Forum Discussion

mishpan_70054's avatar
mishpan_70054
Icon for Nimbostratus rankNimbostratus
Jan 27, 2015

issue while using -pyControl with python2.7 (SSL: CERTIFICATE_VERIFY_FAILED)

While using python2.7 with pyControl, i am getting below error. After googling i have found that in python2.7 when script try to connect to LB it's try to verifiy the certifcate lb preseting and that's where it failing. Can some suggest some solution

 

b = pc.BIGIP( hostname = '192.168.0.54', username = 'admin', password = 'abc @123', fromurl = True, wsdls = ['LocalLB.Pool']) Traceback (most recent call last): File "", line 1, in File "C:\Python27\lib\site-packages\pycontrol\pycontrol.py", line 103, in in it self.clients = self._get_clients() File "C:\Python27\lib\site-packages\pycontrol\pycontrol.py", line 145, in _get _clients sudsclient = self._get_suds_client(url,**self.kw) File "C:\Python27\lib\site-packages\pycontrol\pycontrol.py", line 190, in _get _suds_client password=self.password,doctor=DOCTOR,**kw) File "C:\Python27\lib\site-packages\suds\client.py", line 112, in init self.wsdl = reader.open(url) File "C:\Python27\lib\site-packages\suds\reader.py", line 152, in open d = self.fn(url, self.options) File "C:\Python27\lib\site-packages\suds\wsdl.py", line 136, in init d = reader.open(url) File "C:\Python27\lib\site-packages\suds\reader.py", line 79, in open d = self.download(url) File "C:\Python27\lib\site-packages\suds\reader.py", line 95, in download fp = self.options.transport.open(Request(url)) File "C:\Python27\lib\site-packages\suds\transport\https.py", line 60, in open return HttpTransport.open(self, request)

 

File "C:\Python27\lib\site-packages\suds\transport\http.py", line 62, in open return self.u2open(u2request) File "C:\Python27\lib\site-packages\suds\transport\http.py", line 118, in u2op en return url.open(u2request, timeout=tm) File "C:\Python27\lib\urllib2.py", line 431, in open response = self._open(req, data) File "C:\Python27\lib\urllib2.py", line 449, in _open '_open', req) File "C:\Python27\lib\urllib2.py", line 409, in _call_chain result = func(*args) File "C:\Python27\lib\urllib2.py", line 1240, in https_open context=self._context) File "C:\Python27\lib\urllib2.py", line 1197, in do_open raise URLError(err) urllib2.URLError:

 

devops
iControl

12 Replies

Sort By
  • mishpan_70054's avatar
    mishpan_70054
    Icon for Nimbostratus rankNimbostratus
    Jan 27, 2015
    also just tried by bigsuds getting same error

    b = bigsuds.BIGIP(hostname = '192.168.0.54', username = 'admin', password = 'abc@123',) b.GlobalLB.Pool.get_list() Traceback (most recent call last): File "", line 1, in File "bigsuds.py", line 313, in getattr client = self._client_creator('%s.%s' % (self._name, attr)) File "bigsuds.py", line 142, in _create_client raise Connecti (str(e)) bigsuds.Connecti :

     

  • mishpan_70054's avatar
    mishpan_70054
    Icon for Nimbostratus rankNimbostratus
    Jan 28, 2015

    hi mimlo

     

    i have added the certificate as suggest till getting same error :-(

     

    • mimlo_61970's avatar
      mimlo_61970
      Icon for Cumulonimbus rankCumulonimbus
      Jan 28, 2015
      what version of python do you have? I cannot duplicate in 2.7.6 Also, if you use wget or curl to access the F5 URL, do you get a cert error? If you do, the ca cert is not installed correctly.
  • mishpan_70054's avatar
    mishpan_70054
    Icon for Nimbostratus rankNimbostratus
    Jan 29, 2015

    Hi mimlo, i have downgrade to python2.6, now i am able to run all command's.

     

  • Bernie_10630's avatar
    Bernie_10630
    Icon for Nimbostratus rankNimbostratus
    May 01, 2015

    Yes, this is a problem in 2.7.9. 2.7.9 has lots of change regarding how ssl is handle. urllib2 is affected by this and is what suds uses which is a requirement for bigsuds. This should not be a problem if you have valid and verify able cert with a CA chain.

     

  • John_Gruber_432's avatar
    John_Gruber_432
    Historic F5 Account
    Jun 08, 2015

    Your python urllib2 is requiring the use of ssl.context which the old python suds modules does not support. Python suds (which pycontrol uses for SOAP object creation/request marshalling) is not actively being maintained by our friends at RedHat anymore. The recommendation is that you move over to using the python requests modules and the iControl REST API.

    Having said that, we know you can not move to iControl REST in production for BIG-IPs running TMOS earlier then 11.5.0. So it is back to the SOAP interfaces.

    The added security check in the python ssl module is a good thing as it should force us to using non-self signed certificates on our devices. It however can be extremely annoying when you are attempting to use pycontrol to perform device onboarding, thus living with what we ship.

    Have no fear... python patching can come to the rescue. Here is an example of run time patching the python modules in question to add a 'non-valididated' ssl context for use with pycontrol:

    import urllib2

    import ssl from suds import transport from suds.client import Client from suds.xsd.doctor import Import, ImportDoctor from pycontrol import pycontrol

    IMP = Import('http://schemas.xmlsoap.org/soap/encoding/') DOCTOR = ImportDoctor(IMP) ICONTROL_URI = '/iControl/iControlPortal.cgi' SESSION_WSDL = 'System.Session'

    class HTTPSUnVerifiedCertTransport(transport.https.HttpAuthenticated): def __init__(self, *args, **kwargs): transport.https.HttpAuthenticated.__init__(self, *args, **kwargs) def u2handlers(self): handlers = [] handlers.append(urllib2.ProxyHandler(self.proxy)) handlers.append(urllib2.HTTPBasicAuthHandler(self.pm)) python ssl Context support - PEP 0466 if hasattr(ssl, '_create_unverified_context'): ssl_context = ssl._create_unverified_context() handlers.append(urllib2.HTTPSHandler(context=ssl_context)) else: handlers.append(urllib2.HTTPSHandler()) return handlers

    def new_get_suds_client(self, url, **kw): if not url.startswith("https"): t = transport.http.HttpAuthenticated(username=self.username, password=self.password) c = Client(url, transport=t, username=self.username, password=self.password, doctor=DOCTOR, **kw) else: t = HTTPSUnVerifiedCertTransport(username=self.username, password=self.password) c = Client(url, transport=t, username=self.username, password=self.password, doctor=DOCTOR, **kw) return c

    pycontrol.BIGIP._get_suds_client = new_get_suds_client device = pycontrol.BIGIP(hostname='192.168.245.1', username='admin', password='admin', fromurl=True, wsdls=['LocalLB.Pool'])

    Happy iControling..

    John

  • John_Gruber_432's avatar
    John_Gruber_432
    Historic F5 Account
    Jun 08, 2015

    Let's try that again.. I'll stop fighting Dev Central and use an 'acceptable browser'... Here is the code example to runtime patch suds:

     

    import urllib2
import ssl
from suds import transport
from suds.client import Client
from suds.xsd.doctor import Import, ImportDoctor
from pycontrol import pycontrol

IMP = Import('[http://schemas.xmlsoap.org/soap/encoding/](http://schemas.xmlsoap.org/soap/encoding/)')
DOCTOR = ImportDoctor(IMP)
ICONTROL_URI = '/iControl/iControlPortal.cgi'
SESSION_WSDL = 'System.Session'

class HTTPSUnVerifiedCertTransport(transport.https.HttpAuthenticated):
    def __init__(self, *args, **kwargs):
        transport.https.HttpAuthenticated.__init__(self, *args, **kwargs)
    def u2handlers(self):
        handlers = []
        handlers.append(urllib2.ProxyHandler(self.proxy))
        handlers.append(urllib2.HTTPBasicAuthHandler(self.pm))
         python ssl Context support - PEP 0466
        if hasattr(ssl, '_create_unverified_context'):
            ssl_context = ssl._create_unverified_context()
            handlers.append(urllib2.HTTPSHandler(context=ssl_context))
        else:
            handlers.append(urllib2.HTTPSHandler())
        return handlers

def new_get_suds_client(self, url, **kw):
        if not url.startswith("https"):
            t = transport.http.HttpAuthenticated(username=self.username,
                                                 password=self.password)
            c = Client(url, transport=t, username=self.username,
                         password=self.password, doctor=DOCTOR, **kw)
        else:
            t = HTTPSUnVerifiedCertTransport(username=self.username,
                                             password=self.password)
            c = Client(url, transport=t, username=self.username,
                         password=self.password, doctor=DOCTOR, **kw)
        return c

pycontrol.BIGIP._get_suds_client = new_get_suds_client
device = pycontrol.BIGIP(hostname='192.168.245.1', username='admin', password='admin', fromurl=True, wsdls=['LocalLB.Pool'])