Last modified: 2014-09-17 10:54:28 UTC
Running a simple pywikibot script gives an error that my server has an invalid certificate, then it retries, and seems to ignore that issue and succeeds. In the error, it reports the certificate for a different domain that my server also hosts, probably because either 1. it is the domain used for reverse DNS, or 2. it is the domain which my server redirects to for URLs containing the IP address. Pywikibot should get the certificate for the domain I configured it to use. Here is the error output.

    ERROR: Traceback (most recent call last):
      File "/root/opt/pywikibot/pywikibot/data/api.py", line 298, in submit
        body=paramstring)
      File "/root/opt/pywikibot/pywikibot/comms/http.py", line 174, in request
        raise request.data
    CertificateHostnameMismatch: Server presented certificate that does not match host ofswiki.org: {'notAfter': 'May 23 20:21:24 2015 GMT', 'subjectAltName': (('DNS', 'www.iankelling.org'), ('DNS', 'iankelling.org')), 'subject': ((('description', u'0NEmhfbNSxh2R2RF'),), (('countryName', u'US'),), (('commonName', u'www.iankelling.org'),), (('emailAddress', u'REDACTED-AT-iankelling.org'),))}
I can reproduce this with a custom family file I created for ofswiki (thank you for reporting which wiki this occurred on).

The core problem is that httplib2 <https://github.com/jcgregorio/httplib2> complains about this.

    $ python
    >>> import httplib2
    >>> httplib2.__version__
    '0.9'
    >>> httplib2.Http().request('https://ofswiki.org/')
    Traceback (most recent call last):
      File "<console>", line 1, in <module>
      File ".../httplib2/__init__.py", line 1593, in request
        (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
      File ".../httplib2/__init__.py", line 1335, in _request
        (response, content) = self._conn_request(conn, request_uri, method, body, headers)
      File ".../httplib2/__init__.py", line 1257, in _conn_request
        conn.connect()
      File ".../httplib2/__init__.py", line 1032, in connect
        'host %s: %s' % (hostname, cert), hostname, cert)
    CertificateHostnameMismatch: Server presented certificate that does not match host ofswiki.org: {'notAfter': 'May 23 20:21:24 2015 GMT', 'subjectAltName': (('DNS', 'www.iankelling.org'), ('DNS', 'iankelling.org')), 'subject': ((('description', u'0NEmhfbNSxh2R2RF'),), (('countryName', u'US'),), (('commonName', u'www.iankelling.org'),), (('emailAddress', u'REDACTED-AT-iankelling.org'),))}

Compare that with

    httplib2.Http().request('https://en.wikipedia.org/')

And this works like a charm:

    >>> httplib2.Http(disable_ssl_certificate_validation=True).request('https://ofswiki.org/')

The fact that it only checks the SSL certificate once is reported here:

https://github.com/jcgregorio/httplib2/issues/243

I can't quickly see an issue related to the certificate problem you are experiencing.

https://github.com/jcgregorio/httplib2/issues

If you can find it, or create a new issue, add it to our related URLs.
Thank you John. I will investigate and report it upstream to httplib2 and add the bug url to the related URLs.
Change 160189 had a related patch set uploaded by John Vandenberg: Add ability to ignore SSL certificate errors https://gerrit.wikimedia.org/r/160189
Change 160189 merged by jenkins-bot: Add ability to ignore SSL certificate errors https://gerrit.wikimedia.org/r/160189
Ian, you may now add 'def ignore_certificate_error(self, code): return True' to your family file to tell httplib2 to not verify the SSL certificate for that family. Please re-open if it doesn't work, but also drop in a note if httplib2 has fixed the problem on their side.
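The CertificateHostnameMismatch in this thread can be reproduced offline from the name fields printed in the error. The following is an added example, not code from pywikibot or httplib2: the function names are hypothetical, and the matching rules (DNS subjectAltName before commonName, wildcard only as the whole left-most label) are a simplified form of standard hostname verification.

```python
# Added example: hostname check over a cert dict in ssl.getpeercert() format.
# PAGE_CERT reproduces the name fields from the error quoted in this thread.
PAGE_CERT = {
    'notAfter': 'May 23 20:21:24 2015 GMT',
    'subjectAltName': (('DNS', 'www.iankelling.org'), ('DNS', 'iankelling.org')),
    'subject': ((('countryName', 'US'),), (('commonName', 'www.iankelling.org'),)),
}


def cert_dns_names(cert):
    """Return the names a client must match against.

    DNS subjectAltName entries take precedence; commonName is only a
    fallback when the certificate carries no DNS SAN at all.
    """
    sans = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if sans:
        return sans
    return [v for rdn in cert.get('subject', ()) for k, v in rdn
            if k == 'commonName']


def name_matches(pattern, host):
    """Case-insensitive match; '*' may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip('.').split('.')
    h_labels = host.lower().rstrip('.').split('.')
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == '*':
        # Require at least two fixed labels so '*.org' cannot match.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_host(cert, host):
    """Return (ok, presented_names) for the host the client asked for."""
    names = cert_dns_names(cert)
    return any(name_matches(n, host) for n in names), names


if __name__ == '__main__':
    for host in ('ofswiki.org', 'iankelling.org', 'www.iankelling.org'):
        ok, names = check_host(PAGE_CERT, host)
        print('%-20s %s (certificate names: %s)'
              % (host, 'match' if ok else 'MISMATCH', ', '.join(names)))
```

Running the same check on the certificate a server returns for the configured hostname shows whether the wrong certificate is being presented or the right one simply lacks the name, which is worth settling before verification is turned off for a family.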