SSL Error when creating Jail

thejamesk

Explorer
Joined
Sep 2, 2018
Messages
71
Hi, when I try to create a new Jail I get the following error. Anyone know how to fix this?

SSLError

HTTPSConnectionPool(host='www.freebsd.org', port=443): Max retries exceeded with url: /security/unsupported.html (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))


Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 394, in connect
    ssl_context=context,
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='www.freebsd.org', port=443): Max retries exceeded with url: /security/unsupported.html (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
    io_thread=False)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1098, in _call
    return await run_method(methodobj, *args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1022, in _run_in_conn_threadpool
    return await self.run_in_executor(self.__ws_threadpool, method, *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1010, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 965, in nf
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/jail.py", line 674, in releases_choices
    choices = {str(k): str(k) for k in ListableReleases(remote=remote)}
  File "/usr/local/lib/python3.7/site-packages/iocage_lib/release.py", line 46, in __init__
    self.eol_list = IOCFetch.__fetch_eol_check__()
  File "/usr/local/lib/python3.7/site-packages/iocage_lib/ioc_fetch.py", line 114, in __fetch_eol_check__
    req = requests.get(_eol)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/site-packages/raven/breadcrumbs.py", line 341, in send
    resp = real_send(self, request, *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.freebsd.org', port=443): Max retries exceeded with url: /security/unsupported.html (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))
 

kfritz

Cadet
Joined
Dec 17, 2021
Messages
2
I just ran into the same error here. Running FreeNAS-11.3-U5. Does anyone have any suggestions?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
The site just renewed their certificate. The old one was probably past its validity date. The new certificate became valid on 12/11/2021.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> The old one was probably past its validity date.
I doubt it. The likely issue is what @jgreco describes here:
...and the ultimate (and likely only) solution is "upgrade to TrueNAS 12."
 

kfritz

Cadet
Joined
Dec 17, 2021
Messages
2
Thanks danb35 -- that thread has the answer deep in the thread. The problem is python packages with their own CA certs. I went ahead and edited all of the files matching:
Code:
% find /usr/local/lib/python3.7/site-packages/ -type f -name "cacert.pem"
/usr/local/lib/python3.7/site-packages/pip/_vendor/certifi/cacert.pem
/usr/local/lib/python3.7/site-packages/certifi/cacert.pem
/usr/local/lib/python3.7/site-packages/botocore/cacert.pem
/usr/local/lib/python3.7/site-packages/botocore/vendored/requests/cacert.pem
/usr/local/lib/python3.7/site-packages/raven/data/cacert.pem

and removed the "DST Root CA X3" from each. This got me past the error for now. Agree that the ultimate solution is to upgrade.
 

jbabco

Cadet
Joined
May 18, 2015
Messages
1
> Thanks danb35 -- that thread has the answer deep in the thread. The problem is python packages with their own CA certs. I went ahead and edited all of the files matching:
> Code:
> % find /usr/local/lib/python3.7/site-packages/ -type f -name "cacert.pem"
> /usr/local/lib/python3.7/site-packages/pip/_vendor/certifi/cacert.pem
> /usr/local/lib/python3.7/site-packages/certifi/cacert.pem
> /usr/local/lib/python3.7/site-packages/botocore/cacert.pem
> /usr/local/lib/python3.7/site-packages/botocore/vendored/requests/cacert.pem
> /usr/local/lib/python3.7/site-packages/raven/data/cacert.pem
>
> and removed the "DST Root CA X3" from each. This got me past the error for now. Agree that the ultimate solution is to upgrade.
You, sir, are a godsend.
 

Joe Gorse

Cadet
Joined
Aug 22, 2016
Messages
7
This should be a script. Here is the beginning. Back the pem files up first.
Code:
# Copy every bundled cacert.pem to cacert.pem.old; sh -c receives the path as $1
cmd='cp "$1" "$1".old'
find /usr/local/lib/python3.7/site-packages -type f -name "cacert.pem" -exec sh -c "$cmd" _ignored {} \;

The relevant sections were between 25 and 30 lines.

I just updated to TrueNAS 12. If I am going to play, it will be more rewarding with supported software. Cheers.
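
The edit kfritz described, written out as the script Joe Gorse asks for. This is an added example, not part of any post in this thread: it backs up each bundle and drops the certificate block whose comment header names "DST Root CA X3". It assumes certifi-style bundles, where `#` comment lines precede each PEM block; the function names and the sample bundle are constructed for illustration.

```sh
# Added example, not from the thread. Assumes certifi-style bundles: each
# certificate has '#' comment lines (Issuer/Subject/Label) above its PEM body.
LABEL='DST Root CA X3'

# Print bundle $1 without any certificate whose comment header names $2.
strip_ca_block() {
    awk -v label="$2" '
        { blk = blk $0 "\n" }                      # buffer the current block
        /^#/ && index($0, label) { drop = 1 }      # header names the target CA
        /-----END CERTIFICATE-----/ {              # block complete: keep or drop
            if (!drop) printf "%s", blk
            blk = ""; drop = 0
        }
        END { if (!drop) printf "%s", blk }        # trailing lines after last cert
    ' "$1"
}

# Back up, then rewrite, each cacert.pem under $1 that still has the label.
# Prints changed files; a rerun skips them, so .old stays the original.
clean_tree() {
    find "$1" -type f -name cacert.pem | while IFS= read -r pem; do
        grep -qF -- "$LABEL" "$pem" || continue
        cp -p "$pem" "$pem.old"
        strip_ca_block "$pem.old" "$LABEL" > "$pem"
        echo "$pem"
    done
}

# Constructed sample bundle: placeholder bodies, not real certificates.
make_sample() {
    mkdir -p "$1/certifi"
    cat > "$1/certifi/cacert.pem" <<'EOF'
# Label: "Example Root A"
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----

# Label: "DST Root CA X3"
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----

# Label: "Example Root C"
-----BEGIN CERTIFICATE-----
Q0NDQw==
-----END CERTIFICATE-----
EOF
}

demo=$(mktemp -d) && make_sample "$demo" && clean_tree "$demo"; rm -rf "$demo"
```

For the path in this thread the call would be `clean_tree /usr/local/lib/python3.7/site-packages`. Reinstalling the same package version restores its original bundle, so the edit has to be repeated after that.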
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> I just updated to TrueNAS 12. If I am going to play, it will be more rewarding with supported software.
TrueNAS 12 is no longer supported; the only version of CORE currently supported is 13.
 