SSL: CERTIFICATE_VERIFY_FAILED #52

Open
Tomnl opened this issue May 2, 2018 · 9 comments

Tomnl commented May 2, 2018

When using a Galaxy instance that is not secure, is it possible to ignore SSL certificate verification?

e.g. with bioblend the following parameters can be set

gi = bioblend.galaxy.GalaxyInstance(url, api_key)
gi.verify = False

Otherwise I get the following error when trying to install

failed: [galaxy-dev] (item={'name': 'column_maker', 'owner': 'devteam', 'tool_panel_section_id': 'textutil'}) => {"changed": false, "cmd": ["/tmp/venv/bin/shed-tools", "install", "-y", "name: column_maker\nowner: devteam\ntool_panel_section_id: textutil\n", "-a", "7f72a11757132ffbf31de35a59ead848", "-g", "https://metabolomics-dev.galaxy.bham.ac.uk/"], "delta": "0:00:00.274420", "end": "2018-05-02 11:40:32.412191", "failed_when_result": true, "item": {"name": "column_maker", "owner": "devteam", "tool_panel_section_id": "textutil"}, "msg": "non-zero return code", "rc": 1, "start": "2018-05-02 11:40:32.137771", "stderr": "Traceback (most recent call last):\n  File \"/tmp/venv/bin/shed-tools\", line 11, in <module>\n    sys.exit(main())\n  File \"/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_tools.py\", line 744, in main\n    install_tool_manager.install_repositories()\n  File \"/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_tools.py\", line 558, in install_repositories\n    installed_repositories_list = installed_repository_revisions(self.gi)  # installed tools list\n  File \"/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_tools.py\", line 157, in installed_repository_revisions\n    installed_repositories_list = tool_shed_client.get_repositories()\n  File \"/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxy/toolshed/__init__.py\", line 36, in get_repositories\n    return self._get()\n  File \"/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxy/client.py\", line 136, in _get\n    status_code=r.status_code)\nbioblend.ConnectionError: HTTPSConnectionPool(host='metabolomics-dev.galaxy.bham.ac.uk', port=443): Max retries exceeded with url: /api/tool_shed_repositories?key=7f72a11757132ffbf31de35a59ead848 (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)), 0 attempts left: ", "stderr_lines": ["Traceback (most recent call last):", "  File 
\"/tmp/venv/bin/shed-tools\", line 11, in <module>", "    sys.exit(main())", "  File \"/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_tools.py\", line 744, in main", "    install_tool_manager.install_repositories()", "  File \"/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_tools.py\", line 558, in install_repositories", "    installed_repositories_list = installed_repository_revisions(self.gi)  # installed tools list", "  File \"/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_tools.py\", line 157, in installed_repository_revisions", "    installed_repositories_list = tool_shed_client.get_repositories()", "  File \"/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxy/toolshed/__init__.py\", line 36, in get_repositories", "    return self._get()", "  File \"/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxy/client.py\", line 136, in _get", "    status_code=r.status_code)", "bioblend.ConnectionError: HTTPSConnectionPool(host='metabolomics-dev.galaxy.bham.ac.uk', port=443): Max retries exceeded with url: /api/tool_shed_repositories?key=7f72a11757132ffbf31de35a59ead848 (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)), 0 attempts left: "], "stdout": "", "stdout_lines": []
@lecorguille
Member

We have the same issue on our dev instances, which don't have proper SSL certificates (but are behind a VPN).
So far, we have found a trick by using the Galaxy server directly and not the nginx URL (if uwsgi is set with http://0.0.0.0:8080)

@bifxcore

@lecorguille I do not understand what your 'trick' is. Can you explain exactly what you did? (OK in French if that's easier; I'm happy to translate your answer.)

@lecorguille
Member

This trick is to not use a socket but a URL for the communication between uwsgi and nginx. Then use the Galaxy URL directly instead of the nginx one.
Not a big deal

@bifxcore

Thanks @lecorguille but I am not a UNIX sysadmin, I am just running galaxy locally out of the box in dev mode. Please can you give more precise instructions? What file(s) do I need to change and what lines should be edited with what command?
my galaxy.yml has currently:

uwsgi:
  # The address and port on which to listen.  By default, only listen to
  # localhost (galaxy will not be accessible over the network).  Use
  # ':8080' to listen on all available network interfaces.
  http: 127.0.0.1:8080

@nuwang
Member

nuwang commented Oct 17, 2019

@bifxcore If you're running a local dev instance, in general, there should be no SSL issue since local dev mode is http by default, not https. Can you provide more details?

@martenson
Member

Toolshed is on https, so when you are trying to communicate with it and are unable to verify SSL you'll get this.

@nuwang
Member

nuwang commented Oct 17, 2019

@martenson Is this a custom toolshed? The main toolshed has a valid certificate right?

@martenson
Member

iiuc this is not an issue on the server side, this is local system not being able to verify it

@dnbenso

dnbenso commented Nov 12, 2020

I know this is an old issue but thought I'd give an answer. On the client side, if you are using a Python virtualenv then you're probably using the cert located in your venv under lib/python3.6/site-packages/certifi/cacert.pem or whatever your Python version is. Otherwise you are probably using the cert in /etc/ssl/certs/ca-certificates.crt.

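#!/usr/bin/env python3
import certifi
import urllib3

# Build a pool that verifies server certificates against certifi's CA bundle.
http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED', ca_certs=certifi.where())
# Print the path of the CA bundle this Python environment is using.
print(certifi.where())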

Code might help to identify which cert you are using.
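
An added example, not part of the thread and not bioblend or ephemeris code: a diagnostic that models the CA bundle precedence of the requests library (which bioblend uses for its HTTP calls, with the session's default `trust_env`) and checks whether a bundle contains a given CA. It shows how to keep verification on for a privately signed dev instance by pointing the client at a bundle that includes the signing CA. The CA name "Internal Dev CA" and the paths in the comments and test are hypothetical.

```python
import os
import ssl


def effective_ca_bundle(verify=True, env=None, certifi_path=None):
    """Model of requests' precedence: returns (source, path) of the trust store."""
    env = os.environ if env is None else env
    if verify is False:
        return ("verification disabled", None)   # any certificate is accepted
    if isinstance(verify, str):
        return ("verify argument", verify)       # explicit bundle path wins
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return (var, env[var])
    if certifi_path is None:
        try:
            import certifi
            certifi_path = certifi.where()
        except ImportError:                      # certifi absent: OpenSSL default
            return ("OpenSSL default", ssl.get_default_verify_paths().cafile)
    return ("certifi", certifi_path)


def bundle_has_ca(path, common_name):
    """True if the PEM bundle at `path` holds a CA with this subject CN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (OSError, TypeError):                 # missing, unreadable or not PEM
        return False
    for cert in ctx.get_ca_certs():
        subject = dict(rdn[0] for rdn in cert["subject"])
        if subject.get("commonName") == common_name:
            return True
    return False


if __name__ == "__main__":
    source, path = effective_ca_bundle()
    print("trust store:", source, path)
    # "Internal Dev CA" is a hypothetical name for the CA that signed the
    # dev Galaxy certificate; substitute your own.
    print("contains dev CA:", bundle_has_ca(path, "Internal Dev CA"))
```

If the second line prints False, adding the CA to the system store alone will not help a client that resolves to the certifi bundle; exporting `REQUESTS_CA_BUNDLE` with a bundle that contains the CA changes the result of `effective_ca_bundle()` without turning verification off.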
