
https://opendap.larc.nasa.gov certificate error

Posted: Mon Apr 17, 2023 8:01 am America/New_York
by swesemeyer
Hi,

Using the Python requests module, I have previously successfully connected to "https://opendap.larc.nasa.gov/opendap/hyrax/CERES/FLASH/TISA/Terra-Aqua_Version4A" without any issues.

However, I noticed today that the connection fails with an ssl error:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

Digging into this problem a bit deeper, I found that openssl cannot verify the certificate:

openssl s_client -connect opendap.larc.nasa.gov:443 -showcerts

CONNECTED(00000003)
depth=0 C = US, ST = Virginia, L = Hampton, O = NASA Langley Research Center, CN = opendap.larc.nasa.gov
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Virginia, L = Hampton, O = NASA Langley Research Center, CN = opendap.larc.nasa.gov
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Virginia, L = Hampton, O = NASA Langley Research Center, CN = opendap.larc.nasa.gov
verify return:1
---
Certificate chain
0 s:C = US, ST = Virginia, L = Hampton, O = NASA Langley Research Center, CN = opendap.larc.nasa.gov
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 7 00:00:00 2023 GMT; NotAfter: Apr 26 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = Virginia, L = Hampton, O = NASA Langley Research Center, CN = opendap.larc.nasa.gov
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2360 bytes and written 451 bytes
Verification error: unable to verify the first certificate
<snip>

Start Time: 1681731578
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no

Neither Firefox nor Chrome shows that behaviour and once I add the certificate chain as provided by Firefox to my cacert file, my code works again.

Now clearly the certificate was updated recently (07/04/23) so my problem probably started then...

The thing I cannot work out is why both Chrome and Firefox seem to be able to validate the certificate chain but openssl fails (which ultimately causes my Python code to fail). The Python certifi module which provides the cacert file is the most up-to-date one (2022.12.7) and is based (I believe) on the latest Mozilla certificate.txt file.

Any suggestion?

Kind regards,
Steve

Re: https://opendap.larc.nasa.gov certificate error

Posted: Wed Apr 19, 2023 5:59 am America/New_York
by swesemeyer
This is now resolved.
It appears that the configuration of the webserver hosting OPENDAP.LARC.NASA.GOV did not serve intermediate certificates after the recent update to its certificate but that has now been corrected.
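
An added example, not part of the original posts: a small Python check that reads the "Certificate chain" section of `openssl s_client -showcerts` output and reports when the server stops short of a trusted root, which is the missing-intermediate condition described above. The function names, the `ROOTS` set and both sample outputs are constructed for illustration; the root name for the corrected chain is an assumption.

```python
import re

# Constructed sample modelled on the s_client output in the first post:
# the server sends only the leaf certificate.
BROKEN = """\
Certificate chain
 0 s:C = US, O = NASA Langley Research Center, CN = opendap.larc.nasa.gov
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
---
"""
# Constructed sample of a corrected server that also sends the intermediate.
FIXED = """\
Certificate chain
 0 s:C = US, O = NASA Langley Research Center, CN = opendap.larc.nasa.gov
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
"""
# Assumption: subject names of roots in the local trust store (constructed).
ROOTS = {"C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2"}

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject, in_chain = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Certificate chain":
            in_chain = True
        elif in_chain and line == "---":
            break  # end of the chain section
        elif in_chain and (m := re.match(r"\d+\s+s:(.*)", line)):
            subject = m.group(1)
        elif in_chain and line.startswith("i:") and subject is not None:
            chain.append((subject, line[2:]))
    return chain

def diagnose(text, roots):
    """List the gaps that stop a client building a path to a trusted root."""
    chain, problems = parse_chain(text), []
    if not chain:
        return ["no certificates found in output"]
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"out of order or missing: expected {issuer}")
    last_subject, last_issuer = chain[-1]
    if last_issuer not in roots and last_issuer != last_subject:
        problems.append(f"server did not send: {last_issuer}")
    return problems
```

Browsers can often fill such a gap by fetching or caching the missing intermediate, which OpenSSL and Python's ssl module do not do, so a chain that validates in a browser can still fail in scripted clients.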

Re: https://opendap.larc.nasa.gov certificate error

Posted: Wed Apr 19, 2023 3:54 pm America/New_York
by ASDC - rkey
Thank you @swesemeyer for your updated response informing us the certificate issue was corrected.
Best Regards