directly, but got the same issue.
I tried to put cert files in:
- /usr/local/share/ca-certificates
- /usr/share/ca-certificates
- /etc/ssl/certs
- /usr/lib/ssl/certs
- /usr/lib/ssl/cert.pem
Could someone please advise us on this?
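
A check for the trust-store layout described in the post, added here as an example and not part of the original post or of the pro client. OpenSSL only finds a CA inside a `capath` directory through a subject-hash name (`<hash>.N`, normally created by `update-ca-certificates` or `c_rehash`), and `update-ca-certificates` only imports `*.crt` files from `/usr/local/share/ca-certificates`. The function names and the demo file names are hypothetical.

```python
import os
import re
import ssl
import tempfile

# OpenSSL finds CAs in a capath directory only via subject-hash names such as 3513523f.0
HASHED = re.compile(r"^[0-9a-f]{8}\.\d+$")
CERT_EXT = (".pem", ".crt", ".cer")

def unhashed_certs(capath, bundle=None):
    """Certificate files in capath that no <hash>.N entry resolves to."""
    skip = os.path.realpath(bundle) if bundle else None
    entries = {n: os.path.realpath(os.path.join(capath, n)) for n in os.listdir(capath)}
    reachable = {t for n, t in entries.items() if HASHED.match(n)}
    return sorted(n for n, t in entries.items()
                  if n.endswith(CERT_EXT) and not HASHED.match(n)
                  and t not in reachable and t != skip)

def skipped_by_update(local_dir):
    """Top-level files update-ca-certificates ignores: it only imports *.crt names."""
    return sorted(n for n in os.listdir(local_dir)
                  if os.path.isfile(os.path.join(local_dir, n)) and not n.endswith(".crt"))

def demo():
    """Constructed layout: one CA installed properly, PEMs merely copied in."""
    certs, local = tempfile.mkdtemp(), tempfile.mkdtemp()
    for d, name in ((certs, "Public-Root.pem"), (certs, "corp-root.pem"),
                    (local, "corp-root.pem"), (local, "corp-sub.crt")):
        with open(os.path.join(d, name), "w") as f:
            f.write("constructed placeholder, not a real certificate\n")
    os.symlink("Public-Root.pem", os.path.join(certs, "3513523f.0"))
    return unhashed_certs(certs), skipped_by_update(local)

if __name__ == "__main__":
    print("constructed demo:", demo())
    paths = ssl.get_default_verify_paths()  # already honours SSL_CERT_FILE / SSL_CERT_DIR
    print("cafile:", paths.cafile, "capath:", paths.capath)
    if paths.capath:
        print("not reachable by hash:", unhashed_certs(paths.capath, paths.cafile))
    local = "/usr/local/share/ca-certificates"
    if os.path.isdir(local):
        print("ignored by update-ca-certificates:", skipped_by_update(local))
```
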