ssl error when connecting self-signed url (happened right after client >= 4.7.0) #1226

Open
Alansyf opened this issue Jul 30, 2024 · 1 comment
Labels
bug Something isn't working

Comments


Alansyf commented Jul 30, 2024

Our Weaviate DB is exposed with nginx ingress; the site https://myweb.com is a company self-signed URL.
To access it, we use the following piece of code, and it was working fine until 4.6.7.

```python
import os

import weaviate

# Point both gRPC and Python's ssl module at the company CA certificate.
os.environ["GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"] = "/home/jovyan/cert.crt"
os.environ["SSL_CERT_FILE"] = "/home/jovyan/cert.crt"

# id_token (the API key) is defined elsewhere; it is not shown in the post.
client = weaviate.connect_to_custom(
    http_host="myweb.com",
    http_port=443,
    http_secure=True,
    grpc_host="myweb.com",
    grpc_port=443,
    grpc_secure=True,
    auth_credentials=weaviate.auth.AuthApiKey(id_token),
    additional_config=weaviate.config.AdditionalConfig(
        startup_period=10,
        timeout=(5, 15),
    ),
)
client.connect()
```

When we use 4.7.0, it breaks; it always says:

```
File /opt/conda/lib/python3.11/site-packages/anyio/streams/tls.py:133, in TLSStream._call_sslobject_method(self, func, *args)
    131 while True:
    132     try:
--> 133         result = func(*args)
    134     except ssl.SSLWantReadError:
    135         try:
    136             # Flush any pending writes first

File /opt/conda/lib/python3.11/ssl.py:979, in SSLObject.do_handshake(self)
    977 def do_handshake(self):
    978     """Start the SSL/TLS handshake."""
--> 979     self._sslobj.do_handshake()

SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)
```

We have to use fixed version 4.6.7, can you help check here?

Contributor

tsmith023 commented Jul 30, 2024

Hi @Alansyf, it would seem that there is a subtle change in how the underlying grpc C implementation handles SSL certificates between the sync (grpc) and async (grpc.aio) modules.
Now that the connection used by the client is fully async, this issue is raising its head!

I think the general solution here, from researching others' issues, is to allow users to specify the SSL certs in their client configuration. The client will then handle piping these to the respective httpx and grpc.aio connections. I will look into this in the coming days and release a patch fix once complete! Thanks for the report 😁

tsmith023 added the bug (Something isn't working) label Jul 30, 2024
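The approach described in the reply above, handing the private CA certificate explicitly to both the httpx and grpc.aio connections instead of relying on environment variables, sketched as an added example (it is not weaviate-client code and not the eventual patch). The function names are hypothetical; `httpx.AsyncClient(verify=...)`, `grpc.ssl_channel_credentials(root_certificates=...)` and `grpc.aio.secure_channel(...)` are those libraries' existing parameters.

```python
import ssl

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def read_ca_bundle(path):
    """Read a PEM CA bundle and return (pem_bytes, certificate_count)."""
    with open(path, "rb") as fh:
        pem = fh.read()
    count = pem.count(PEM_MARKER)
    if count == 0:
        # A DER file or an empty bundle would otherwise only surface later
        # as an opaque CERTIFICATE_VERIFY_FAILED during the handshake.
        raise ValueError(f"{path}: no PEM certificate found")
    return pem, count


def verifying_context(ca_path):
    """TLS client context that trusts only the certificates in ca_path.

    Verification stays enabled: CERT_REQUIRED plus hostname checking.
    """
    read_ca_bundle(ca_path)  # fail early with a readable error
    # With cafile given, the system trust store is not loaded in addition.
    ctx = ssl.create_default_context(cafile=ca_path)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("certificate verification is not enforced")
    return ctx


def make_http_client(ca_path):
    """httpx client for the REST side, verifying against the private CA."""
    import httpx  # third-party, imported lazily

    return httpx.AsyncClient(verify=verifying_context(ca_path))


def make_grpc_channel(target, ca_path):
    """grpc.aio channel for the gRPC side, using the same CA bundle."""
    import grpc  # third-party (grpcio), imported lazily

    pem, _ = read_ca_bundle(ca_path)
    creds = grpc.ssl_channel_credentials(root_certificates=pem)
    return grpc.aio.secure_channel(target, creds)
```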