jupyter notebook stop SSL error

Question

I'm running a jupyter notebook inside an ubuntu 16.04 docker container, as a non-root user, with SSL configured via a .pem file. My issue is, I can't perform the jupyter notebook stop $port command to stop the running server.

I start the notebook by executing sudo HOME=/home/seiji -u seiji jupyter notebook to change the HOME environment variable (which is chown'd as seiji).

I can perform the usual jupyter notebook list command by running it as the user ( seiji ) and feeding in the JUPYTER_RUNTIME_DIR environment variable where jupyter looks for json files containing server info. For example: sudo JUPYTER_RUNTIME_DIR=/jupyter/runtime -u seiji jupyter notebook list correctly returns: https://localhost:8888/:: /jupyter/notebooks (I specify the runtime dir in the config file in the usual way).

My issue is, I can't figure out how to execute jupyter notebook stop 8888 in a similar way. If I run it as is, it runs as root and tells me There are no running servers . If I run it as user:seiji , I run into SSL issues. As in:

> sudo JUPYTER_RUNTIME_DIR=/jupyter/runtime -u seiji jupyter notebook stop 8888 

returns an error. It begins: Shutting down server on port 8888... but then prints the following:

SSL Error on 10 ('::1', 8888, 0, 0): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

My guess is that it tries a 'http' address to access the server instead of 'https', but I can't figure out how to change this.

I've also tried passing the environment variable JUPYTER_CONFIG_DIR which contains the config file listing the location of the .pem file with the line c.NotebookApp.certfile = u'/jupyter/certs/mycert.pem' . I've also tried explicitly feeding in the location of the cert when running from cmdline with --certfile=[location] but it seems this is ignored. Does anyone have any ideas?

Answer 1

This can happen if your certificate cannot be verified by whichever SSL libraries are used by Jupyter (I think the details have changed a bit over time). This is common if there certificate is self-signed - the default certificate stores may not be able to verify your issuer. I currently do something like this with my Jupyter setup script:

cat mycert.crt | openssl x509 -inform DER >> "$(python -c 'import certifi; print(certifi.where())')"

I believe if you already have the certificate in PEM form then you only need:

cat mycert.pem >> "$(python -c 'import certifi; print(certifi.where())')"

and then start it like this:

SSL_CERT_FILE=$(python -c 'import certifi; print(certifi.where())') jupyter notebook &

and stop similarly:

SSL_CERT_FILE=$(python -c 'import certifi; print(certifi.where())') jupyter notebook stop

The reason I use the certifi location and environment variable is that certifi appears to be the most-favoured package, and the environment setting appears to be respected by other libraries (including requests and built-in SSL modules).

The reason to also start the server with this updated file is so that notebooks can themselves connect to the server (eg for introspection).