Running into a bit of confusion regarding SSL verification when using the Python client. I’m assuming there’s just something I don’t understand about the SSL verification process in general.
The short version is: I need to set `ssl=no_verify` on my connection string when running from EC2/Ubuntu, but not when running from my Mac.
We’re running Couchbase Enterprise 6.6.2 on a cluster of EC2 instances. We have a self signed cert that the server uses for TLS.
I’m using version 4.0.3 of the Python client. I’ve gotten the same results running under Python 3.8, 3.9, and 3.10.
The test I’ve been using is basically just a copy/paste from the getting started guide:
```python
import os
from datetime import timedelta

from couchbase.auth import PasswordAuthenticator
from couchbase.cluster import Cluster
from couchbase.options import (ClusterOptions, ClusterTimeoutOptions, QueryOptions)

bucket_name = "the_bucket"
username = os.environ["CB_USER"]
password = os.environ["CB_PASSWORD"]
cert_path = os.environ["CB_CERT_PATH"]
endpoint = os.environ["CB_URL"]

auth = PasswordAuthenticator(
    username,
    password,
    # From couchbase docs:
    # NOTE: If using SSL/TLS, add the certificate path.
    # We strongly recommend this for production use.
    cert_path=cert_path
)

cluster = Cluster(endpoint, ClusterOptions(auth))
cluster.wait_until_ready(timedelta(seconds=10))
print("cluster ready")
```
Now, this all works great from my Mac laptop (MacOS 10.15.7). I am able to connect with the following CB_URL:
However, if I run this from one of our application servers (EC2/Ubuntu 20.04), I need to disable SSL verification by setting the connection string to:
Otherwise, I just get an
I’ve confirmed that all the settings are identical between environments.
The question is: why does disabling ssl verification make it work on Ubuntu? Why does this not need to be done from my Mac?
I thought the process of SSL verification involved verifying the hostname of the cert as well as checking that it’s signed by a trusted authority. Since we are using a self-signed cert, which can’t be verified, I assumed we would need to turn off verification everywhere, but this is not the case on Mac somehow.
Any help would be greatly appreciated. I’m sure there’s something fundamental I’m missing.
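A diagnostic for the two checks the question names (hostname match and trust in the signer), added here as an example and not part of the original post or the Couchbase SDK. It uses only Python's standard library, trusts nothing but the file in `CB_CERT_PATH`, and assumes a `couchbases://` connection string and the default TLS data port 11207.

```python
import os
import socket
import ssl
from urllib.parse import parse_qs, urlsplit

KV_TLS_PORT = 11207        # assumption: Couchbase default TLS data port
MISMATCH_CODES = {62, 64}  # OpenSSL X509_V_ERR_HOSTNAME_MISMATCH / IP_ADDRESS_MISMATCH


def parse_conn_str(conn_str):
    """Return (hosts, verify_disabled) for a connection string (IPv6 literals not handled)."""
    parts = urlsplit(conn_str)
    hosts = [h.rsplit(":", 1)[0] for h in parts.netloc.split(",") if h]
    return hosts, parse_qs(parts.query).get("ssl") == ["no_verify"]


def check_tls(host, ca_file, port=KV_TLS_PORT, timeout=5.0):
    """Attempt a handshake trusting only ca_file; return (status, detail)."""
    try:
        # With cafile given, the system trust store is NOT loaded.
        ctx = ssl.create_default_context(cafile=ca_file)
    except OSError as exc:  # file missing, unreadable, or not PEM
        return "ca_file_unusable", str(exc)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok", "chain and hostname both verified"
    except ssl.SSLCertVerificationError as exc:
        # Separate "name in the cert does not match" from "signer not trusted".
        kind = "hostname_mismatch" if exc.verify_code in MISMATCH_CODES else "untrusted_chain"
        return kind, exc.verify_message
    except OSError as exc:  # refused, timed out, DNS failure, non-TLS port
        return "connect_failed", str(exc)


if __name__ == "__main__":
    hosts, disabled = parse_conn_str(os.environ["CB_URL"])
    print("verification disabled in connection string:", disabled)
    for h in hosts:
        print(h, *check_tls(h, os.environ["CB_CERT_PATH"]))
```

Run it with the same environment variables on both machines; a status that differs between them shows whether the hostname check, the trust check, or the certificate file itself behaves differently.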