Forum Discussion

mishpan_70054's avatar
mishpan_70054
Icon for Nimbostratus rankNimbostratus
Jan 27, 2015

issue while using -pyControl with python2.7 (SSL: CERTIFICATE_VERIFY_FAILED)

While using python2.7 with pyControl, i am getting below error. After googling i have found that in python2.7 when script try to connect to LB it's try to verifiy the certifcate lb preseting and tha...
devops
iControl
John_Gruber_432's avatar
John_Gruber_432
Historic F5 Account
Jun 08, 2015

Your python urllib2 is requiring the use of ssl.context which the old python suds modules does not support. Python suds (which pycontrol uses for SOAP object creation/request marshalling) is not actively being maintained by our friends at RedHat anymore. The recommendation is that you move over to using the python requests modules and the iControl REST API.

Having said that, we know you can not move to iControl REST in production for BIG-IPs running TMOS earlier then 11.5.0. So it is back to the SOAP interfaces.

The added security check in the python ssl module is a good thing as it should force us to using non-self signed certificates on our devices. It however can be extremely annoying when you are attempting to use pycontrol to perform device onboarding, thus living with what we ship.

Have no fear... python patching can come to the rescue. Here is an example of run time patching the python modules in question to add a 'non-valididated' ssl context for use with pycontrol:

import urllib2

import ssl from suds import transport from suds.client import Client from suds.xsd.doctor import Import, ImportDoctor from pycontrol import pycontrol

IMP = Import('http://schemas.xmlsoap.org/soap/encoding/') DOCTOR = ImportDoctor(IMP) ICONTROL_URI = '/iControl/iControlPortal.cgi' SESSION_WSDL = 'System.Session'

class HTTPSUnVerifiedCertTransport(transport.https.HttpAuthenticated): def __init__(self, *args, **kwargs): transport.https.HttpAuthenticated.__init__(self, *args, **kwargs) def u2handlers(self): handlers = [] handlers.append(urllib2.ProxyHandler(self.proxy)) handlers.append(urllib2.HTTPBasicAuthHandler(self.pm)) python ssl Context support - PEP 0466 if hasattr(ssl, '_create_unverified_context'): ssl_context = ssl._create_unverified_context() handlers.append(urllib2.HTTPSHandler(context=ssl_context)) else: handlers.append(urllib2.HTTPSHandler()) return handlers

def new_get_suds_client(self, url, **kw): if not url.startswith("https"): t = transport.http.HttpAuthenticated(username=self.username, password=self.password) c = Client(url, transport=t, username=self.username, password=self.password, doctor=DOCTOR, **kw) else: t = HTTPSUnVerifiedCertTransport(username=self.username, password=self.password) c = Client(url, transport=t, username=self.username, password=self.password, doctor=DOCTOR, **kw) return c

pycontrol.BIGIP._get_suds_client = new_get_suds_client device = pycontrol.BIGIP(hostname='192.168.245.1', username='admin', password='admin', fromurl=True, wsdls=['LocalLB.Pool'])

Happy iControling..

John