Intermittent SSL verification issues

Bug #1424246 reported by Ralph Bean
This bug affects 1 person
Affects: Libravatar (obsolete)
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

It happens pretty frequently. Just try this python script to see for yourself.

"""
Attempt 0
Attempt 1
Attempt 2
Traceback (most recent call last):
  File "test-libravatar.py", line 6, in <module>
    requests.get(url)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 65, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 49, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 461, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

import requests
url = 'https://seccdn.libravatar.org/avatar/f13d099b8bf99ff3001fa694b438cad2d448d3fd2681a4e87a1e8db5ee4b0d5a'

for i in range(20):
    print "Attempt", i
    requests.get(url)

François Marier (fmarier) wrote :

I ran your script (bumped it to 100 attempts) and couldn't reproduce the problem.

Then I took each A record for seccdn.libravatar.org:

seccdn.libravatar.org. 3379 IN A 5.35.241.22
seccdn.libravatar.org. 3379 IN A 166.78.0.128
seccdn.libravatar.org. 3379 IN A 162.242.146.192

and put it in my /etc/hosts before re-running the script to see if any one of these was causing problems. Nope.

So I tried each AAAA record next:

seccdn.libravatar.org. 3202 IN AAAA 2001:4800:7810:512:8a30:6c1b:ff04:50be
seccdn.libravatar.org. 3202 IN AAAA 2001:4800:7816:517:8a30:6c1b:ff04:60cb
seccdn.libravatar.org. 3202 IN AAAA 2a01:488:66:1000:523:f116:0:1

and found that the last one did in fact return an error:

Attempt 0
Traceback (most recent call last):
  File "./libravatar-test", line 7, in <module>
    requests.get(url)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 52, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 40, in request
    return s.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 229, in request
    r.send(prefetch=prefetch)
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 631, in send
    raise SSLError(e)
requests.exceptions.SSLError: hostname 'seccdn.libravatar.org' doesn't match 'mail.cweiske.de'

but that's a different error than what you've got. I wonder whether requests 0.12.1 supports SNI.

Can you confirm that the server you're having problems with is 2a01:488:66:1000:523:f116:0:1 or am I looking at a different problem?
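
Added example, not part of the original thread or of Libravatar's code: the per-address check described in the comment above, done without editing /etc/hosts by connecting to each resolved address while still sending the real hostname as SNI and verifying the certificate against it. It assumes Python 3.7+ and the system CA store; the function names resolve, probe and audit are this example's own.

```python
import socket
import ssl
import sys


def resolve(host, port=443):
    """Return every distinct A/AAAA address the resolver hands out for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(host, addr, port=443, timeout=5.0):
    """TLS-handshake with one backend address, verifying its cert against host.

    The TCP connection goes to addr, but server_hostname=host is what is sent
    as SNI and what the certificate is checked against, the same effect as
    pinning the name in /etc/hosts.
    """
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return {"addr": addr, "ok": True, "detail": "SANs: " + ", ".join(sans)}
    except ssl.SSLCertVerificationError as exc:
        # Covers both an untrusted chain and a hostname mismatch.
        return {"addr": addr, "ok": False, "detail": exc.verify_message}
    except OSError as exc:  # other TLS errors, refused connections, timeouts
        return {"addr": addr, "ok": False, "detail": str(exc) or type(exc).__name__}


def audit(host, addrs=None, port=443, timeout=5.0):
    """Probe every address (resolved unless given) and return (all, failing)."""
    addrs = resolve(host, port) if addrs is None else addrs
    results = [probe(host, a, port, timeout) for a in addrs]
    return results, [r for r in results if not r["ok"]]


if __name__ == "__main__":
    results, failing = audit(sys.argv[1])  # hostname to check, given on the command line
    for r in results:
        print("OK  " if r["ok"] else "FAIL", r["addr"], r["detail"])
    sys.exit(1 if failing else 0)
```

A round-robin name fails verification intermittently when only some of its backends present a bad certificate, so the per-address result is what identifies the mirror to fix.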

Ralph Bean (ralph-bean) wrote :

I think we're looking at the same one. I got the ipv4 address of the problem server as 5.35.241.22 (which is in cweiske.de).

François Marier (fmarier) wrote :

Does this still happen? Even with clients that support SNI?

Changed in libravatar:
status: New → Incomplete