help(SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)

[newctech]

Traceback (most recent call last):
File "", line 1, in
File "/usr/lib/python3.6/site-packages/pykube/query.py", line 182, in iter
return iter(self.query_cache["objects"])
File "/usr/lib/python3.6/site-packages/pykube/query.py", line 172, in query_cache
cache["response"] = self.execute().json()
File "/usr/lib/python3.6/site-packages/pykube/query.py", line 148, in execute
r = self.api.get(**kwargs)
File "/usr/lib/python3.6/site-packages/pykube/http.py", line 269, in get
return self.session.get(*args, **self.get_kwargs(**kwargs))
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 546, in get
return self.request('GET', url, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3.6/site-packages/pykube/http.py", line 135, in send
response = self._do_send(request, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='39.107.214.209', port=6443): Max retries exceeded with url: /api/v1/namespaces/default/pods (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

[hjacobs]

Can you tell us a bit more about your setup? What is your configuration to connect to the cluster (KubeConfig I suppose)?

[twz123]

Running into the same problem when running in cluster using a service account: libssl rejects the API server's certificate for a reason I haven't figured out yet. On the other hand, in the same pod, kubectl just works flawlessly with the given certificate chain / service account.

Maybe openssl s_client -showcerts -connect $KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT -CAfile /run/secrets/kubernetes.io/serviceaccount/ca.crt gives some insights.

[korcky]

@twz123 Recently have the same issue with service account and self-signed certificates, but with older version of pykube==0.15.0 and requests==2.22.0. The problem was with how the pykube makes a request.Session:
in requests==2.22.0 Session() object, by default, have a parameter trust_env = True, which force any request to use only environment certificates which break everything (even when you specify verify parameter in Session()).
Mb it will lead you to something useful.

[zoidyzoidzoid]

I recently had a similar issue when trying out 'kube-web-view', and ended up editing session.verify to be False all over the codebase, which got it working.

[hjacobs]

@korcky @zoidbergwill do you mind doing a PR with a proper fix?

[korcky]

I could try on this weekends, but I doesn't quite familiar with this version of pykube (only worked with previous version that archived by now)