https://bugzilla.wikimedia.org/show_bug.cgi?id=68794
Bug ID: 68794 Summary: pywikibot uses incorrect domain for https certificate Product: Pywikibot Version: core (2.0) Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: Unprioritized Component: General Assignee: Pywikipedia-bugs@lists.wikimedia.org Reporter: ian@iankelling.org Web browser: --- Mobile Platform: ---
Running a simple pywikibot script gives error that my server has an invalid certificate, then it retries, and seems to ignore that issue and succeeds.
In the error, it reports the certificate for a different domain that my server also hosts, probably because either 1. it is the domain used for reverse dns, or 2. it is the domain which my server redirects to for urls containing the ip address.
Pywikibot should get the certificate for the domain I configured it to use. Here is the error output.
ERROR: Traceback (most recent call last): File "/root/opt/pywikibot/pywikibot/data/api.py", line 298, in submit body=paramstring) File "/root/opt/pywikibot/pywikibot/comms/http.py", line 174, in request raise request.data CertificateHostnameMismatch: Server presented certificate that does not match host ofswiki.org: {'notAfter': 'May 23 20:21:24 2015 GMT', 'subjectAltName': (('DNS', 'www.iankelling.org'), ('DNS', 'iankelling.org')), 'subject': ((('description', u'0NEmhfbNSxh2R2RF'),), (('countryName', u'US'),), (('commonName', u'www.iankelling.org'),), (('emailAddress', u'REDACTED-AT-iankelling.org'),))}
https://bugzilla.wikimedia.org/show_bug.cgi?id=68794
John Mark Vandenberg jayvdb@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |jayvdb@gmail.com See Also| |https://bugzilla.wikimedia. | |org/show_bug.cgi?id=65189
https://bugzilla.wikimedia.org/show_bug.cgi?id=68794
John Mark Vandenberg jayvdb@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |upstream Status|UNCONFIRMED |NEW See Also| |https://github.com/jcgregor | |io/httplib2/issues/243 Ever confirmed|0 |1
--- Comment #1 from John Mark Vandenberg jayvdb@gmail.com --- I can reproduce this with a custom family file I created for ofswiki (thank you for reporting which wiki this occurred on)
The core problem is that httplib2https://github.com/jcgregorio/httplib2 complains about this.
$ python
import httplib2 httplib2.__version__
'0.9'
httplib2.Http().request('https://ofswiki.org/')
Traceback (most recent call last): File "<console>", line 1, in <module> File ".../httplib2/__init__.py", line 1593, in request (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey) File ".../httplib2/__init__.py", line 1335, in _request (response, content) = self._conn_request(conn, request_uri, method, body, headers) File ".../httplib2/__init__.py", line 1257, in _conn_request conn.connect() File ".../httplib2/__init__.py", line 1032, in connect 'host %s: %s' % (hostname, cert), hostname, cert) CertificateHostnameMismatch: Server presented certificate that does not match host ofswiki.org: {'notAfter': 'May 23 20:21:24 2015 GMT', 'subjectAltName': (('DNS', 'www.iankelling.org'), ('DNS', 'iankelling.org')), 'subject': ((('description', u'0NEmhfbNSxh2R2RF'),), (('countryName', u'US'),), (('commonName', u'www.iankelling.org'),), (('emailAddress', u'REDACTED-AT-iankelling.org'),))}
compare that with httplib2.Http().request('https://en.wikipedia.org/')
And this works like a charm:
httplib2.Http(disable_ssl_certificate_validation=True).request('https://ofswiki.org/')
The fact that it only checks the SSL certificate once is reported here:
https://github.com/jcgregorio/httplib2/issues/243
I cant quickly see an issue related to the certificate problem you are experiencing. https://github.com/jcgregorio/httplib2/issues If you can find it, or create a new issue, add it to our related URLs.
https://bugzilla.wikimedia.org/show_bug.cgi?id=68794
--- Comment #2 from Ian Kelling ian@iankelling.org --- Thank you John. I will investigate and report it upstream to httplib2 and add the bug url to the related URLs.
https://bugzilla.wikimedia.org/show_bug.cgi?id=68794
--- Comment #3 from Gerrit Notification Bot gerritadmin@wikimedia.org --- Change 160189 had a related patch set uploaded by John Vandenberg: Add ability to ignore SSL certificate errors
https://gerrit.wikimedia.org/r/160189
https://bugzilla.wikimedia.org/show_bug.cgi?id=68794
Gerrit Notification Bot gerritadmin@wikimedia.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |PATCH_TO_REVIEW
https://bugzilla.wikimedia.org/show_bug.cgi?id=68794
--- Comment #4 from Gerrit Notification Bot gerritadmin@wikimedia.org --- Change 160189 merged by jenkins-bot: Add ability to ignore SSL certificate errors
https://gerrit.wikimedia.org/r/160189
https://bugzilla.wikimedia.org/show_bug.cgi?id=68794
John Mark Vandenberg jayvdb@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|PATCH_TO_REVIEW |RESOLVED Resolution|--- |FIXED
--- Comment #5 from John Mark Vandenberg jayvdb@gmail.com --- Ian, you may now add 'def ignore_certificate_error: return True' to your family file to tell httplib2 to not verify the ssl certificate for that family. Please re-open if it doesnt work, but also drop in a note if httplib2 has fixed the problem on their side.
pywikipedia-bugs@lists.wikimedia.org