How to Fix the Side Effect caused by New SSL Cert on HydroShare
Source: www.hydroshare.org; published 2021-03-18; indexed 2025-03-26
Resource link: https://www.hydroshare.org/resource/e2f179ae60294aa592b67bbf845fc380
Resource description:
Revisions:
March 18, 2021; Zhiyu/Drew Li; zhiyul@illinois.edu
Symptoms:
Jupyter Hub fails in OAuth handshaking with HydroShare
“HTTP 599: server certificate verification failed. CAfile: none CRLfile: none”
hs_restclient fails to authenticate
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.hydroshare.org', port=443): Max retries exceeded with url: /hsapi/userInfo/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))
Cause:
HydroShare deployed a new SSL cert on March 17, 2021. It is issued by a new CA that is NOT included in the latest “ca-certificates” package (CA bundle) on Ubuntu 18.04 and 20.04 as of this writing (other Linux distributions may also be affected).
Remedy:
Manually add this new CA into the CA Bundle on all clients that might need to talk to HydroShare.
Download the new CA cert:
Go to HydroShare keybase and download: star_hydroshare_org_124173627DigiCertCA.crt
Go to https://www.digicert.com/kb/digicert-root-certificates.htm, search for “GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1” and download PEM format.
For Hub Dockerfile:
USER root
# get latest ca-bundle
RUN apt-get update && apt-get install -y ca-certificates
# load hydroshare new ca to image
COPY ./star_hydroshare_org_124173627DigiCertCA.crt /usr/local/share/ca-certificates/star_hydroshare_org_124173627DigiCertCA.crt
# update ca-bundle
RUN update-ca-certificates
For different conda envs in Dockerfile:
# Append new HydroShare CA to cacert.pem in the base conda env
# (read it from the path the COPY step above placed it at: inside a RUN step,
# ./ refers to the image's working directory, not to the build context)
RUN cat /usr/local/share/ca-certificates/star_hydroshare_org_124173627DigiCertCA.crt >> /opt/conda/lib/python<VERSION>/site-packages/certifi/cacert.pem
# Append new HydroShare CA to a user-created conda env
RUN cat /usr/local/share/ca-certificates/star_hydroshare_org_124173627DigiCertCA.crt >> /opt/conda/envs/<ENV_NAME>/lib/python<VERSION>/site-packages/certifi/cacert.pem
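The `cat >> cacert.pem` lines above do the job, but they trust whatever file happens to be on disk and they duplicate the certificate every time they are re-run against an existing environment. As an added example (not code from the HydroShare write-up), the script below performs the same append into a PEM bundle while pinning the downloaded CA to an expected SHA-256 fingerprint and skipping the append when that certificate is already present. Function names (`merge_ca`, `certificates_in`, `sha256_fingerprint`) and the sample "certificates" are my own; the sample bytes are constructed placeholders for DER data so the script runs offline, not real certificates.

```python
# Added example: fingerprint-pinned, idempotent merge of a CA certificate into a
# PEM bundle such as certifi's cacert.pem or an /etc/ssl bundle. Standard library only.
import base64
import hashlib
import re
from pathlib import Path

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 over the DER bytes, the same value that
    `openssl x509 -noout -fingerprint -sha256` prints for a certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificates_in(pem_text: str) -> list[tuple[str, str]]:
    """Every certificate block in a PEM bundle as (block_text, fingerprint)."""
    result = []
    for match in _PEM_CERT.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        result.append((match.group(0), sha256_fingerprint(der)))
    return result


def _normalize(fp: str) -> str:
    return fp.replace(":", "").upper()


def merge_ca(bundle_text: str, ca_pem: str, expected_fingerprint: str) -> tuple[str, str]:
    """Return (new_bundle_text, status); status is 'added' or 'present'.
    Raises ValueError if the CA file does not hold exactly one certificate or its
    fingerprint differs from the pinned one, so a swapped or corrupted download
    never lands in the trust store."""
    certs = certificates_in(ca_pem)
    if len(certs) != 1:
        raise ValueError(f"CA file must hold exactly one certificate, found {len(certs)}")
    block, actual = certs[0]
    if _normalize(actual) != _normalize(expected_fingerprint):
        raise ValueError(f"fingerprint mismatch: expected {expected_fingerprint}, got {actual}")
    if actual in {fp for _, fp in certificates_in(bundle_text)}:
        return bundle_text, "present"
    separator = "" if bundle_text == "" or bundle_text.endswith("\n") else "\n"
    return bundle_text + separator + block + "\n", "added"


def merge_ca_file(bundle_path: str, ca_path: str, expected_fingerprint: str) -> str:
    """File-based wrapper: rewrites the bundle in place and returns the status."""
    bundle = Path(bundle_path)
    existing = bundle.read_text() if bundle.exists() else ""
    updated, status = merge_ca(existing, Path(ca_path).read_text(), expected_fingerprint)
    if status == "added":
        bundle.write_text(updated)
    return status


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (64-column base64, as tools emit it)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


# Constructed sample data: these bytes stand in for DER-encoded certificates so the
# example runs offline. They are not real certificates.
SAMPLE_BUNDLE_DER = b"constructed-existing-root-ca" + bytes(range(40))
SAMPLE_NEW_CA_DER = b"constructed-new-intermediate-ca" + bytes(range(40, 80))
SAMPLE_BUNDLE = to_pem(SAMPLE_BUNDLE_DER) + "\n"
SAMPLE_NEW_CA = to_pem(SAMPLE_NEW_CA_DER)
SAMPLE_NEW_CA_FP = sha256_fingerprint(SAMPLE_NEW_CA_DER)


if __name__ == "__main__":
    bundle, status = merge_ca(SAMPLE_BUNDLE, SAMPLE_NEW_CA, SAMPLE_NEW_CA_FP)
    print(status, len(certificates_in(bundle)))  # added 2
    bundle, status = merge_ca(bundle, SAMPLE_NEW_CA, SAMPLE_NEW_CA_FP)
    print(status, len(certificates_in(bundle)))  # present 2
    try:  # a wrong pin is refused rather than silently trusted
        merge_ca(bundle, SAMPLE_NEW_CA, "00:" * 31 + "00")
    except ValueError as err:
        print("rejected:", err)
```

Obtain the expected fingerprint out of band, on a machine you already trust, with `openssl x509 -noout -fingerprint -sha256 -in star_hydroshare_org_124173627DigiCertCA.crt`, and locate certifi's bundle with `python -c "import certifi; print(certifi.where())"` rather than hard-coding the `python<VERSION>` path. If you would rather not modify files under site-packages at all, `requests` honours the `REQUESTS_CA_BUNDLE` environment variable (and OpenSSL-based clients honour `SSL_CERT_FILE`), so pointing them at the system bundle that `update-ca-certificates` produces (`/etc/ssl/certs/ca-certificates.crt` on Ubuntu) achieves the same result with a single trust store to maintain.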
References:
https://incognitjoe.github.io/adding-certs-to-requests.html
https://www.techrepublic.com/article/how-to-install-ca-certificates-in-ubuntu-server/
Provider: www.hydroshare.org