Has anyone had success with fixing SSL CERTIFICATE_VERIFY_FAILED on a Corporate Network


jrod...@gmail.com

Jun 28, 2017, 3:01:01 AM
to codename-taurus
I'm experiencing the below SSL Certificate Error whilst trying to use the -report flag.  This also prevents the PluginsManager from connecting as well.

The root cause appears to be that our corporate network issues a certificate that fails validation.  Anything that goes through python seems to fail (i.e. pip).

Things tried:
- Upgraded to python3.6 (below example is from prior to my upgrade)
- installed certifi
- ran on a non corporate network (works fine)
- ran on Linux, Mac, Windows
- imported the corporate Cert to the openSSL folder & the python cert folder.
- read just about every single solution on Stack Overflow (which hasn't worked).
- re-installed everything, got the latest versions on everything, upgraded, downgraded
- prayed to multiple gods
- yelled at Karen from finance (sorry Karen, having a bad day)

Unfortunately I'm unable to crack the correct solution for this on any of the operating systems. Either I'm doing something fundamentally wrong, or the corporate network cert is the cause (which I can't change).

The questions:
1) Has anyone had success in fixing the issue, if so how? I suspect I'm doing the Cert install wrong?
2) Andrey, is it possible to introduce a feature to toggle on "verify=False" in the call to Blazemeter Reporting?  I updated the bza.py file to the following and my reports are working fine in Blazemeter now.  I'd rather a supported feature than a hack if possible.
response = self.http_request(method=log_method, url=url, data=data, headers=headers, cookies=self._cookies,
                                     timeout=self.timeout, verify=False)

Error

11:56:10 WARNING: No BlazeMeter API key provided, will upload anonymously
11:56:11 ERROR: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/bzt/cli.py", line 215, in perform
    self.engine.prepare()
  File "/usr/local/lib/python2.7/site-packages/bzt/engine.py", line 132, in prepare
    self.__prepare_reporters()
  File "/usr/local/lib/python2.7/site-packages/bzt/engine.py", line 485, in __prepare_reporters
    module.prepare()
  File "/usr/local/lib/python2.7/site-packages/bzt/modules/blazemeter.py", line 183, in prepare
    self._user.ping()  # to check connectivity and auth
  File "/usr/local/lib/python2.7/site-packages/bzt/bza.py", line 146, in ping
    self._request(self.address + '/api/v4/web/version')
  File "/usr/local/lib/python2.7/site-packages/bzt/bza.py", line 85, in _request
    timeout=self.timeout)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

ta...@blazemeter.com

Jun 28, 2017, 3:36:15 AM
to codename-taurus, jrod...@gmail.com
Hi
Thanks for the idea, we'll discuss it.

---
Taras

Craig Harris

Jul 9, 2017, 12:18:13 AM
to codename-taurus, jrod...@gmail.com
It appears that recent changes in SSL have gone beyond what is covered in the base Python 2.7.
I was able to make all of my issues go away by upgrading to Python 2.7.9.
I am running on a Mac but have chosen to use Vagrant to isolate my configuration and allow for easy sharing.

I have attached my Vagrant setup files.
You can either try running them directly or review the contents of provision.sh to see how I upgraded to a later version of Python.

Thanks,

Craig
provision.sh
Vagrantfile

deep...@gmail.com

Jan 22, 2018, 12:12:12 AM
to codename-taurus
Hi!! Any further update on this? I'm facing the same issue too. Appreciate any inputs in this regard.

grey....@gmail.com

Jan 23, 2018, 12:23:15 AM
to codename-taurus
Hi, deep. 
Could you explain what 'the same issue' means? And attach your bzt.log, please.

---
Taras

deep...@gmail.com

Jan 23, 2018, 6:13:29 PM
to codename-taurus
Hi,

It appeared that my corporate proxy may have been playing a part for this SSL Certificate error. I've tried running proxy2jmx from my home & mobile networks and seems to have run through fine.

Thanks,
Deepak


On Wednesday, June 28, 2017 at 5:01:01 PM UTC+10, Jar Rod wrote:

grey....@gmail.com

Jan 24, 2018, 12:12:02 AM
to codename-taurus
Thanks for info, Deepak.
---
Taras

deep...@gmail.com

Feb 7, 2018, 10:31:05 PM
to codename-taurus
Hi.. I'm troubleshooting the [SSL: CERTIFICATE_VERIFY_FAILED] error when running Taurus Proxy2JMX behind my company's proxy. I've updated cacert.pem with relevant certificate fingerprints, under both Python3.4 and 3.64 versions but seeing the below error despite sending through the correct Blazemeter API Key (with 2 parts). Any more inputs/clues please? I would highly appreciate any help/assistance in this regard.

Network Error: API call error https://a.blazemeter.com/api/latest/proxy: {'code': 401, 'message': 'Unauthorized'}


On Wednesday, June 28, 2017 at 5:01:01 PM UTC+10, Jar Rod wrote:

Andrey Pokhilko

Feb 8, 2018, 2:05:08 AM
to codenam...@googlegroups.com

Hi,

Did you specify your BlazeMeter API key? Also, if your proxy requires authentication, did you specify it inside YAML settings?


Andrey Pohilko
Chief Scientist
P: +7 (909) 631-21-69
BlazeMeter Inc.
08.02.2018 05:47, deep...@gmail.com wrote:

Hi.. I'm troubleshooting this error when running Taurus Proxy2JMX through my company's proxy. I've updated cacert.pem under both Python3.4 and 3.64 versions with relevant certificate fingerprints but seeing the below error despite sending through the correct Blazemeter API Key (with 2 parts). Any more inputs/clues please? I would highly appreciate any help/assistance in this regard.


Network Error: API call error https://a.blazemeter.com/api/latest/proxy: {'code': 401, 'message': 'Unauthorized'}



On Wednesday, June 28, 2017 at 5:01:01 PM UTC+10, Jar Rod wrote:

deep...@gmail.com

Feb 8, 2018, 5:34:21 PM
to codename-taurus
Hi Andrey,

Yes, I did specify my Blazemeter API key and have also tried passing in my credentials for proxy authentication but still no luck.
For your reference, please find my convert_to_jmx.yml below. (have masked my API key and credentials). Please let me know if you have any further inputs/suggestions.

---
settings:
  proxy:
    username: XXXX
    password: XXXXX
  
execution:
- executor: selenium
  iterations: 1
  scenario: trial
            
scenarios:
  trial:
    script: C:/Program Files/Taurus/examples/selenium/LFS-ODDS/src/test/java/com/lfs/odds/runner/RunCukesTest.java
    additional-classpath: 
    - C:/Program Files/Taurus/examples/selenium/LFS-ODDS/src/test/java/com/lfs/odds/utility/HtmlReport.jar
    - C:/Program Files/Taurus/examples/selenium/LFS-ODDS/src/test/java/com/lfs/odds/utility/Log4j.jar
    - C:/Program Files/Taurus/examples/selenium/LFS-ODDS/src/test/java/com/lfs/odds/runner/cucumber-junit-1.2.4
        
services:
- module: proxy2jmx

modules:
  blazemeter:
    token: xxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Andrey Pokhilko

Feb 9, 2018, 2:45:24 AM
to codenam...@googlegroups.com

Sorry, I'm out of ideas here. Seems your proxy is unable to pass through Python traffic.


Andrey Pohilko
Chief Scientist
P: +7 (909) 631-21-69
BlazeMeter Inc.
09.02.2018 01:34, deep...@gmail.com wrote:

Jar Rod

Feb 9, 2018, 3:37:01 PM
to codename-taurus
- Try a few different options for the proxy username including domain, email style username. e.g. threatpulse\deepak or dee...@threatpulse.net
- Whitelist both a.blazemeter.com and data.blazemeter.com on your proxy. Both port 443.

Some proxies may have an additional user step to accept terms and conditions when navigating to non-whitelisted sites. Taurus does not support this. This will affect both the blazemeter report data calls as well as your JMeter scripts.

deep...@gmail.com

Feb 11, 2018, 6:39:48 PM
to codename-taurus
Hi,

I already have both a.blazemeter.com and data.blazemeter.com URLs whitelisted on my proxy/corporate network but still the same error. As another trial, I've also had these URLs exempted from SSL Interception within my corporate network and below is the error (both Python 3.5 and 3.6.4) from this run. Any more inputs please?

[2018-02-12 10:01:49,074 ERROR root] ConnectionError: ('Connection aborted.', OSError(10038, 'An operation was attempted on something that is not a socket', None, 10038, None))
  File "C:\Program Files\Python35\lib\site-packages\bzt\cli.py", line 248, in perform
    self.engine.prepare()
  File "C:\Program Files\Python35\lib\site-packages\bzt\engine.py", line 165, in prepare
    self.__prepare_services()
  File "C:\Program Files\Python35\lib\site-packages\bzt\engine.py", line 554, in __prepare_services
    module.prepare()
  File "C:\Program Files\Python35\lib\site-packages\bzt\modules\proxy2jmx.py", line 56, in prepare
    self.proxy_addr = self.proxy.get_addr()
  File "C:\Program Files\Python35\lib\site-packages\bzt\bza.py", line 736, in get_addr
    response = self._request(self.address + '/api/latest/proxy')
  File "C:\Program Files\Python35\lib\site-packages\bzt\bza.py", line 87, in _request
    response = self.http_request(method=log_method, url=url, data=data, headers=headers, timeout=self.timeout)
  File "C:\Program Files\Python35\lib\site-packages\requests\sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Program Files\Python35\lib\site-packages\requests\sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "C:\Program Files\Python35\lib\site-packages\requests\adapters.py", line 503, in send
    raise ConnectionError(err, request=request)

Sarvesh Dubey

Apr 30, 2018, 6:28:13 AM
to codename-taurus
I was able to get reporting over the corporate proxy by setting the http_proxy and https_proxy env variables on a Windows machine. Refer to https://stackoverflow.com/questions/11726881/how-to-set-an-http-proxy-in-python-2-7

Brian King

Sep 21, 2020, 7:18:18 PM
to codename-taurus
You are likely on a network where the proxy is monitoring your traffic by inserting itself in the middle of the communication by using a fake cert.
You have a few options, 2 of which are:

1) obtain the CA cert (public portion) and install it in your Python certifi module's cacert.pem (.../lib/python3.7/site-packages/pip/_vendor/certifi/cacert.pem). This will tell python/bzt to accept the fake certs signed by your corporation's fake CA. If your corporate proxy works from your Windows machine, you can likely find this cert in the Windows cert store (Run certmgr.msc, look in "Trusted Root Cert...")

or

2) disable bzt certificate checking.
  a) Create a proxy.yaml file with the following, and add "proxy.yaml" to all your bzt command lines so that this option will be merged into your test config:
  settings:
    proxy:
      ssl-cert: false

or b) add "-o settings.proxy.ssl-cert=false" to all your bzt command lines.

Choosing option 2, you will get warnings like the following which won't impact your tests, and assuming your corporate proxy is doing the verification for you, shouldn't be too unsafe either (although someone inside your network could impersonate your proxy):

    InsecureRequestWarning: Unverified HTTPS request is being made to host 'gettaurus.org'. Adding certificate verification is strongly advised.
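
Option 1 above without editing a cacert.pem inside site-packages, as an added example that is not part of the original thread: it merges a corporate root CA into a copy of the public bundle and returns the SHA-256 fingerprint of each certificate it adds, so the value can be compared with the one the network team publishes before it is trusted. The `fake_pem` stand-ins are constructed, and that bzt picks up `REQUESTS_CA_BUNDLE` (an environment variable the `requests` library honours) is an assumption.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PEM_FMT = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"


def pem_certs(text):
    """Map SHA-256 fingerprint of the DER bytes -> normalised PEM block."""
    certs = {}
    for body in PEM_RE.findall(text):
        # validate=True rejects a block whose base64 body is corrupted
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        pem = PEM_FMT.format("\n".join(textwrap.wrap(b64, 64)))
        certs[hashlib.sha256(der).hexdigest()] = pem
    return certs


def merge_bundles(base_text, corporate_text):
    """Return (merged bundle text, fingerprints newly added from corporate_text)."""
    base = pem_certs(base_text)
    extra = pem_certs(corporate_text)
    if not extra:
        raise ValueError("no PEM certificate found in the corporate CA file")
    added = [fp for fp in extra if fp not in base]  # skip CAs already trusted
    merged = base_text.rstrip("\n") + "\n"
    for fp in added:
        merged += "\n# added: corporate CA, sha256={}\n{}".format(fp, extra[fp])
    return merged, added


def fake_pem(seed):
    # Constructed stand-in bytes, NOT a real certificate; enough to exercise merging.
    b64 = base64.b64encode(hashlib.sha512(seed).digest()).decode("ascii")
    return PEM_FMT.format("\n".join(textwrap.wrap(b64, 64)))


if __name__ == "__main__":
    public_bundle = fake_pem(b"public-root-1") + fake_pem(b"public-root-2")
    corporate_ca = fake_pem(b"corp-root") + fake_pem(b"public-root-1")  # one duplicate
    merged, added = merge_bundles(public_bundle, corporate_ca)
    print("certificates added:", added)
    # Real use (assumption): base_text = open(certifi.where()).read(); write
    # `merged` to a new file and set REQUESTS_CA_BUNDLE to it before starting bzt.
```

`requests` resolves its default bundle through `certifi.where()`, which points at the standalone certifi package rather than pip's vendored copy. A separate merged file also survives package upgrades that would overwrite an edited cacert.pem.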
  
