SSL Errors when running "Test your install"

3147
7
01-04-2017 05:57 PM
VishalPahuja1
New Contributor

I am following instructions from Install and Set Up | ArcGIS for Developers and I believe I have it installed correctly. Note that I am in a very secured environment and such.

When I try to run the "Hello World" type of test, it fails with following error. I have tried updating the following based on 

SSL verification error on Windows · Issue #494 · ContinuumIO/anaconda-issues · GitHub but in vain.

  1. In .condarc, set the following

    • ssl_verify: False
      Note that this DISABLES verification of SSL certificiates.
      You can accomplish this with the following command
     conda config --set ssl_verify False
  2. Upgrade openssl and cryptography:
    conda update openssl cryptography

  3. Update certifi:
    conda update certifi

  4. Re-enable SSL verification by removing the ssl_verify line from .condarc

How can move forward and resolve this issue....?


---------------------------------------------------------------------------
SSLError Traceback (most recent call last)
D:\Program Files (x86)\Anaconda3\lib\urllib\request.py in do_open(self, http_class, req, **http_conn_args)
1253 try:
-> 1254 h.request(req.get_method(), req.selector, req.data, headers)
1255 except OSError as err: # timeout error

D:\Program Files (x86)\Anaconda3\lib\http\client.py in request(self, method, url, body, headers)
1105 """Send a complete request to the server."""
-> 1106 self._send_request(method, url, body, headers)
1107

D:\Program Files (x86)\Anaconda3\lib\http\client.py in _send_request(self, method, url, body, headers)
1150 body = _encode(body, 'body')
-> 1151 self.endheaders(body)
1152

D:\Program Files (x86)\Anaconda3\lib\http\client.py in endheaders(self, message_body)
1101 raise CannotSendHeader()
-> 1102 self._send_output(message_body)
1103

D:\Program Files (x86)\Anaconda3\lib\http\client.py in _send_output(self, message_body)
933
--> 934 self.send(msg)
935 if message_body is not None:

D:\Program Files (x86)\Anaconda3\lib\http\client.py in send(self, data)
876 if self.auto_open:
--> 877 self.connect()
878 else:

D:\Program Files (x86)\Anaconda3\lib\http\client.py in connect(self)
1259 self.sock = self._context.wrap_socket(self.sock,
-> 1260 server_hostname=server_hostname)
1261 if not self._context.check_hostname and self._check_hostname:

D:\Program Files (x86)\Anaconda3\lib\ssl.py in wrap_socket(self, sock, server_side, do_handshake_on_connect, suppress_ragged_eofs, server_hostname)
376 server_hostname=server_hostname,
--> 377 _context=self)
378

D:\Program Files (x86)\Anaconda3\lib\ssl.py in __init__(self, sock, keyfile, certfile, server_side, cert_reqs, ssl_version, ca_certs, do_handshake_on_connect, family, type, proto, fileno, suppress_ragged_eofs, npn_protocols, ciphers, server_hostname, _context)
751 raise ValueError("do_handshake_on_connect should not be specified for non-blocking sockets")
--> 752 self.do_handshake()
753

D:\Program Files (x86)\Anaconda3\lib\ssl.py in do_handshake(self, block)
987 self.settimeout(None)
--> 988 self._sslobj.do_handshake()
989 finally:

D:\Program Files (x86)\Anaconda3\lib\ssl.py in do_handshake(self)
632 """Start the SSL/TLS handshake."""
--> 633 self._sslobj.do_handshake()
634 if self.context.check_hostname:

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

URLError Traceback (most recent call last)
<ipython-input-1-9d37624d78f7> in <module>()
1 from arcgis.gis import GIS
----> 2 my_gis = GIS()
3 my_gis.map()

D:\Program Files (x86)\Anaconda3\lib\site-packages\arcgis\gis.py in __init__(self, url, username, password, key_file, cert_file, verify_cert, set_active)
91 self._datastores_list = None
92 self._portal = portalpy.Portal(self._url, self._username, self._password, self._key_file, self._cert_file,
---> 93 verify_cert=self._verify_cert)
94
95 if self._url.lower() == "pro":

D:\Program Files (x86)\Anaconda3\lib\site-packages\arcgis\_impl\portalpy.py in __init__(self, url, username, password, key_file, cert_file, expiration, referer, proxy_host, proxy_port, connection, workdir, tokenurl, verify_cert)
157 proxy_host=proxy_host,
158 proxy_port=proxy_port,
--> 159 verify_cert=verify_cert)
160 #self.get_version(True)
161 self.get_properties(True)

D:\Program Files (x86)\Anaconda3\lib\site-packages\arcgis\_impl\connection.py in __init__(self, baseurl, tokenurl, username, password, key_file, cert_file, expiration, all_ssl, referer, proxy_host, proxy_port, connection, verify_cert)
272
273 if cert_file is None and key_file is None:
--> 274 self.login(username, password, expiration)
275
276 #----------------------------------------------------------------------

D:\Program Files (x86)\Anaconda3\lib\site-packages\arcgis\_impl\connection.py in login(self, username, password, expiration)
422 self._token = newtoken
423
--> 424 resp = self.post('', { 'f': 'json' }, add_token=False) # probe portal to find auth scheme
425 # if basic, digest, NTLM or Kerberos, etc is being used
426 # except handler will catch it and set self._auth appropriately

D:\Program Files (x86)\Anaconda3\lib\site-packages\arcgis\_impl\connection.py in post(self, path, postdata, files, ssl, compress, is_retry, use_ordered_dict, add_token, verify_cert, token)
917 opener.addheaders = headers
918 #print("***"+url)
--> 919 resp = opener.open(url, data=encoded_postdata.encode())
920 resp_data, is_file = self._process_response(resp)
921

D:\Program Files (x86)\Anaconda3\lib\urllib\request.py in open(self, fullurl, data, timeout)
464 req = meth(req)
465
--> 466 response = self._open(req, data)
467
468 # post-process response

D:\Program Files (x86)\Anaconda3\lib\urllib\request.py in _open(self, req, data)
482 protocol = req.type
483 result = self._call_chain(self.handle_open, protocol, protocol +
--> 484 '_open', req)
485 if result:
486 return result

D:\Program Files (x86)\Anaconda3\lib\urllib\request.py in _call_chain(self, chain, kind, meth_name, *args)
442 for handler in handlers:
443 func = getattr(handler, meth_name)
--> 444 result = func(*args)
445 if result is not None:
446 return result

D:\Program Files (x86)\Anaconda3\lib\urllib\request.py in https_open(self, req)
1295 def https_open(self, req):
1296 return self.do_open(http.client.HTTPSConnection, req,
-> 1297 context=self._context, check_hostname=self._check_hostname)
1298
1299 https_request = AbstractHTTPHandler.do_request_

D:\Program Files (x86)\Anaconda3\lib\urllib\request.py in do_open(self, http_class, req, **http_conn_args)
1254 h.request(req.get_method(), req.selector, req.data, headers)
1255 except OSError as err: # timeout error
-> 1256 raise URLError(err)
1257 r = h.getresponse()
1258 except:

URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)>

Tags (3)
0 Kudos
7 Replies
RohitSingh2
Esri Contributor

Hi Vishal,

To skip verification of certificate when connecting to your GIS, set the verify_cert parameter to False:

# Connect to the GIS
gis = GIS("https://your.gis.com/portal", "username", "password", verify_cert=False)

Hope this helps,

Rohit

VishalPahuja1
New Contributor

Hi Rohit,

Thanks for your quick reply and pointer, I tried the suggestion but I am still not able to get the map to show up. I am using following code:

from arcgis.gis import GIS
my_gis = GIS("http://pgegisportal.maps.arcgis.com/", "v1p3_pgegisportal", "*********", verify_cert=False)
my_gis.map()

I also tried

from arcgis.gis import GIS
my_gis = GIS("http://pgegisportal.maps.arcgis.com/home", "v1p3_pgegisportal", "*********", verify_cert=False)
my_gis.map()

Note that I am not using portal, but arcgis organizational account. The behaviour is different however; I am not getting error....but I never see the map either.

NOTE: I am noobie in Python NOtebook, Conda, Jupyter.

0 Kudos
VishalPahuja1
New Contributor

After I closed the notebook, I still saw "Running" in the jupyter dashboard. So I deleted that notebook. I created a new notebook and tried to run the same code again...I get following in the browser javascropt console:

Refresh the page to see messages that may have occurred before the F12 tools were opened.

Session: kernel_created (da298c90-1f8b-44a5-9129-a7649815e891)

Starting WebSockets:ws://localhost:8888/api/kernels/067401e9-3888-4d24-b956-71ceeccc95b8

Loading extension: jupyter-js-widgets/extension

Loading extension: arcgis/mapview

loaded map widget

Loading extension: nbpresent/js/nbpresent.min

Loading extension: nb_anacondacloud/main

loaded widgets

Loading extension: nb_conda/main

Kernel: kernel_connected (067401e9-3888-4d24-b956-71ceeccc95b8)

Kernel: kernel_ready (067401e9-3888-4d24-b956-71ceeccc95b8)

Widget backend and frontend versions are compatible

Widget backend and frontend versions are compatible

SCRIPT7002: XMLHttpRequest: Network Error 0x2ef3, Could not complete the operation due to error 00002ef3.
Untitled.ipynb

RequestError: Unable to load https://pgegisportal.maps.arcgis.com/sharing/rest/generateToken status: 0

0 Kudos
RohitSingh2
Esri Contributor

Hi Vishal,

I think you've correctly narrowed down the cause of the map widget not showing to this error.

I'm not sure why you're getting this error but it seems it is IE specific. Can you retry using Chrome or Firefox?

You mentioned that you're in a 'very secured environment'. Is that environment causing other files to not load? What is this secured environment? Connecting to arcgis online should not be causing an SSL Certificate verification environment, so I'm wondering why you get that error in the first place when the SSL certificate of  arcgis online and your online org (https://pgegisportal.maps.arcgis.com/) is valid. We need to resolve that problem first as that is likely causing these other errors.

Thanks,

Rohit

VishalPahuja1
New Contributor

Rohit

I am working on getting Chrome and Firefox installed on this server but in the meanwhile I want to think out loud. On this server, when I try to access https://pgegisportal.maps.arcgis.com, I get a warning that this site is not secured. I think this is becuase the the CRL (Certificate Revocation List) URL is NOT accessible from the server. Thats what I mean from "secure environment". We had to get exception to get arcgis.com accessible but it looks like CRL is from digicert which probably is not accessible from this server:

URL=http://crl3.digicert.com/sha2-ha-server-g5.crl

WHen I access my org portal from this server, I see the URL is NOT secure as it is not able to verify it....but having said that, if and when we give parameter verify_cert to be false, I am not sure why it is still not working!!! I think that might be bug in the API. There has to be a way for API to not check digicert CRL in my opinion. Can you try in your environment to prevent traffic to CRL?

I have a screenshot I can share...may be I will email it to you directly. Thanks for your help on this. Regards

0 Kudos
RohitSingh2
Esri Contributor

Hi Vishal,

There are two problems in your 'secured' network environment:

1) certificate verification problem when connecting to the GIS

2) map widget not working

Problem 1 : Adding verify_cert=False when constructing GIS object works around the SSL verification problem, and the rest of the ArcGIS Python API (except for the map widget) should work.

Problem 2: I'm expecting that you'll get better results (or errors) using Chrome, so can you try it out in Chrome and update with the results there? We need to figure out if there is a problem loading any javascript file in your environment that is causing this error. Checking the Network tab in Chrome developer console can reveal such issues.

Thanks,

Rohit

0 Kudos
VishalPahuja1
New Contributor

Just to close this thread...I upgraded the api to the latest version today and now I am able to "test my install" succesfully. Thanks

0 Kudos