Forum Discussion
issue while using -pyControl with python2.7 (SSL: CERTIFICATE_VERIFY_FAILED)
While using python2.7 with pyControl, I am getting the error below. After googling I have found that in python2.7, when the script tries to connect to the LB, it tries to verify the certificate the LB is presenting, and that's where it is failing. Can someone suggest a solution?
    b = pc.BIGIP( hostname = '192.168.0.54', username = 'admin', password = 'abc @123', fromurl = True, wsdls = ['LocalLB.Pool'])
    Traceback (most recent call last):
      File "", line 1, in
      File "C:\Python27\lib\site-packages\pycontrol\pycontrol.py", line 103, in __init__
        self.clients = self._get_clients()
      File "C:\Python27\lib\site-packages\pycontrol\pycontrol.py", line 145, in _get_clients
        sudsclient = self._get_suds_client(url,**self.kw)
      File "C:\Python27\lib\site-packages\pycontrol\pycontrol.py", line 190, in _get_suds_client
        password=self.password,doctor=DOCTOR,**kw)
      File "C:\Python27\lib\site-packages\suds\client.py", line 112, in __init__
        self.wsdl = reader.open(url)
      File "C:\Python27\lib\site-packages\suds\reader.py", line 152, in open
        d = self.fn(url, self.options)
      File "C:\Python27\lib\site-packages\suds\wsdl.py", line 136, in __init__
        d = reader.open(url)
      File "C:\Python27\lib\site-packages\suds\reader.py", line 79, in open
        d = self.download(url)
      File "C:\Python27\lib\site-packages\suds\reader.py", line 95, in download
        fp = self.options.transport.open(Request(url))
      File "C:\Python27\lib\site-packages\suds\transport\https.py", line 60, in open
        return HttpTransport.open(self, request)
      File "C:\Python27\lib\site-packages\suds\transport\http.py", line 62, in open
        return self.u2open(u2request)
      File "C:\Python27\lib\site-packages\suds\transport\http.py", line 118, in u2open
        return url.open(u2request, timeout=tm)
      File "C:\Python27\lib\urllib2.py", line 431, in open
        response = self._open(req, data)
      File "C:\Python27\lib\urllib2.py", line 449, in _open
        '_open', req)
      File "C:\Python27\lib\urllib2.py", line 409, in _call_chain
        result = func(*args)
      File "C:\Python27\lib\urllib2.py", line 1240, in https_open
        context=self._context)
      File "C:\Python27\lib\urllib2.py", line 1197, in do_open
        raise URLError(err)
    urllib2.URLError:
- What_Lies_Bene1Cirrostratus
Do you have bigsuds installed? I suspect not.
- mishpan_70054Nimbostratus
No, I have not installed bigsuds; I am using pyControl.
- mishpan_70054Nimbostratus
Also just tried with bigsuds, getting the same error.

    b = bigsuds.BIGIP(hostname = '192.168.0.54', username = 'admin', password = 'abc@123',)
    b.GlobalLB.Pool.get_list()
    Traceback (most recent call last):
      File "", line 1, in
      File "bigsuds.py", line 313, in __getattr__
        client = self._client_creator('%s.%s' % (self._name, attr))
      File "bigsuds.py", line 142, in _create_client
        raise ConnectionError(str(e))
    bigsuds.ConnectionError:
- mimlo_61970Cumulonimbus
Easiest way is to add the certificate to the trusted list. If it is a self-signed certificate on the F5, I am not entirely sure how to proceed. I use a linux server as a CA and issue all of my certs from that.
That link has methods to install certs as trusted into many different OSes
- mishpan_70054Nimbostratus
Hi mimlo,
I have added the certificate as suggested, still getting the same error :-(
- mimlo_61970Cumulonimbus
What version of python do you have? I cannot duplicate in 2.7.6. Also, if you use wget or curl to access the F5 URL, do you get a cert error? If you do, the CA cert is not installed correctly.
- mishpan_70054Nimbostratus
I am using python v2.7.9.
- mishpan_70054Nimbostratus
Hi mimlo, I have downgraded to python2.6; now I am able to run all commands.
- Bernie_10630Nimbostratus
Yes, this is a problem in 2.7.9. 2.7.9 has lots of changes regarding how SSL is handled. urllib2 is affected by this, and it is what suds uses, which is a requirement for bigsuds. This should not be a problem if you have a valid and verifiable cert with a CA chain.
- John_Gruber_432Historic F5 Account
Your python urllib2 is requiring the use of ssl.context, which the old python suds module does not support. Python suds (which pycontrol uses for SOAP object creation/request marshalling) is not actively being maintained by our friends at RedHat anymore. The recommendation is that you move over to using the python requests module and the iControl REST API.
Having said that, we know you cannot move to iControl REST in production for BIG-IPs running TMOS earlier than 11.5.0. So it is back to the SOAP interfaces.
The added security check in the python ssl module is a good thing, as it should force us to use non-self-signed certificates on our devices. It however can be extremely annoying when you are attempting to use pycontrol to perform device onboarding, thus living with what we ship.
Have no fear... python patching can come to the rescue. Here is an example of run time patching the python modules in question to add a 'non-validated' ssl context for use with pycontrol:
    import urllib2
    import ssl
    from suds import transport
    from suds.client import Client
    from suds.xsd.doctor import Import, ImportDoctor
    from pycontrol import pycontrol

    IMP = Import('http://schemas.xmlsoap.org/soap/encoding/')
    DOCTOR = ImportDoctor(IMP)
    ICONTROL_URI = '/iControl/iControlPortal.cgi'
    SESSION_WSDL = 'System.Session'


    class HTTPSUnVerifiedCertTransport(transport.https.HttpAuthenticated):
        def __init__(self, *args, **kwargs):
            transport.https.HttpAuthenticated.__init__(self, *args, **kwargs)

        def u2handlers(self):
            handlers = []
            handlers.append(urllib2.ProxyHandler(self.proxy))
            handlers.append(urllib2.HTTPBasicAuthHandler(self.pm))
            # python ssl Context support - PEP 0466
            if hasattr(ssl, '_create_unverified_context'):
                # This context performs no certificate or hostname validation.
                ssl_context = ssl._create_unverified_context()
                handlers.append(urllib2.HTTPSHandler(context=ssl_context))
            else:
                handlers.append(urllib2.HTTPSHandler())
            return handlers


    def new_get_suds_client(self, url, **kw):
        if not url.startswith("https"):
            t = transport.http.HttpAuthenticated(username=self.username,
                                                 password=self.password)
            c = Client(url, transport=t, username=self.username,
                       password=self.password, doctor=DOCTOR, **kw)
        else:
            t = HTTPSUnVerifiedCertTransport(username=self.username,
                                             password=self.password)
            c = Client(url, transport=t, username=self.username,
                       password=self.password, doctor=DOCTOR, **kw)
        return c


    # Replace pycontrol's client factory at run time.
    pycontrol.BIGIP._get_suds_client = new_get_suds_client
    device = pycontrol.BIGIP(hostname='192.168.245.1', username='admin',
                             password='admin', fromurl=True,
                             wsdls=['LocalLB.Pool'])
Happy iControling..
John
- John_Gruber_432Historic F5 Account
Let's try that again.. I'll stop fighting Dev Central and use an 'acceptable browser'... Here is the code example to runtime patch suds:
    import urllib2
    import ssl
    from suds import transport
    from suds.client import Client
    from suds.xsd.doctor import Import, ImportDoctor
    from pycontrol import pycontrol

    IMP = Import('http://schemas.xmlsoap.org/soap/encoding/')
    DOCTOR = ImportDoctor(IMP)
    ICONTROL_URI = '/iControl/iControlPortal.cgi'
    SESSION_WSDL = 'System.Session'


    class HTTPSUnVerifiedCertTransport(transport.https.HttpAuthenticated):
        def __init__(self, *args, **kwargs):
            transport.https.HttpAuthenticated.__init__(self, *args, **kwargs)

        def u2handlers(self):
            handlers = []
            handlers.append(urllib2.ProxyHandler(self.proxy))
            handlers.append(urllib2.HTTPBasicAuthHandler(self.pm))
            # python ssl Context support - PEP 0466
            if hasattr(ssl, '_create_unverified_context'):
                # This context performs no certificate or hostname validation.
                ssl_context = ssl._create_unverified_context()
                handlers.append(urllib2.HTTPSHandler(context=ssl_context))
            else:
                handlers.append(urllib2.HTTPSHandler())
            return handlers


    def new_get_suds_client(self, url, **kw):
        if not url.startswith("https"):
            t = transport.http.HttpAuthenticated(username=self.username,
                                                 password=self.password)
            c = Client(url, transport=t, username=self.username,
                       password=self.password, doctor=DOCTOR, **kw)
        else:
            t = HTTPSUnVerifiedCertTransport(username=self.username,
                                             password=self.password)
            c = Client(url, transport=t, username=self.username,
                       password=self.password, doctor=DOCTOR, **kw)
        return c


    # Replace pycontrol's client factory at run time.
    pycontrol.BIGIP._get_suds_client = new_get_suds_client
    device = pycontrol.BIGIP(hostname='192.168.245.1', username='admin',
                             password='admin', fromurl=True,
                             wsdls=['LocalLB.Pool'])
- tjsauter_208299Nimbostratus
Excellent! Exactly what I needed, thanks for posting
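A verifying counterpart to the unverified-context patch in the thread, added here as an example and not code from any poster, pycontrol or suds: it builds the same urllib2 handler list around a context that still validates the chain against a CA file, with the hostname check as a separate switch. The names `pinned_context`, `https_handlers`, `summarize` and `preflight`, and the choice of passing the issuing CA or the device's own certificate as `cafile`, are assumptions.

```python
import ssl

try:                              # Python 2.7.9+, the interpreter in the thread
    import urllib2 as urlreq
except ImportError:               # Python 3 exposes the same handler classes
    import urllib.request as urlreq


def pinned_context(cafile=None, check_hostname=True):
    """Verifying context; cafile is a PEM file with the issuing CA or the
    device's own self-signed certificate (path supplied by the caller)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED
    # A device reached by IP whose certificate lacks a matching SAN fails
    # the hostname check; turning off only that check keeps chain validation.
    ctx.check_hostname = check_hostname
    return ctx


def https_handlers(ctx, proxy=None, password_mgr=None):
    """Handler list shaped like the thread's u2handlers(), with the SSL
    context chosen by the caller instead of an unverified one."""
    return [urlreq.ProxyHandler(proxy or {}),
            urlreq.HTTPBasicAuthHandler(password_mgr),
            urlreq.HTTPSHandler(context=ctx)]


def summarize(ctx):
    """What the context enforces, for logging or a pre-deployment check."""
    return {"verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": bool(ctx.check_hostname)}


def preflight(url, ctx, timeout=5):
    """Try one request; report whether the TLS handshake validated."""
    opener = urlreq.build_opener(*https_handlers(ctx))
    try:
        opener.open(url, timeout=timeout).close()
        return True, "ok"
    except urlreq.HTTPError as exc:       # TLS succeeded, server answered
        return True, "HTTP %d" % exc.code
    except (urlreq.URLError, ssl.SSLError, ssl.CertificateError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(summarize(pinned_context()))                   # verifying
    print(summarize(ssl._create_unverified_context()))   # the thread's patch
```

In the thread's `u2handlers()` override, the list returned by `https_handlers(pinned_context(cafile=...))` would take the place of the hand-built one; `preflight` plays the role of the wget/curl check suggested earlier for confirming the CA is installed.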