[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

[krowvin]

Our internal servers require a .pem file be included for requests.

This is done via the REQUESTS_CA_BUNDLE environment variable set in our .bashrc environment for use with cwms-python's requests module.

Propose we do something like this in the TLS1Connection and/or switch to using requests and/or #24.

The following worked for me as a holdover to allow me to connect to the internal server using repgen5:

repgen/util/urllib2_tls.py

class TLS1Connection(httplib.HTTPSConnection):
    """Like HTTPSConnection but more specific"""
    def __init__(self, host, **kwargs):
        httplib.HTTPSConnection.__init__(self, host, **kwargs)
        # Take advantage of the requestsCA env var
        self.cert_file = os.getenv("REQUESTS_CA_BUNDLE", None)

    def connect(self):
        """Overrides HTTPSConnection.connect to specify TLS version"""
        sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
        if getattr(self, '_tunnel_host', None):
            self.sock = sock
            self._tunnel()

        # Custom SSL context
        context = ssl.create_default_context(cafile=self.cert_file)

        # Force TLS1.2 only
        context.minimum_version = ssl.TLSVersion.TLSv1_2

        # Wrap socket
        self.sock = context.wrap_socket(sock, server_hostname=self.host)

[DanielTOsborne]

Yeah, I'm thinking it might be good to switch to requests too.
I don't want to go to cwms-python at this point, because of the numpy dependencies, but requests is fine.

Your code looks fine otherwise though.

[MikeNeilson]

I thought cwms-python was setup to not require numpy?

Or was it just that you can bypass numpy and get the json directly?

[MikeNeilson]

I just looked, sadly no.

[Enovotny]

what is the issue with having the pandas dependencies? the batch images that I assume repgen would be running on will have pandas and numpy installed.