How to solve SSL - certificate verify failed exception while pact verification, service provider against broker (https broker) using pact-python lib

Question

Facing below error while communicating with https pact broker url, using pact-python lib for contract verification test against broker.

Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed.

I have already installed required certificates on container (Docker environment) where the code is running.

Below is the sample code:

broker_opts():
    return {
        "broker_url": "https://ebpact01.devlab2k.testnet.rim.net:443",
        "publish_verification_results": True
    }

def test_user_service_provider_against_broker(server, broker_opts):
    verifier = Verifier(provider="user@provider", provider_base_url=PROVIDER_URL)

    success, logs = verifier.verify_with_broker(
        **broker_opts,
        verbose=True,
        provider_states_setup_url=f"{PROVIDER_URL}/_pact/provider_states",
        enable_pending=False,
    )

    assert success == 0

Sample Docker file :

FROM python:3.7-slim-buster

COPY ./ .

RUN pwd
RUN pip install --upgrade pip
RUN pip install -r requirements.txt

RUN apt-get update \
    && apt-get install openssl \
    && apt-get install ca-certificates

#Add certificate required to access broker
ADD 'http://certificate-url/Root-CA-1.crt'   $capath/broker-root-ca1.crt
RUN update-ca-certificates

RUN export SSL_CERT_DIR=/etc/ssl/certs
RUN export SSL_CERT_FILE=/etc/ssl/certs/broker-root-ca1.crt

#invokes pytest.main method
CMD ["python3", "./test/invoke_pact_test.py"]

Sample Docker compose file :

  pactverify:
    build:
      context: ../../
      dockerfile: deploy/docker/dockerfile-pact
    image: app-pact:$CI_COMMIT_SHORT_SHA
    environment:
      - PACT_BROKER=$PACT_BROKER

Stack trace :

Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed , attempt 1 of 3 Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed , attempt 2 of 3 Error making request - OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed , attempt 3 of 3 /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/ruby/lib/ruby/2.2.0/net/http.rb:923:in connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError) from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/ruby/lib/ruby/2.2.0/net/http.rb:923:in block in connect' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/ruby/lib/ruby/2.2.0/timeout.rb:74:in timeout' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/ruby/lib/ruby/2.2.0/net/http.rb:923:in connect' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/ruby/lib/ruby/2.2.0/net/http.rb:863:in do_start' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/ruby/lib/ruby/2.2.0/net/http.rb:852:in start' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/hal/http_client.rb:62:in block in perform_request' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/retry.rb:23:in until_true' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/hal/http_client.rb:50:in perform_request' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/hal/http_client.rb:25:in get' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/hal/link.rb:49:in get' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/pact_broker/fetch_pact_uris_for_verification.rb:57:in index' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/pact_broker/fetch_pact_uris_for_verification.rb:42:in call' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/pact_broker/fetch_pact_uris_for_verification.rb:38:in call' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-1.62.0/lib/pact/pact_broker.rb:18:in fetch_pact_uris_for_verification' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/aggregate_pact_configs.rb:46:in pacts_for_verification' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/aggregate_pact_configs.rb:39:in pacts_urls_from_broker' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/aggregate_pact_configs.rb:26:in call' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/aggregate_pact_configs.rb:10:in call' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/app.rb:211:in all_pact_urls' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/app.rb:225:in warn_empty_pact_set' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/app.rb:40:in call' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/app.rb:35:in call' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/cli/verify.rb:49:in verify' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/thor-1.2.1/lib/thor/command.rb:27:in run' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/thor-1.2.1/lib/thor/invocation.rb:127:in invoke_command' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/thor-1.2.1/lib/thor.rb:392:in dispatch' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/thor-1.2.1/lib/thor/base.rb:485:in start' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/vendor/ruby/2.2.0/gems/pact-provider-verifier-1.36.1/lib/pact/provider_verifier/cli/custom_thor.rb:17:in start' from /usr/local/lib/python3.7/site-packages/pact/bin/pact/lib/app/pact-provider-verifier.rb:33:in ' opening connection to broker.url:443 ... opened starting SSL for broker.url:443 ... SSL established Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed opening connection to broker.url:443 ... opened starting SSL for broker.url:443 ... SSL established Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed opening connection to broker.url:443 ... opened starting SSL for broker.url:443 ... SSL established Conn close because of connect error SSL_connect returned=1 errno=0 state=error: certificate verify failed

Answer 1

Is your self signed certificate?

I would advise reading the below

https://docs.pact.io/pact_broker/advanced_topics/using-tls#connecting-to-a-pact-broker-running-over-tls

and raising an issue on the repo, as well as a repo as a sample.

We hang out over at https://slack.pact.io

Does it work if you disable ssl on the verifier?