Error CERTIFICATE_VERIFY_FAILED while attempting to create a personal endpoint

[Paul Hodor]

I am trying to create a personal endpoint on a Linux system, following the instructions at https://docs.globus.org/how-to/globus-connect-personal-linux/. I am using the non-gui option. I am able to get an authorization code, but after I enter it, the setup script fails at the step where it verifies the certificate. Any suggestions how to specify a certificate location or skip verification? A transcript of the terminal session follows.

phodor@ewrlnxre60:~$ globusconnectpersonal -setup --no-gui

Globus Connect Personal needs you to log in to continue the setup process.

We will display a login URL. Copy it into any browser and log in to get a

single-use code. Return to this command with the code to continue setup.

Login here:

-----

https://auth.globus.org/v2/oauth2/authorize?client_id=4d6448ae-8ca0-40e4-aaa9-8ec8 ...

-----

Enter the auth code: qwQ...

Traceback (most recent call last):

  File "urllib/request.py", line 1318, in do_open

  File "http/client.py", line 1254, in request

  File "http/client.py", line 1300, in _send_request

  File "http/client.py", line 1249, in endheaders

  File "http/client.py", line 1036, in _send_output

  File "http/client.py", line 974, in send

  File "http/client.py", line 1415, in connect

  File "ssl.py", line 407, in wrap_socket

  File "ssl.py", line 817, in __init__

  File "ssl.py", line 1077, in do_handshake

  File "ssl.py", line 689, in do_handshake

ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):

  File "main.py", line 11, in <module>

  File "lib/cli.py", line 193, in main

  File "lib/cli.py", line 116, in cli_endpoint_creation_flow

  File "lib/login.py", line 126, in do_native_app_authentication

  File "lib/login.py", line 184, in _do_native_app_authentication

  File "lib/api_clients.py", line 222, in exchange_code_for_tokens

  File "lib/api_clients.py", line 198, in oauth2_token

  File "lib/api_clients.py", line 171, in post

  File "lib/api_clients.py", line 155, in _request

  File "lib/api_clients.py", line 47, in __init__

  File "urllib/request.py", line 223, in urlopen

  File "urllib/request.py", line 526, in open

  File "urllib/request.py", line 544, in _open

  File "urllib/request.py", line 504, in _call_chain

  File "urllib/request.py", line 1361, in https_open

  File "urllib/request.py", line 1320, in do_open

urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>

Setup did not complete successfully.

You may want to check /home/phodor/.globusonline/lta/register.log for more information

[Michael Link]

Hi Paul,

I'm assuming your SSL traffic passes through a firewall that presents
its own certificate. If you have the CA cert for that, you should be
able to set the environment variable SSL_CERT_FILE to trust that cert.

SSL_CERT_FILE=/path/trusted-ca.pem ./globusconnectpersonal -setup --no-gui


If that doesn't help or you don't think that there is a firewall
certificate involved, you can verify the issuer with this command:
openssl s_client -connect auth.globus.org:443


Mike

[Paul Hodor]

Thank you , Mike. You have diagnosed to problem perfectly, although your solution did not work for me. The problem was solved by our security team by whitelisting all servers from the globus.org domain in the firewall. We determined that there were at least 2 different servers that the setup process was connecting to.

Paul

--
To unsubscribe from this topic, visit https://groups.google.com/a/globus.org/d/topic/admin-discuss/KeAN9rv8ONk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to admin-discus...@globus.org.