[GH-ISSUE #402] Self signed SSL error #861

Closed
opened 2026-03-15 10:46:26 +03:00 by kerem · 2 comments

Originally created by @gfvirga on GitHub (Mar 30, 2020).
Original GitHub issue: https://github.com/asciinema/asciinema/issues/402

Hello, using the asciinema command line does not seem to use the SSL certificate from the Ubuntu trust store.
My company does not allow HTTP to be opened for a fix.

```
user@LT-5CG9057HBW:~$ asciinema --version
asciinema 2.0.2
user@LT-5CG9057HBW:~/.asciinema$ asciinema upload /tmp/tmpxrbrgj4c-ascii.cast
asciinema: upload failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
asciinema: retry later by running: asciinema upload /tmp/tmpxrbrgj4c-ascii.cast
```

Curl works without ignoring SSL

```
user@LT-5CG9057HBW:~/.asciinema$ curl --http1.1 -v -u gfelixvirga:$(cat ~/.asciinema/install-id) https://asciinema.apps.company.com/api/asciicasts -F asciicast=@/tmp/tmpxrbrgj4c-ascii.cast
*   Trying 10.18.143.104...
* TCP_NODELAY set
* Connected to asciinema.apps.company.com (10.18.143.104) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=NY; L=Amherst; O=Company; OU=Openshift; CN=apps.company.com
*  start date: Sep 23 17:22:17 2019 GMT
*  expire date: Sep 22 17:22:17 2022 GMT
*  subjectAltName: host "asciinema.apps.company.com" matched cert's "*.apps.company.com"
*  issuer: O=Company Corporation; CN=M and T Enterprise General Purpose Issuing CA 3
*  SSL certificate verify ok.
* Server auth using Basic with user 'gfelixvirga'
> POST /api/asciicasts HTTP/1.1
> Host: asciinema.apps.company.com
> Authorization: Basic Z2ZlbGl4dmlyZ2E6MTUwMjQxZWYtOTcwNi00M2U1LWE3Y2EtYjVjNTY4Mjk2ZWM2
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Length: 4893
> Content-Type: multipart/form-data; boundary=------------------------09feb1a6a23ef63b
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 201 Created
< server: Cowboy
< date: Mon, 30 Mar 2020 15:57:35 GMT
< content-length: 70
< content-type: text/plain; charset=utf-8
< cache-control: max-age=0, private, must-revalidate
< x-request-id: 2o0i07ct9eilc51qlk000351
< location: https://asciinema.apps.company.com/a/2
< Set-Cookie: 41f813967c59c21e5fde4e671a64972e=ac842cfb17b5f23ec614851f3a297990; path=/; HttpOnly; Secure
< 
View the recording at:

    https://asciinema.apps.company.com/a/2
* Connection #0 to host asciinema.apps.company.com left intact
```
kerem closed this issue 2026-03-15 10:46:31 +03:00

@ku1ik commented on GitHub (Dec 11, 2021):

asciinema uses Python's built-in HTTP library, so I guess it's the Python installation on Ubuntu that has an issue with the local trust store.


@digas commented on GitHub (Nov 14, 2022):

@sickill I'm experiencing the same problem on macOS (Ventura; I can't tell if this works on other versions).
The only Python I have is from the brew installation:

```
❯ brew list|grep python
python@3.10
python@3.11
python@3.9
```

(I believe Apple has removed python2)

And what I get is:

```
asciinema: upload failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
asciinema: retry later by running: asciinema upload /Users/diogo.serra/Downloads/Testing.cast
```

and the same for play, which makes sense. But does this mean that my Python is reading the wrong place regarding the CA certificates?

**Update**
@sickill and @gfvirga I found how to resolve the problem.
In my case on macOS, as we nowadays use the python3 from brew and openssl@1.1 and openssl@3, I removed both openssl versions (as it says during the installation process, it adds the CA-certificates copy to a specific place for each version) by:

```
brew uninstall --ignore-dependencies --force openssl@3
brew uninstall --ignore-dependencies --force openssl@1.1
```

then installed both again with:

```
brew install openssl@1.1
brew install openssl@3
```

And during the installation you can read this:

```
❯ brew info openssl@1.1
==> openssl@1.1: stable 1.1.1s (bottled) [keg-only]
Cryptography and SSL/TLS Toolkit
https://openssl.org/
/usr/local/Cellar/openssl@1.1/1.1.1s (8,101 files, 18.5MB)
  Poured from bottle on 2022-11-14 at 11:57:22
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/openssl@1.1.rb
License: OpenSSL
==> Dependencies
Required: ca-certificates ✔
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl@1.1/certs

and run
  /usr/local/opt/openssl@1.1/bin/c_rehash

openssl@1.1 is keg-only, which means it was not symlinked into /usr/local,
because macOS provides LibreSSL.

If you need to have openssl@1.1 first in your PATH, run:
  echo 'export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"' >> ~/.zshrc

For compilers to find openssl@1.1 you may need to set:
  export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
  export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"

For pkg-config to find openssl@1.1 you may need to set:
  export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"

==> Analytics
install: 977,545 (30 days), 2,449,741 (90 days), 11,242,394 (365 days)
install-on-request: 42,873 (30 days), 95,501 (90 days), 408,261 (365 days)
build-error: 1,439 (30 days)
```

So following the description, you just need to copy the CA cert file to /usr/local/etc/openssl@1.1/certs and /usr/local/etc/openssl@3/certs respectively, and run /usr/local/opt/openssl@1.1/bin/c_rehash and /usr/local/opt/openssl@3/bin/c_rehash respectively:

```
cp /PATH/TO/MY/CA-CERTIFILECOPY.pem /usr/local/etc/openssl@1.1/certs
/usr/local/opt/openssl@1.1/bin/c_rehash
cp /PATH/TO/MY/CA-CERTIFILECOPY.pem /usr/local/etc/openssl@3/certs
/usr/local/opt/openssl@3/bin/c_rehash
```

Then I was successfully able to upload my videos again.
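
A diagnostic for the question raised in this thread (which CA store is this Python actually reading?), added here as an example; it is not asciinema's code. `trust_store_report` and `check_host` are hypothetical helper names, and `EXTRA_CA` is an assumed environment variable used only by this script.

```python
import os
import socket
import ssl


def trust_store_report():
    """Return where this Python's OpenSSL looks for CA certificates."""
    p = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # loads the default trust store
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "compiled_cafile": p.openssl_cafile,
        "compiled_capath": p.openssl_capath,
        # Environment variables that override the compiled-in locations.
        "env_overrides": {name: os.environ.get(name)
                          for name in (p.openssl_cafile_env, p.openssl_capath_env)},
        # None means the path does not exist, so nothing is loaded from it.
        "effective_cafile": p.cafile,
        "effective_capath": p.capath,
        # Certificates in capath are loaded lazily and are not counted here.
        "ca_certs_loaded": len(ctx.get_ca_certs()),
    }


def check_host(host, port=443, extra_cafile=None, timeout=5.0):
    """Verify the host's certificate chain; return (ok, detail)."""
    ctx = ssl.create_default_context()  # verification and hostname check stay on
    if extra_cafile:
        ctx.load_verify_locations(cafile=extra_cafile)  # add a CA, do not replace
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    import pprint
    import sys
    pprint.pprint(trust_store_report())
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1], extra_cafile=os.environ.get("EXTRA_CA")))
```

Run it with the same interpreter that asciinema uses; if `check_host` only succeeds when `EXTRA_CA` points at the internal issuing CA, that CA is missing from the store listed in the report.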
