https://prefect.io logo
#prefect-community
Title
# prefect-community
p

Patrick Alves

11/01/2022, 1:45 PM
Hi there, I have a prefect orion server running in kubernetes and I am trying to deploy some flows on it from my local machine. When I run:
❯ PREFECT_API_URL=<https://prefect.xxx.xxx/api> prefect deployment ls
I am getting:
Copy code
File "/home/patrick/miniconda3/envs/prefect/lib/python3.8/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
An exception occurred.
• I've tried set envs to disable certificate verification: PYTHONHTTPSVERIFY=false • Tried to add the server certificate (*.xxx.xxx.crt) on the server copying the CRT file
/usr/local/share/ca-certificates/
and update the CA store:
sudo update-ca-certificates
Nothing works. Any tip to solve this?
Hi @Kalise Richmond Any tip how to solve this? I am lost ☹️
k

Kalise Richmond

11/01/2022, 2:30 PM
Hmm 🤔 I have not seen that issue before
👀 1
p

Patrick Alves

11/01/2022, 2:55 PM
I've disable HTTPS from ingress for now and it worked. But would be great to have a better solution
n

Nate

11/01/2022, 3:08 PM
Hi @Patrick Alves are you on osx or ubuntu (or something else)?
p

Patrick Alves

11/01/2022, 3:10 PM
Hi @Nate I am using ubuntu
n

Nate

11/01/2022, 3:22 PM
ok - personally I've seen some weird ssl issues like this on ubuntu with python 3.8 and above that I've never totally understood one thing you could try quickly is
Copy code
pip install --upgrade certifi
otherwise, I would search someplace like askubuntu - there's likely to be a solution there that'll work for you
p

Patrick Alves

11/01/2022, 3:25 PM
@Nate I've already tried
certifi
package Anyway, thanks for the help
q

Q

11/01/2022, 5:52 PM
It's unclear from the traceback what the library that causes the exception is, but prefect uses
httpx
, so you might wanna try setting
SSL_CERT_FILE
OR
SSL_CERT_DIR
instead
Tried to add the server certificate (*.xxx.xxx.crt) on the server copying the CRT file /usr/local/share/ca-certificates/ and update the CA store: sudo update-ca-certificates
IIRC neither
requests
nor
httpx
use your system ca-certs (while e.g. curl does), those libs default to using the certificate bundle distributed via
certifi
, but since
certifi
only ships public ca-certs, while your internal server's cert is likely signed by a local ca, neither
update-ca-certificates
nor updating
certifi
would help.
1
3 Views