Patrick Alves

11/01/2022, 1:45 PM
Hi there, I have a prefect orion server running in kubernetes and I am trying to deploy some flows on it from my local machine. When I run:
❯ PREFECT_API_URL=https://prefect.xxx.xxx/api prefect deployment ls
I am getting:
File "/home/patrick/miniconda3/envs/prefect/lib/python3.8/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
An exception occurred.
• I've tried setting envs to disable certificate verification: PYTHONHTTPSVERIFY=false
• Tried to add the server certificate (*.xxx.xxx.crt) on the server copying the CRT file /usr/local/share/ca-certificates/ and update the CA store: sudo update-ca-certificates
Nothing works. Any tip to solve this?
Hi @Kalise Richmond Any tip how to solve this? I am lost ☹️

Kalise Richmond

11/01/2022, 2:30 PM
Hmm 🤔 I have not seen that issue before

Patrick Alves

11/01/2022, 2:55 PM
I've disabled HTTPS from ingress for now and it worked. But it would be great to have a better solution

Nate

11/01/2022, 3:08 PM
Hi @Patrick Alves are you on osx or ubuntu (or something else)?

Patrick Alves

11/01/2022, 3:10 PM
Hi @Nate I am using ubuntu

Nate

11/01/2022, 3:22 PM
ok - personally I've seen some weird ssl issues like this on ubuntu with python 3.8 and above that I've never totally understood
one thing you could try quickly is
pip install --upgrade certifi
otherwise, I would search someplace like askubuntu - there's likely to be a solution there that'll work for you

Patrick Alves

11/01/2022, 3:25 PM
@Nate I've already tried certifi package
Anyway, thanks for the help

Q

11/01/2022, 5:52 PM
It's unclear from the traceback what the library that causes the exception is, but prefect uses httpx, so you might wanna try setting SSL_CERT_FILE OR SSL_CERT_DIR instead
> Tried to add the server certificate (*.xxx.xxx.crt) on the server copying the CRT file /usr/local/share/ca-certificates/ and update the CA store: sudo update-ca-certificates
IIRC neither requests nor httpx use your system ca-certs (while e.g. curl does), those libs default to using the certificate bundle distributed via certifi, but since certifi only ships public ca-certs, while your internal server's cert is likely signed by a local ca, neither update-ca-certificates nor updating certifi would help.