CERTIFICATE_VERIFY_FAILED requests.session() get request - python-2.7

I am trying to get the contents of a page where only https urls work and it does not have a valid certificate.
import requests
session_requests = requests.session()
result = session_requests.get("some https url")
I am getting the following error:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
However, if I use this:
requests.get('https://url.retail.publishedprices.co.il/login', verify=False)
It works, but I need to do the same kind of thing with requests.session() since I am logging in.

If you look at the SSLLabs report for this site you will find out that there are several things wrong:
The name in the certificate does not match the name given in the URL. If you try to access this site with a browser you get an error message too.
The trust chain is incomplete and thus cannot be validated. Some browsers might try to download the missing intermediate certificate but others will simply fail here too.
Instead of trying to work around this broken setup, I recommend contacting the ones who set up the site so that these serious issues get fixed. After the fixes no workarounds in your script are needed.
Also, I don't consider disabling the validation an acceptable workaround in this situation. This is a publicly accessible site which asks for sensitive data (at least username and password). And this site is explicitly enforcing https.
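Keeping verification on for the whole login flow, as an added example that is not code from the question or the answer above: a requests.Session whose verify is set once, at session level, to a PEM bundle holding the site's issuing chain (the client-side repair for a chain the server fails to send), plus a classifier that maps the SSLError text to the two problems the answer names. Written for Python 3 and a current requests; the bundle path, the login URL and the form field names are assumptions.

```python
import os
import requests


def make_session(ca_bundle=None):
    """Build a requests.Session that keeps TLS verification enabled.

    ca_bundle: optional path to a PEM file holding the CA and the intermediate
    certificates the server fails to send. An incomplete chain is repaired by
    trusting the issuing chain, not by turning verification off. Setting
    session.verify once applies to every request made through the session,
    which is what a login-then-browse flow needs.
    """
    session = requests.Session()
    if ca_bundle is not None:
        if not os.path.isfile(ca_bundle):
            raise FileNotFoundError("CA bundle not found: %s" % ca_bundle)
        session.verify = ca_bundle
    # Never session.verify = False: that also disables hostname checking, so a
    # certificate from anyone on the network path would be accepted.
    return session


def classify_ssl_error(message):
    """Map an SSLError message to the two findings from the SSLLabs report.

    The substrings are the ones Python/OpenSSL put in the exception text
    (older and newer Python versions word the hostname failure differently).
    """
    m = message.lower()
    if "doesn't match" in m or "hostname mismatch" in m:
        return "name-mismatch"        # certificate was issued for another name
    if "certificate_verify_failed" in m or "unable to get local issuer" in m:
        return "untrusted-chain"      # chain does not lead to a trusted root
    return "other"


def login(session, login_url, username, password):
    """POST credentials through the verified session; explain TLS failures."""
    try:
        resp = session.post(
            login_url,
            data={"username": username, "password": password},  # assumed field names
            timeout=10,
        )
    except requests.exceptions.SSLError as exc:
        kind = classify_ssl_error(str(exc))
        raise RuntimeError(
            "TLS verification failed (%s); fix the server certificate or pass "
            "its issuing chain via make_session(ca_bundle=...)" % kind
        ) from exc
    resp.raise_for_status()
    return resp
```

A name mismatch cannot be fixed with a bundle at all: the certificate is simply for a different host, and the only correct fix is on the server side, as the answer says.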

Related

Error "INCORRECT_PASSWORD" in postman console on sending request with Client Certificate

I am consuming PCC API, There are two way by using different URLs:
https://connect.pointclickcare.com/auth/token
https://connect2.pointclickcare.com/auth/token
Both use the same header and body except for one thing: the 2nd URL needs two-way SSL authentication.
I am able to consume with 1st URL.
Now I added a client certificate to try to consume the 2nd URL; however, I am facing an error and also two fewer values are being sent in the header (the same request parameters are being used, I only change the URL for both requests).
Error: INCORRECT_PASSWORD
Screenshot is attached.
I finally found the problem: the passphrase was not added for the client certificate being sent with the HTTP request. So I added it with the passphrase and now it works fine.
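The same fix outside Postman, as an added example that is not from the post: requests has no parameter for an encrypted client key, so the key is loaded with its passphrase into an ssl.SSLContext and that context is mounted through an HTTPAdapter subclass. The adapter class, the file paths, the PassphraseRequired error and the token call are assumptions; server verification stays on.

```python
import os
import ssl
import requests
from requests.adapters import HTTPAdapter


class PassphraseRequired(ValueError):
    """Raised when an encrypted private key is loaded without its passphrase."""


def _no_passphrase():
    # OpenSSL calls this only if the key is encrypted. Raising here is the
    # equivalent of the Postman failure above, minus the interactive prompt
    # OpenSSL would otherwise fall back to.
    raise PassphraseRequired("client key is encrypted; pass its passphrase")


def build_client_context(cert_path, key_path, passphrase=None):
    """SSLContext carrying the client identity, with server verification kept on."""
    for path in (cert_path, key_path):
        if not os.path.isfile(path):
            raise FileNotFoundError(path)
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname for the server
    ctx.load_cert_chain(
        certfile=cert_path,
        keyfile=key_path,
        password=passphrase if passphrase is not None else _no_passphrase,
    )
    return ctx


class ClientCertAdapter(HTTPAdapter):
    """HTTPAdapter that hands the prepared SSLContext to urllib3's pool manager."""

    def __init__(self, ssl_context, **kwargs):
        self._ssl_context = ssl_context       # must exist before init_poolmanager runs
        super().__init__(**kwargs)

    def init_poolmanager(self, *args, **kwargs):
        kwargs["ssl_context"] = self._ssl_context
        return super().init_poolmanager(*args, **kwargs)

    def proxy_manager_for(self, *args, **kwargs):
        kwargs["ssl_context"] = self._ssl_context
        return super().proxy_manager_for(*args, **kwargs)


def mtls_session(cert_path, key_path, passphrase=None):
    """requests.Session that presents the client certificate on every https request."""
    session = requests.Session()
    session.mount("https://", ClientCertAdapter(build_client_context(cert_path, key_path, passphrase)))
    return session


def fetch_token(session, token_url, body, headers):
    """Request the token; a failed mTLS handshake surfaces as requests.exceptions.SSLError."""
    resp = session.post(token_url, data=body, headers=headers, timeout=15)
    resp.raise_for_status()
    return resp.json()
```

Usage: session = mtls_session("client.crt", "client.key", passphrase="...") and then fetch_token(session, "https://connect2.pointclickcare.com/auth/token", body, headers). Keep the passphrase out of source; read it from a secret store or an environment variable.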

The page at https://lyrics-chords.herokuapp.com/ was not allowed to display insecure content from http://localhost:8000/auth/user

I've just finished creating a Django-React app and have pushed the changes to Heroku. The frontend (JS and CSS) appears on the website no problem, but requests to the backend result in the following error:
[blocked] The page at https://lyrics-chords.herokuapp.com/ was not allowed to display insecure content from http://localhost:8000/auth/user
I've consulted the Internet but no one seems to be getting the same error message. Consulting a friend, it seems as if I have to https-secure my backend, and further researching the subject, it seems that there is no free way to upload an SSL/TLS certificate (reference: heroku: set SSL certificates on Free Plan?). Is there a solution to this?
Silly me, really. Turns out, localhost:8000 refers to the computer of the user. https://lyrics-chords.herokuapp.com/ is the server for both the backend and frontend, so updating the backend URL calls sufficed.

Getting "Can't verify CSRF token authenticity" error on Chrome. Works fine on Safari

I get the error on any POST requests (for logging in, or posting data through forms) using Chrome browser. You can try it out at http://52.xx.xx.xxx/users/login. Just use any username / password - should give you:
The change you wanted was rejected.
Here is a snippet of the error from the logs:
W, [2017-07-10T08:40:16.486974 #11349] WARN -- : Can't verify CSRF token authenticity
I, [2017-07-10T08:40:16.487259 #11349] INFO -- : Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
D, [2017-07-10T08:40:16.487526 #11349] DEBUG -- : User excluded error: #<ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken>
The exact same login request, or other post requests go through on Safari. The site has a self signed certificate. So, I've changed Chrome settings to trust the certificate and accept cookies.
Please suggest what else I should look for and what other logs might be helpful in debugging the issue. I've looked at quite a few SO threads over the past 2 days and couldn't find anything that solved my issue.
Edit:
Removed the IP address to prevent unnecessary traffic to the site.
So I got around the problem by using https instead of http at the start of the URL. As expected, Chrome throws up the security-related warnings, but adding an exception allows POST requests to go through without errors.
Safari was somehow able to redirect my requests (with http or nothing at all) to https, because of which it was working. Tried with http on Safari and ended up with the same issue.
Marking this as solved, since the original observation doesn't hold anymore. I need to figure out how to make the http and non-http requests redirect to https on my nginx backend and that should fix the issue.

API Console Issue

I've been using WSO2 API Manager 1.9.1 for the past month on a static IP and we liked it enough to put it on Azure behind a fully qualified domain name. As we are still only using it for internal purposes, we shut the VM down during off hours to save money. Our Azure setup does not guarantee the same IP address each time the VM restarts. The FQDN allows us to always reach https://api.mydomain.com regardless of what happens with the VM IP.
I updated the appropriate config files to the FQDN and everything seems to be working well. However! The one issue I have and cannot seem to resolve is calling APIs from the API console. No matter what I do, I get a response as below
Response Body
no content
Response Code
0
Response Headers
{
"error": "no response from server"
}
Mysteriously, I can successfully make the same calls from command line or SOAPUI. So it's something unique about the API Console. I can't seem to find anything useful in the logs or googling. I do see a recurring error but it's not very clear or even complete (seems to cut off).
[2015-11-17 21:33:21,768] ERROR - AsyncDataPublisher Reconnection failed for
Happy to provide further inputs / info. Any suggestions on root cause or where to look is appreciated. Thanks in advance for your help!
Edit#1 - adding screenshots from chrome
The API Console may not be giving you a response due to the following issues:
If you are using https, you have to type the gateway URL in the browser and accept it before invoking the API from the API Console (in this case there is no signed certificate in the gateway).
A CORS issue, which may be due to your domain not being in the allowed origins of the OPTIONS response.
If you create an API which has an https backend, you have to import the endpoint's SSL certificate into client-truststore.jks.

Cubesviewer configuration for proper authentication

I'm trying to configure cubesviewer and try out the setup.
I've got the app installed running, along with cubes slicer app too.
However, when I visit the home page
http://127.0.0.1:8000/cubesviewer/
it fails popping up an error "Error occurred while accessing the data server"
Debugging with the browser console, shows a http status 403 error with the url http://localhost:8000/cubesviewer/view/list/
After some googling and reading, I figured I'll need to add rest frame auth settings. (as mentioned here.).
Now after running migrate and runserver, I get 401 error on that url.
Clearly I'm missing something with settings.py , Can somebody help me out.
I'm using the cubesviewer tag v0.10 from the github repo.
And find my settings here. http://dpaste.com/2G5VB5K
P.S: I've verified Cubes slicer works separately on its own.
I have reproduced this. This error may occur when you use different URLs to access a website and to access related resources. For security reasons, browsers only allow access to resources from exactly the same host as the page you are viewing.
Seems you are accessing the app via http://127.0.0.1:8000, but you have configured CubesViewer to tell clients to access the data backend via http://localhost:8000. While it's the same IP address, they are different strings.
Try accessing the app as http://localhost:8000.
If you deploy to a different server, you need to adjust settings. Here are the relevant configuration options, now with more comments:
# Base Cubes Server URL.
# Your Cubes Server needs to be running and listening on this URL, and it needs
# to be accessible to clients of the application.
CUBESVIEWER_CUBES_URL="http://localhost:5000"
# CubesViewer Store backend URL. It should point to this application.
# Note that this must match the URL that you use to access the application,
# otherwise you may hit security issues. If you access your server
# via http://localhost:8000, use the same here. Note that 127.0.0.1 and
# 'localhost' are different strings for this purpose. (If you wish to accept
# requests from different URLs, you may need to add CORS support).
CUBESVIEWER_BACKEND_URL="http://localhost:8000/cubesviewer"
Alternatively, you could change CUBESVIEWER_BACKEND_URL to "http://127.0.0.1:8000/cubesviewer", but I recommend using hostnames and not IP addresses for this.
Finally, I haven't yet tested with CORS support, but check this pull request if you wish to try that approach.
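Both the WSO2 answer's CORS point and the CubesViewer answer above come down to the same rule: a browser compares origins as scheme, host and port, string for string, and a preflight that does not name the page's exact origin leaves the page script with no readable response. The following is an added example, not code from either project, showing that comparison and a minimal gateway-side preflight evaluator; the allow-lists of methods and headers are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS"}   # assumed allow-list
ALLOWED_HEADERS = {"content-type", "authorization"}              # assumed allow-list


def origin_of(url):
    """Origin as the browser compares it: (scheme, host, effective port).

    The host is compared as a string, so http://127.0.0.1:8000 and
    http://localhost:8000 are different origins even though they reach the
    same interface.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    """True when a page at url_a may call url_b with fetch/XHR without CORS."""
    return origin_of(url_a) == origin_of(url_b)


def preflight_response(origin, allowed_origins, method, request_headers=""):
    """Evaluate a CORS preflight (OPTIONS) the way a gateway should.

    Returns (status, headers). Anything other than the allowing 204 is what
    the browser reports to page script as a failed request with no status
    (response code 0 / "no response from server" in the console).
    """
    deny = (403, {"Vary": "Origin"})
    if origin is None:
        return deny                                   # not a cross-origin browser request
    if origin_of(origin) not in {origin_of(o) for o in allowed_origins}:
        return deny                                   # origin not on the allow-list
    if method.upper() not in ALLOWED_METHODS:
        return deny
    wanted = {h.strip().lower() for h in request_headers.split(",") if h.strip()}
    if not wanted <= ALLOWED_HEADERS:
        return deny                                   # custom header not permitted
    return 204, {
        "Access-Control-Allow-Origin": origin,        # echo the exact origin; never '*' with credentials
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",                             # responses differ per origin; keep caches honest
    }
```

Vary: Origin is set on every response so a shared cache never serves one origin's allow header to another; echoing the exact origin rather than "*" is what keeps credentialed (cookie-bearing) requests working.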