Has anyone had success with fixing SSL CERTIFICATE_VERIFY_FAILED on a Corporate Network

[jrod...@gmail.com]

I'm experiencing the below SSL Certificate Error whilst trying to use the -report flag.  This also prevents the PluginsManager from connecting as well.

The root cause appears to be that our corporate network issues a certificate that fails validation.  Anything that goes through python seems to fail (i.e. pip).

Things tried:

- Upgraded to python3.6 (below example is from prior to my upgrade)

- installed certifi

- ran on a non corporate network (works fine)

- ran on linux, mac windows

- imported the corporate Cert to the openSSL folder & the python cert folder.

- read just about every single solution on stack overflow (which hasnt worked).

- re-installed everything, got the latest versions on everything, upgraded, downgraded

- prayed to multiple gods

- yelled at Karen from finance (sorry Karen, having a bad day)

Unfortunately i'm unable to crack the correct solution for this on any of the operating systems.  Either i'm doing something fundamentally wrong, or the corporate network cert is the cause (which I cant change).

The questions:

1) Has anyone has success in fixing the issue, if so how?  I suspect I'm doing the Cert install wrong?

2) Andrey, is it possible to introduce a feature to toggle on "verify=False" in the call to Blazemeter Reporting?  I updated the bza.py file to the following and my reports are working fine in Blazemeter now.  I'd rather a supported feature than a hack if possible.

response = self.http_request(method=log_method, url=url, data=data, headers=headers, cookies=self._cookies,

                                     timeout=self.timeout, verify=False)

Error

11:56:10 WARNING: No BlazeMeter API key provided, will upload anonymously

11:56:11 ERROR: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

Traceback (most recent call last):

  File "/usr/local/lib/python2.7/site-packages/bzt/cli.py", line 215, in perform

    self.engine.prepare()

  File "/usr/local/lib/python2.7/site-packages/bzt/engine.py", line 132, in prepare

    self.__prepare_reporters()

  File "/usr/local/lib/python2.7/site-packages/bzt/engine.py", line 485, in __prepare_reporters

    module.prepare()

  File "/usr/local/lib/python2.7/site-packages/bzt/modules/blazemeter.py", line 183, in prepare

    self._user.ping()  # to check connectivity and auth

  File "/usr/local/lib/python2.7/site-packages/bzt/bza.py", line 146, in ping

    self._request(self.address + '/api/v4/web/version')

  File "/usr/local/lib/python2.7/site-packages/bzt/bza.py", line 85, in _request

    timeout=self.timeout)

  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 56, in request

    return session.request(method=method, url=url, **kwargs)

  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request

    resp = self.send(prep, **send_kwargs)

  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send

    r = adapter.send(request, **kwargs)

  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send

    raise SSLError(e, request=request)

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

[ta...@blazemeter.com]

Hi

Thanks for the idea, we'll discuss it.

---

Taras

[Craig Harris]

It appears that recent changes in SSL have gone beyond what is covered in the base Python 2.7.

I was able to make all of my issues go away by upgrading to Python 2.7.9

I am running on a Mac but have chosen to use Vagrant to isolate my configuration and allow for easy sharing

I have attached my Vagrant setup files.

You can either try running them directly or review the contents of provision.sh to see how I upgraded to a later version of Python

Thanks,

Craig

[deep...@gmail.com]

Hi!! Any  further update on this? I'm facing the same issue too. Appreciate any inputs in this regard.

[grey....@gmail.com]

Hi, deep. 

Could you explain what 'the same issue' means? And attach your bzt.log, please.

---

Taras

[deep...@gmail.com]

Hi,

It appeared that my corporate proxy may have been playing a part for this SSL Certificate error. I've tried running proxy2jmx from my home & mobile networks and seems to have run through fine.

Thanks,

Deepak

On Wednesday, June 28, 2017 at 5:01:01 PM UTC+10, Jar Rod wrote:

[grey....@gmail.com]

Thanks for info, Deepak.

---

Taras

[deep...@gmail.com]

Hi.. I'm troubleshooting [SSL: CERTIFICATE_VERIFY_FAILED]error when running Taurus Proxy2JMX behind my company's proxy. I've updated cacert.pem with relevant certificate fingerprints, under both Python3.4 and 3.64 versions but seeing the below error despite sending through the correct Blazemeter API Key (with 2 parts). Any more inputs/clues please? I would highly appreciate any help/assistance in this regard.

Network Error: API call error https://a.blazemeter.com/api/latest/proxy: {'code': 401, 'message': 'Unauthorized'}

On Wednesday, June 28, 2017 at 5:01:01 PM UTC+10, Jar Rod wrote:

[Andrey Pokhilko]

Hi,

Did you specify your BlazeMeter API key? Also, if your proxy requires authentication, did you specify it inside YAML settings?

Andrey Pohilko Chief Scientist P: +7 (909) 631-21-69

08.02.2018 05:47, deep...@gmail.com пишет:

CAUTION: This email originated from outside of CA. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Hi.. I'm troubleshoot this error when running Taurus Proxy2JMX through my company's proxy. I've updated cacert.pem under both Python3.4 and 3.64 versions with relevant certificate fingerprints but seeing the below error despite sending through the correct Blazemeter API Key (with 2 parts). Any more inputs/clues please? I would highly appreciate any help/assistance in this regard.

Network Error: API call error https://a.blazemeter.com/api/latest/proxy: {'code': 401, 'message': 'Unauthorized'}



On Wednesday, June 28, 2017 at 5:01:01 PM UTC+10, Jar Rod wrote:

--
You received this message because you are subscribed to the Google Groups "codename-taurus" group.
To unsubscribe from this group and stop receiving emails from it, send an email to codename-taur...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/codename-taurus/d0f50d56-b290-4758-83f1-18019dd91ec5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[deep...@gmail.com]

Hi Andrey,

Yes, i did specify my Blazemeter API key and have also tried passing in my credentials for proxy authentication but still no luck. 

For your reference, please find my convert_to_jmx.yml below. (have masked my API key and credentials). Please let me know if you have any further inputs/suggestions.

---

settings:

  proxy:

    address: proxy.threatpulse.net:8080

    username:XXXX

    password: XXXXX

  

execution:

- executor: selenium

  iterations: 1

  scenario: trial

            

scenarios:

  trial:

    script: C:/Program Files/Taurus/examples/selenium/LFS-ODDS/src/test/java/com/lfs/odds/runner/RunCukesTest.java

    additional-classpath: 

    - C:/Program Files/Taurus/examples/selenium/LFS-ODDS/src/test/java/com/lfs/odds/utility/HtmlReport.jar

    - C:/Program Files/Taurus/examples/selenium/LFS-ODDS/src/test/java/com/lfs/odds/utility/Log4j.jar

    - C:/Program Files/Taurus/examples/selenium/LFS-ODDS/src/test/java/com/lfs/odds/runner/cucumber-junit-1.2.4

        

services:

- module: proxy2jmx

modules:

  blazemeter:

    token: xxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Andrey Pokhilko]

Sorry, I'm out of ideas here. Seems your proxy is unable to pass through Python traffic.

Andrey Pohilko Chief Scientist P: +7 (909) 631-21-69

09.02.2018 01:34, deep...@gmail.com пишет:

To view this discussion on the web visit https://groups.google.com/d/msgid/codename-taurus/9a8d36e7-88be-4cb7-9ee6-27544a68e569%40googlegroups.com.

[Jar Rod]

- Try a few different options for the proxy username including domain, email style username. e.g. threatpulse\deepak or dee...@threatpulse.net

- Whitelist both a.blazemeter.com and data.blazemeter.com on your proxy. Both port 443.

Some proxies may have an additional user step to accept terms and conditions when navigating to non-whitelisted sites.   Taurus does not support this.  This will affect both the blazemeter report data calls as well as your JMeter scripts.

[deep...@gmail.com]

Hi,

I already have both a.blazemeter.com and data.blazemeter,com URL's whitelisted on my proxy/corporate network but still the same error. As another trial, I've also had these URL's exempted from SSL Interception within my corporate network and below is the error (both Python 3.5 and 3.6.4) from this run. Any more inputs please?

[2018-02-12 10:01:49,074 ERROR root] ConnectionError: ('Connection aborted.', OSError(10038, 'An operation was attempted on something that is not a socket', None, 10038, None))

  File "C:\Program Files\Python35\lib\site-packages\bzt\cli.py", line 248, in perform

    self.engine.prepare()

  File "C:\Program Files\Python35\lib\site-packages\bzt\engine.py", line 165, in prepare

    self.__prepare_services()

  File "C:\Program Files\Python35\lib\site-packages\bzt\engine.py", line 554, in __prepare_services

    module.prepare()

  File "C:\Program Files\Python35\lib\site-packages\bzt\modules\proxy2jmx.py", line 56, in prepare

    self.proxy_addr = self.proxy.get_addr()

  File "C:\Program Files\Python35\lib\site-packages\bzt\bza.py", line 736, in get_addr

    response = self._request(self.address + '/api/latest/proxy')

  File "C:\Program Files\Python35\lib\site-packages\bzt\bza.py", line 87, in _request

    response = self.http_request(method=log_method, url=url, data=data, headers=headers, timeout=self.timeout)

  File "C:\Program Files\Python35\lib\site-packages\requests\sessions.py", line 508, in request

    resp = self.send(prep, **send_kwargs)

  File "C:\Program Files\Python35\lib\site-packages\requests\sessions.py", line 618, in send

    r = adapter.send(request, **kwargs)

  File "C:\Program Files\Python35\lib\site-packages\requests\adapters.py", line 503, in send

    raise ConnectionError(err, request=request)

[Sarvesh Dubey]

I was able to get reporting over corporate poxy by setting http_proxy and https_proxy env variables on windows machine. refer https://stackoverflow.com/questions/11726881/how-to-set-an-http-proxy-in-python-2-7

[Brian King]

You are likely on a network where the proxy is monitoring your traffic by inserting itself in the middle of the communication by using a fake cert.

You have a few options, 2 of which are:

1) obtain the CA cert (public portion) and install it in your python certifi modules cacert.pem (.../lib/python3.7/site-packages/pip/_vendor/certifi/cacert.pem). This will tell python/bzt to accept the fake certs signed by your corporations fake CA. If your corporate proxy works from your windows machine, you can likely find this cert in the windows cert store (Run certmgr.msc, look in "Trusted Root Cert...")

or

2) disable bzt certificate checking.

  a)  Create a proxy.yaml file with the following, and add "proxy.yaml' to all your bzt command lines so that this option will be merged into your test config

  settings:

    proxy:

      ssl-cert: false

or b) add "-o settings.proxy.ssl-cert=false" to all your bzt command lines.

Choosing option 2, you will get warnings like the following which won't impact your tests, and assuming your corporate proxy is doing the verification for you, shouldn't be too unsafe either (although someone inside your network could impersonate your proxy):

    InsecureRequestWarning: Unverified HTTPS request is being made to host 'gettaurus.org'. Adding certificate verification is strongly advised.