[SSL: CERTIFICATE_VERIFY_FAILED] during "Fixing up serial ports" #74

Open
bradfaas opened this issue Mar 6, 2018 · 1 comment

bradfaas commented Mar 6, 2018

When using cot on a system with python 2.7.13 and openssl 1.1.0f-3+deb9u1 I receive the following error message when deploying a Cisco CSR1000v:
```
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
```

The appliance deploys successfully via cot / ovftool, and then cot begins the "Fixing up serial ports on deployed VM..." -- that's when the error message appears.

This same process works fine on another system with python 2.7.4 and openssl 1.0.1e. Google searches on this indicate that other python developers have hit similar snags with various combinations of python and openssl versions, although I'm not entirely clear on what the fix is. :) I don't have an option to downgrade openssl or python on the new system, so I'm hoping this is an easy code tweak...

This is the full command I'm using:
```
/usr/local/bin/cot -v -f deploy csr1000v-universalk9.16.06.01-4nics.ova.tmp.ova esxi vc1exc02m.c4e-internal.c4e.ops/Net20-EXC02m/host/MGMT-20XC2EXC02-CL1/vm01cl1vc1ag1exc02m.c4e-internal.c4e.ops -u '[email protected]' -p 'xxxxxxxx' -n "cr120XC2" -d 'EXC02_NTNX-DSF_CL1STD_1' -N "GigabitEthernet3=vl91dvs1lg1ag1EXC02m" -N "GigabitEthernet1=vl2dvs1lg1ag1EXC02m" -N "GigabitEthernet2=vl11dvs1lg1ag1EXC02m" -N "GigabitEthernet4=tr2dvs1lg1ag1_transit_vlans_EXC02m" -S "telnet://:7501,server" -o="--noSSLVerify --acceptAllEulas"
```

Any insight or suggestions are most appreciated.

@bradfaas

I did a little digging, and the problem seems to be that with whatever 'current' version of Requests / SmartConnect / openssl / etc. (again, I'm not a Python developer), the exception raised is no longer "vim.fault.HostConnectFault".

I changed "deploy_esxi.py" as follows:

OLD, starting on line 82:
```python
try:
    return super(SmarterConnection, self).__enter__()
except vim.fault.HostConnectFault as exc:
```
NEW:
```python
try:
    return super(SmarterConnection, self).__enter__()
except Exception as exc:
```

I'm sure this isn't the best way to handle, but it got around the error I was having and allowed me to deploy my appliance.
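
A narrower alternative to the `except Exception` workaround in the comment above, added here as an example and not code from COT or from the commenter: it routes only certificate-verification failures to the handler and re-raises everything else, so unrelated errors are not masked. The function names and the sample exceptions are assumptions constructed for illustration, and Python 3.7+ is assumed.

```python
import ssl

def iter_chain(exc):
    """Yield exc and every exception wrapped inside it (cause, context, args)."""
    seen, stack = set(), [exc]
    while stack:
        cur = stack.pop()
        if not isinstance(cur, BaseException) or id(cur) in seen:
            continue
        seen.add(id(cur))
        yield cur
        stack.extend([cur.__cause__, cur.__context__])
        stack.extend(a for a in cur.args if isinstance(a, BaseException))

def is_cert_verify_failure(exc):
    """True only when the failure is a TLS certificate verification error."""
    for cur in iter_chain(exc):
        if isinstance(cur, ssl.SSLCertVerificationError):
            return True
        if isinstance(cur, ssl.SSLError) and (
            getattr(cur, "reason", None) == "CERTIFICATE_VERIFY_FAILED"
            or "CERTIFICATE_VERIFY_FAILED" in str(cur)
        ):
            return True
    return False

def connect_narrowly(connect, on_cert_failure):
    """Call connect(); hand only certificate failures to on_cert_failure."""
    try:
        return connect()
    except Exception as exc:
        if is_cert_verify_failure(exc):
            return on_cert_failure(exc)
        raise  # anything else (bad credentials, DNS, bugs) stays visible

# Constructed sample errors; MSG is the message text quoted in the issue.
MSG = "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)"
SAMPLE_TLS = ssl.SSLError(1, MSG)
SAMPLE_WRAPPED = RuntimeError(SAMPLE_TLS)  # a library wrapping the TLS error
SAMPLE_OTHER = ValueError("incorrect user name or password")

def raiser(exc):
    """Build a stand-in connect() callable that raises exc (hypothetical)."""
    def connect():
        raise exc
    return connect

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_WRAPPED, SAMPLE_OTHER):
        print(type(sample).__name__, is_cert_verify_failure(sample))
```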
