ssl.SSLError: [SSL] PEM lib (_ssl.c:3845)

Elastic Stack Elasticsearch
1

The following function execution throws an error. The same command in bash works like a charm.

def set_kibana_password():
headers = {"Content-Type": "application/json"}
payload = {"password": os.getenv('ELASTIC_PASSWORD')}
response = requests.put(
    url='https://localhost:9200/_xpack/security/user/kibana/_password',
    auth=HTTPBasicAuth('elastic', os.getenv('ELASTIC_PASSWORD')),
    cert='/certs/ca/ca.crt',
    headers=headers,
    data=payload
)
logging.info(str(response))

The output:

DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): localhost:9200
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 344, in connect
    ssl_context=context)
  File "/usr/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 335, in ssl_wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3845)

Bash:

curl -u elastic:$ELASTIC_PASSWORD -X PUT -H 'Content-Type: application/json' \
  --cacert /certs/ca/ca.crt \
  'https://localhost:9200/_xpack/security/user/kibana/_password' \
  -d '{ "password": "$ELASTIC_PASSWORD" }'
2

Hi,

You are using a wrong parameter with python-requests. The cert parameter is for passing in a client certificate to do authentication, and when you do that you also need to pass the respective private key ( which you don't and this is why urllib3 throws an error )

What you should be passing instead is the verify parameter that controls the CA certificates that are used to verify the server certificates and is the logical equivalent of using --cacert in curl. See https://requests.kennethreitz.org/en/master/user/advanced/#ssl-cert-verification for more details.

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.