
SSL verification for registry.gitlab.com via httplib2 fails


I use bazel to publish docker images to the gitlab registry. Last week, the bazel commands started failing. I was able to narrow down the issue to httplib2.

The code sample below can be used to reproduce the issue.

import httplib
import httplib2

conn = httplib.HTTPSConnection("registry.gitlab.com")
conn.request("GET", "/")
r1 = conn.getresponse()
print r1.status, r1.reason

httplib2.Http().request('https://registry.gitlab.com')

The output for the above is:

200 OK
Traceback (most recent call last):
  File "deleteMe.py", line 9, in <module>
    httplib2.Http().request('https://registry.gitlab.com')
  File "/Users/joint/Library/Python/2.7/lib/python/site-packages/httplib2/__init__.py", line 2135, in request
    cachekey,
  File "/Users/joint/Library/Python/2.7/lib/python/site-packages/httplib2/__init__.py", line 1796, in _request
    conn, request_uri, method, body, headers
  File "/Users/joint/Library/Python/2.7/lib/python/site-packages/httplib2/__init__.py", line 1701, in _conn_request
    conn.connect()
  File "/Users/joint/Library/Python/2.7/lib/python/site-packages/httplib2/__init__.py", line 1411, in connect
    raise SSLHandshakeError(e)
httplib2.SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

Error shown in Wireshark is 'Description: Unknown CA (48)'

I have tried verifying the gitlab certs via openssl and I don't see any issue with them.

I have tried specifying the gitlab cert in the httplib2 definition but I get the same error.

  h = httplib2.Http(ca_certs='./registrygitlabcom.crt')
  h.request('https://registry.gitlab.com')

Any pointers on what I should be doing or trying out... thanks!


Solution

  • I think I have figured out the answer. Posting it here for anyone else who might run into this.

    The root certificates used by httplib2 are coming from the cacerts.txt file. (https://github.com/httplib2/httplib2/blob/master/python2/httplib2/cacerts.txt)

    registry.gitlab.com probably switched the root CA last week and that has triggered the problem.
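
One way to confirm a trust-store mismatch like the one described above, as an added Python 3 example that is not part of the original post: it handshakes with the same host once per CA bundle and reports which bundles validate the chain. The function names are hypothetical; `httplib2.CA_CERTS` is the path of the bundle httplib2 loads by default.

```python
import socket
import ssl


def verify_against(host, cafile=None, port=443, timeout=10):
    """Handshake with host, trusting only the roots in cafile.

    cafile=None means the platform default store (what the ssl module uses).
    Returns a short verdict string instead of raising.
    """
    try:
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError as exc:  # ssl.SSLError (no PEM certs) or missing file
        return "bundle unusable: %s" % type(exc).__name__
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok, issued by %s" % issuer.get("organizationName")
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate" when the root is absent
        return "verify failed: %s" % exc.verify_message
    except OSError as exc:
        return "connection error: %s" % type(exc).__name__


def compare_bundles(host, bundles, port=443):
    """bundles maps a label to a CA file path (None = system default store)."""
    return {label: verify_against(host, path, port)
            for label, path in bundles.items()}


if __name__ == "__main__":
    bundles = {"system default": None}
    try:
        import httplib2  # optional; only used to locate its CA bundle
        bundles["httplib2.CA_CERTS"] = httplib2.CA_CERTS
    except ImportError:
        pass
    results = compare_bundles("registry.gitlab.com", bundles)
    for label, verdict in results.items():
        print("%-20s %s" % (label, verdict))
```

If the system store reports `ok` while the httplib2 bundle reports `verify failed`, the server's root is missing from that bundle, and the fix is to update the bundle or point `ca_certs` at a file containing the issuing root rather than the leaf certificate.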