Hi there I have a prefect orion server running in kubernetes Prefect Community #ask-community

Hi there, I have a prefect orion server running i...

Patrick Alves

11/01/2022, 1:45 PM

Hi there, I have a prefect orion server running in kubernetes and I am trying to deploy some flows on it from my local machine. When I run:

❯ PREFECT_API_URL=<https://prefect.xxx.xxx/api> prefect deployment ls

I am getting:

Copy code

File "/home/patrick/miniconda3/envs/prefect/lib/python3.8/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
An exception occurred.

• I've tried set envs to disable certificate verification: PYTHONHTTPSVERIFY=false • Tried to add the server certificate (*.xxx.xxx.crt) on the server copying the CRT file

/usr/local/share/ca-certificates/

and update the CA store:

sudo update-ca-certificates

Nothing works. Any tip to solve this?

Patrick Alves

11/01/2022, 2:25 PM

Hi @Kalise Richmond Any tip how to solve this? I am lost ☹️

Kalise Richmond

11/01/2022, 2:30 PM

Hmm 🤔 I have not seen that issue before

👀 1

Patrick Alves

11/01/2022, 2:55 PM

I've disable HTTPS from ingress for now and it worked. But would be great to have a better solution

Nate

11/01/2022, 3:08 PM

Hi @Patrick Alves are you on osx or ubuntu (or something else)?

Patrick Alves

11/01/2022, 3:10 PM

Hi @Nate I am using ubuntu

Nate

11/01/2022, 3:22 PM

ok - personally I've seen some weird ssl issues like this on ubuntu with python 3.8 and above that I've never totally understood one thing you could try quickly is

Copy code

pip install --upgrade certifi

otherwise, I would search someplace like askubuntu - there's likely to be a solution there that'll work for you

Patrick Alves

11/01/2022, 3:25 PM

@Nate I've already tried

certifi

package Anyway, thanks for the help

11/01/2022, 5:52 PM

It's unclear from the traceback what the library that causes the exception is, but prefect uses

httpx

, so you might wanna try setting

SSL_CERT_FILE

SSL_CERT_DIR

instead

Tried to add the server certificate (*.xxx.xxx.crt) on the server copying the CRT file /usr/local/share/ca-certificates/ and update the CA store: sudo update-ca-certificates

IIRC neither

requests

nor

httpx

use your system ca-certs (while e.g. curl does), those libs default to using the certificate bundle distributed via

certifi

, but since

certifi

only ships public ca-certs, while your internal server's cert is likely signed by a local ca, neither

update-ca-certificates

nor updating

certifi

would help.

✅ 1

4 Views

Open in Slack

Previous Next