[英]AWS IOT Data: CERTIFICATE_VERIFY_FAILED
I run test scripts for AWS IOT in a bitbucket pipeline using python + boto3我使用 python + boto3 在 bitbucket 管道中运行 AWS IOT 的测试脚本
It worked fine until recently, now i get the following error:直到最近它工作正常,现在我收到以下错误:
Traceback (most recent call last):
File "/localDebugRepo/tests/aws/test_iot_api.py", line 119, in test_set_get_owner
self.iot_util.set_owner(owner, self.test_thing)
File "/localDebugRepo/aws/iot_api.py", line 176, in set_owner
self.iot_data.update_thing_shadow(thingName=thing, payload=payload)
File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 663, in _make_api_call
operation_model, request_dict, request_context)
File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 682, in _make_request
return self._endpoint.make_request(operation_model, request_dict)
File "/usr/local/lib/python3.6/site-packages/botocore/endpoint.py", line 102, in make_request
return self._send_request(request_dict, operation_model)
File "/usr/local/lib/python3.6/site-packages/botocore/endpoint.py", line 137, in _send_request
success_response, exception):
File "/usr/local/lib/python3.6/site-packages/botocore/endpoint.py", line 256, in _needs_retry
caught_exception=caught_exception, request_dict=request_dict)
File "/usr/local/lib/python3.6/site-packages/botocore/hooks.py", line 356, in emit
return self._emitter.emit(aliased_event_name, **kwargs)
File "/usr/local/lib/python3.6/site-packages/botocore/hooks.py", line 228, in emit
return self._emit(event_name, kwargs)
File "/usr/local/lib/python3.6/site-packages/botocore/hooks.py", line 211, in _emit
response = handler(**kwargs)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 183, in __call__
if self._checker(attempts, response, caught_exception):
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 251, in __call__
caught_exception)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 277, in _should_retry
return self._checker(attempt_number, response, caught_exception)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 317, in __call__
caught_exception)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 223, in __call__
attempt_number, caught_exception)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
raise caught_exception
File "/usr/local/lib/python3.6/site-packages/botocore/endpoint.py", line 200, in _do_get_response
http_response = self._send(request)
File "/usr/local/lib/python3.6/site-packages/botocore/endpoint.py", line 269, in _send
return self.http_session.send(request)
File "/usr/local/lib/python3.6/site-packages/botocore/httpsession.py", line 281, in send
raise SSLError(endpoint_url=request.url, error=e)
botocore.exceptions.SSLError: SSL validation failed for https://data.iot.eu-central-1.amazonaws.com/things/thing-unittest/shadow [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)
While I cannot reproduce this on my local system, reproducing the error with the default python:3.6.4 docker image is successful indicating that there might be an invalid certificate.虽然我无法在我的本地系统上重现此错误,但使用默认 python:3.6.4 docker 图像重现错误成功表明可能存在无效证书。
Intrestingly, running the following command in pipeline is succesfull: openssl s_client -connect data.iot.eu-central-1.amazonaws.com:443有趣的是,在管道中运行以下命令是成功的:openssl s_client -connect data.iot.eu-central-1.amazonaws.com:443
root@f30a34330be5:/localDebugRepo# openssl s_client -connect data.iot.eu-central-1.amazonaws.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.iot.eu-central-1.amazonaws.com
verify return:1
140686038922896:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.eu-central-1.amazonaws.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
any advice on how can i debug this further would be greatly apreciated任何关于我如何进一步调试它的建议将不胜感激
It would appear that AWS has bad certs for the last several hours.在过去的几个小时里,AWS 的证书似乎很糟糕。 I do not subscribe to a support tier, so I don't know how to tell them.我没有订阅支持层,所以我不知道如何告诉他们。 I am getting the same problem;我遇到了同样的问题; boto3 reports that bad cert (which you can verify in a browser). boto3 报告错误的证书(您可以在浏览器中验证)。
All of my IoT functions are affected, though if I run it locally (not as a lambda), it seems to work.我的所有物联网功能都会受到影响,但如果我在本地运行它(而不是作为 lambda),它似乎可以工作。
Perhaps someone has a way to tell Amazon their little problem?也许有人有办法告诉亚马逊他们的小问题?
Edit:编辑:
See: https://forums.aws.amazon.com/thread.jspa?messageID=967311󬊏 and https://github.com/boto/boto3/issues/2686 for the fix.有关修复,请参阅: https://forums.aws.amazon.com/thread.jspa?messageID=967311󬊏和https://github.com/boto/boto3/issues/2686 。 You shouldn't use the defaults for creating your dataplane client, because certifi (python) has been fixed to ignore the Symantec CA for the URL, and Amazon isn't going to fix it.您不应该使用默认值来创建数据平面客户端,因为 certifi (python) 已修复为忽略 URL 的 Symantec CA,而 Amazon 不会修复它。
The solution pointed out by Eric Lyons did not worked for me directly. Eric Lyons指出的解决方案并没有直接为我工作。 The problem was with the endpoint provided by:问题出在以下提供的端点上:
iot_client = boto3.client("iot", region_name=os.getenv("IOT_REGION"))
iot_client.describe_endpoint(endpointType="iot:Data-ATS").get("endpointAddress")
It fails during authentication:它在身份验证期间失败:
I fixed it by getting the endpoint directly from the IOT-Core settings page:我通过直接从 IOT-Core 设置页面获取端点来修复它:
client('iot-data',
aws_access_key_id = '<MY ACCESS KEY>',
aws_secret_access_key = '<MY ACCESS SECRET KEY>',
endpoint_url = '<MY ENDPOINT>');
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.