
pywikibot uses incorrect domain for https certificate
Closed, Resolved | Public

Description

Author: ian

Description:
Running a simple pywikibot script gives an error that my server has an invalid certificate, then it retries, and seems to ignore that issue and succeeds.

In the error, it reports the certificate for a different domain that my server also hosts, probably because either 1. it is the domain used for reverse DNS, or 2. it is the domain which my server redirects to for URLs containing the IP address.

Pywikibot should get the certificate for the domain I configured it to use. Here is the error output.

ERROR: Traceback (most recent call last):

File "/root/opt/pywikibot/pywikibot/data/api.py", line 298, in submit
  body=paramstring)
File "/root/opt/pywikibot/pywikibot/comms/http.py", line 174, in request
  raise request.data

CertificateHostnameMismatch: Server presented certificate that does not match host ofswiki.org: {'notAfter': 'May 23 20:21:24 2015 GMT', 'subjectAltName': (('DNS', 'www.iankelling.org'), ('DNS', 'iankelling.org')), 'subject': ((('description', u'0NEmhfbNSxh2R2RF'),), (('countryName', u'US'),), (('commonName', u'www.iankelling.org'),), (('emailAddress', u'REDACTED-AT-iankelling.org'),))}


Version: core-(2.0)
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=65189
https://github.com/jcgregorio/httplib2/issues/243

Details

Reference
bz68794

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:31 AM
bzimport set Reference to bz68794.
bzimport added a subscriber: Unknown Object (????).

I can reproduce this with a custom family file I created for ofswiki (thank you for reporting which wiki this occurred on)

The core problem is that httplib2 (https://github.com/jcgregorio/httplib2) complains about this.

$ python
>>> import httplib2
>>> httplib2.__version__
'0.9'
>>> httplib2.Http().request('https://ofswiki.org/')

Traceback (most recent call last):

File "<console>", line 1, in <module>
File ".../httplib2/__init__.py", line 1593, in request
  (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File ".../httplib2/__init__.py", line 1335, in _request
  (response, content) = self._conn_request(conn, request_uri, method, body, headers)
File ".../httplib2/__init__.py", line 1257, in _conn_request
  conn.connect()
File ".../httplib2/__init__.py", line 1032, in connect
  'host %s: %s' % (hostname, cert), hostname, cert)

CertificateHostnameMismatch: Server presented certificate that does not match host ofswiki.org: {'notAfter': 'May 23 20:21:24 2015 GMT', 'subjectAltName': (('DNS', 'www.iankelling.org'), ('DNS', 'iankelling.org')), 'subject': ((('description', u'0NEmhfbNSxh2R2RF'),), (('countryName', u'US'),), (('commonName', u'www.iankelling.org'),), (('emailAddress', u'REDACTED-AT-iankelling.org'),))}

Compare that with httplib2.Http().request('https://en.wikipedia.org/')

And this works like a charm:

httplib2.Http(disable_ssl_certificate_validation=True).request('https://ofswiki.org/')

The fact that it only checks the SSL certificate once is reported here:

https://github.com/jcgregorio/httplib2/issues/243

I can't quickly see an issue related to the certificate problem you are experiencing.
https://github.com/jcgregorio/httplib2/issues
If you can find it, or create a new issue, add it to our related URLs.
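
The mismatch httplib2 reports above can be reproduced offline from the certificate dict in the error, which shows exactly which names the server offered for ofswiki.org. This is an added example, not code from pywikibot or httplib2; the helper names are hypothetical and the matching rules are a simplified form of RFC 6125 (SAN DNS entries before commonName, wildcard only as the whole left-most label).

```python
# Added example: hostname check over a getpeercert()-style dict.
# Helper names (dns_names, label_match, cert_matches, explain) are hypothetical.

# Fields copied from the certificate dict in the error above; other fields omitted.
PRESENTED_CERT = {
    'subjectAltName': (('DNS', 'www.iankelling.org'), ('DNS', 'iankelling.org')),
    'subject': ((('countryName', 'US'),), (('commonName', 'www.iankelling.org'),)),
}


def dns_names(cert):
    """Names a client may match: SAN DNS entries, with commonName used
    only as a fallback when the certificate has no SAN DNS entry."""
    sans = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if sans:
        return sans
    return [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']


def label_match(pattern, host):
    """Case-insensitive match; '*' counts only as the entire left-most label
    and never directly above a top-level domain ('*.org' is rejected)."""
    p = pattern.lower().rstrip('.').split('.')
    h = host.lower().rstrip('.').split('.')
    if len(p) != len(h):
        return False
    if p[0] == '*' and len(p) > 2:
        return h[0] != '' and p[1:] == h[1:]
    return p == h


def cert_matches(cert, host):
    return any(label_match(name, host) for name in dns_names(cert))


def explain(cert, host):
    """One-line diagnosis suitable for a log message."""
    if cert_matches(cert, host):
        return 'ok: %s is covered by the certificate' % host
    return 'mismatch: asked for %s, certificate covers %s' % (
        host, ', '.join(dns_names(cert)))


if __name__ == '__main__':
    for h in ('ofswiki.org', 'iankelling.org', 'www.iankelling.org'):
        print(explain(PRESENTED_CERT, h))
```

A mismatch line naming a sibling site, as here, means the server answered with another virtual host's certificate, which is a server-side configuration finding rather than a reason to turn validation off globally.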

ian wrote:

Thank you John. I will investigate and report it upstream to httplib2 and add the bug url to the related URLs.

Change 160189 had a related patch set uploaded by John Vandenberg:
Add ability to ignore SSL certificate errors

https://gerrit.wikimedia.org/r/160189

Change 160189 merged by jenkins-bot:
Add ability to ignore SSL certificate errors

https://gerrit.wikimedia.org/r/160189

Ian, you may now add 'def ignore_certificate_error: return True' to your family file to tell httplib2 to not verify the SSL certificate for that family. Please re-open if it doesn't work, but also drop in a note if httplib2 has fixed the problem on their side.