This repository has been archived by the owner on Apr 15, 2024. It is now read-only.

Passing cert parameter gives SSL error #283

Open
pi19404 opened this issue Jun 6, 2021 · 2 comments

Comments

@pi19404

pi19404 commented Jun 6, 2021

When using the client certificate downloaded as part of the client config zip file from the HashiCorp Cloud console and passing the same to consul, I get an error.

import consul  # python-consul client library

host="consul-cluster.consul.AAAAAAAA.aws.hashicorp.cloud"
token="XXXXXX"
scheme="https"
port="443"
verify=True
cert="/home/r2_user1/Downloads/consul/ca.pem"  # CA certificate from the client config zip

print("consul host is ", host, token, port, scheme)
# cert is passed through to requests as the client certificate
cc: consul.Consul = consul.Consul(host=host, token=token, port=port, scheme=scheme, cert=cert)
cc.kv.put('foo', 'bar')

Below is the SSL error encountered; without the cert parameter the calls work properly.

consul host is consul-cluster.consul.AAAAA.aws.hashicorp.cloud 69d69bed-f849-947d-f75c-a1edc16468e1 443 https
taking a lock <consul.std.Consul object at 0x7f8de4782950>
Traceback (most recent call last):
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connectionpool.py", line 706, in urlopen
chunked=chunked,
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connectionpool.py", line 1010, in validate_conn
conn.connect()
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connection.py", line 421, in connect
tls_in_tls=tls_in_tls,
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 397, in ssl_wrap_socket
context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3932)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/connectionpool.py", line 756, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='consul-cluster.consul.AAAAAAAA.aws.hashicorp.cloud', port=443): Max retries exceeded with url: /v1/kv/foo?token=XXXXXXXXXX (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:3932)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "../consul_lib/test_consul.py", line 27, in <module>
cc.kv.put('foo', 'bar')
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/consul/base.py", line 623, in put
CB.json(), '/v1/kv/%s' % key, params=params, data=value)
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/consul/std.py", line 28, in put
cert=self.cert)))
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/requests/sessions.py", line 602, in put
return self.request('PUT', url, data=data, **kwargs)
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/home/r2_user1/jv/notification_framework/build/python_workspace/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='consul-cluster.consul.AAAAAA.aws.hashicorp.cloud', port=443): Max retries exceeded with url: /v1/kv/foo?token=XXXXXXXXX (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:3932)')))

@jmgilman

Can confirm that I am seeing the same thing. Setting verify to False in the client configuration does resolve the issue - so it's something related to validating the CA. I have everything configured through environment variables and the consul CLI tool can interact with the cluster with no problems so this issue is somewhere on the Python side.

@jmgilman

jmgilman commented Jun 25, 2021

Dug through a ton of code/documentation since I was having issues not only with this library but also with the community Ansible module since it relies on it. In my case the problem was the verify parameter wants the path to the public CA certificate for validation. I was confused by this initially because the Ansible module passes True as the default value which made me assume this was a boolean parameter.

Once I set verify to the path to the CA certificate I was able to use the library as normal.

I filed a bug to fix the Ansible documentation. The documentation for this library isn't any better; it seems there need to be two parameters: one that actually determines if validation is performed and one that specifies the certificate to use for validation. It would also be helpful to use the default CONSUL_CACERT environment variable, as it appears that's not currently the case.
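The confusion in this thread comes from python-consul passing `verify` and `cert` straight through to requests, where `verify` is either a boolean or the path to a CA bundle and `cert` is the client certificate (a PEM holding cert and key, or a `(cert, key)` tuple). Handing the CA file to `cert` is what makes OpenSSL's `load_cert_chain` fail with `[SSL] PEM lib`, because that file contains no private key. The example below is added here and is not python-consul's or Ansible's code: it builds the keyword arguments from the Consul CLI's environment variable names (`CONSUL_CACERT`, `CONSUL_CLIENT_CERT`, `CONSUL_CLIENT_KEY`, `CONSUL_HTTP_SSL_VERIFY`; reading them is this example's own choice, not something the library does) and refuses a `cert` value that lacks a private key before the request is ever sent. The PEM files in `demo()` are constructed placeholders with only the block markers, enough for the textual check but not parseable by OpenSSL.

```python
"""Map Consul TLS settings onto python-consul / requests keyword arguments.

Added example, not library code.  `verify` -> bool or CA bundle path,
`cert` -> client certificate (PEM path or (cert, key) tuple), mirroring the
requests semantics that python-consul passes through.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Optional, Tuple, Union

CertArg = Union[str, Tuple[str, str]]


def _pem_has(path: str, marker: str) -> bool:
    """Cheap textual check that a PEM file carries a block of the given type."""
    return marker in Path(path).read_text()


def _check_client_cert(cert: CertArg) -> None:
    """Reject inputs that would make OpenSSL fail with '[SSL] PEM lib'.

    load_cert_chain(certfile, keyfile) needs a certificate *and* a private
    key; a CA certificate on its own has no key, so it belongs in `verify`.
    """
    certfile, keyfile = (cert, None) if isinstance(cert, str) else cert
    if not _pem_has(certfile, "BEGIN CERTIFICATE"):
        raise ValueError(f"{certfile}: no CERTIFICATE block")
    key_source = keyfile or certfile
    if not _pem_has(key_source, "PRIVATE KEY"):
        raise ValueError(
            f"{key_source}: no PRIVATE KEY block; a CA certificate goes in "
            "`verify`, not `cert`"
        )


def build_tls_kwargs(
    ca_cert: Optional[str] = None,
    client_cert: Optional[str] = None,
    client_key: Optional[str] = None,
    verify: bool = True,
) -> Dict[str, object]:
    """Return the verify/cert kwargs to hand to consul.Consul(...)."""
    kwargs: Dict[str, object] = {}
    if not verify:
        kwargs["verify"] = False          # disables server validation entirely
    elif ca_cert:
        if not _pem_has(ca_cert, "BEGIN CERTIFICATE"):
            raise ValueError(f"{ca_cert}: no CERTIFICATE block")
        kwargs["verify"] = ca_cert        # validate the server against this CA
    else:
        kwargs["verify"] = True           # system trust store
    if client_cert:
        cert: CertArg = (client_cert, client_key) if client_key else client_cert
        _check_client_cert(cert)
        kwargs["cert"] = cert             # mutual TLS client identity
    return kwargs


def tls_kwargs_from_env(env: Mapping[str, str] = os.environ) -> Dict[str, object]:
    """Read the Consul CLI's variable names (the library itself does not)."""
    verify_raw = env.get("CONSUL_HTTP_SSL_VERIFY", "true").strip().lower()
    return build_tls_kwargs(
        ca_cert=env.get("CONSUL_CACERT"),
        client_cert=env.get("CONSUL_CLIENT_CERT"),
        client_key=env.get("CONSUL_CLIENT_KEY"),
        verify=verify_raw not in ("false", "0", "no"),
    )


def demo() -> Dict[str, object]:
    """Exercise the mapping on constructed placeholder PEM files."""
    d = Path(tempfile.mkdtemp())
    ca, crt, key = d / "ca.pem", d / "client.crt", d / "client.key"
    ca.write_text("-----BEGIN CERTIFICATE-----\nCONSTRUCTED CA\n-----END CERTIFICATE-----\n")
    crt.write_text("-----BEGIN CERTIFICATE-----\nCONSTRUCTED CLIENT\n-----END CERTIFICATE-----\n")
    key.write_text("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED KEY\n-----END PRIVATE KEY-----\n")
    env = {"CONSUL_CACERT": str(ca), "CONSUL_CLIENT_CERT": str(crt), "CONSUL_CLIENT_KEY": str(key)}
    good = tls_kwargs_from_env(env)
    try:
        build_tls_kwargs(client_cert=str(ca))   # the mistake from this issue
        bad = None
    except ValueError as exc:
        bad = str(exc)
    return {"good": good, "ca_as_client_cert_error": bad}


if __name__ == "__main__":
    print(demo())
```

Pass the result through unchanged: `consul.Consul(host=host, token=token, port=port, scheme=scheme, **tls_kwargs_from_env())`. The textual PEM check is deliberately shallow; it catches the cert/verify mix-up early with a readable message, while OpenSSL still performs the real parsing when the connection is made.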
