Nagios Support Forum

Posted: **Wed Aug 10, 2016 1:01 pm**

Weird - not seeing a certificate error over here. Let's get some verbosity from the CURL, please run the following and post back the full output -

Code: Select all

curl -v https://pypi.python.org/simple/pip/

Posted: **Tue Aug 16, 2016 2:13 pm**

Sorry for the late response I just saw this post. here is the result

[root@IGSAOAEWUS049 ~]# curl -v https://pypi.python.org/simple/pip/
* About to connect() to pypi.python.org port 443 (#0)
* Trying 151.101.48.223...
* Connected to pypi.python.org (151.101.48.223) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=www.python.org,O=Python Software Foundation,L=Wolfeboro,ST=N H,C=US,postalCode=03894-4801,STREET=16 Allen Rd,serialNumber=3359300,incorporati onState=Delaware,incorporationCountry=US,businessCategory=Private Organization
* start date: Jun 29 00:00:00 2016 GMT
* expire date: Sep 27 12:00:00 2018 GMT
* common name: www.python.org
* issuer: CN=res-sv3800_rsa,OU=DOI/OS/IAD/IAO,O=Cybersecurity,L=Reston,ST= VA,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@IGSAOAEWUS049 ~]#

Posted: **Tue Aug 16, 2016 2:44 pm**

It appears as you're getting another Issuer for the certificate, which is likely why it's failing. Here is the command ran on my system -

Code: Select all

[root@localhost python]# curl -v https://pypi.python.org/simple/pip/
* About to connect() to pypi.python.org port 443 (#0)
*   Trying 151.101.44.223... connected
* Connected to pypi.python.org (151.101.44.223) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.python.org,O=Python Software Foundation,L=Wolfeboro,ST=NH,C=US,postalCode=03894-4801,STREET=16 Allen Rd,serialNumber=3359300,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
*       start date: Jun 29 00:00:00 2016 GMT
*       expire date: Sep 27 12:00:00 2018 GMT
*       common name: www.python.org
*       issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US

The only difference I noticed was the IP it was connecting to, and the issuer. So, I adjusted my hosts file to hit the same IP you are. The issuer, stayed the same. Do you know what's going on exactly in your environment?

Code: Select all

[root@localhost python]# curl -v https://pypi.python.org/simple/pip/
* About to connect() to pypi.python.org port 443 (#0)
*   Trying 151.101.48.223... connected
* Connected to pypi.python.org (151.101.48.223) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.python.org,O=Python Software Foundation,L=Wolfeboro,ST=NH,C=US,postalCode=03894-4801,STREET=16 Allen Rd,serialNumber=3359300,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
*       start date: Jun 29 00:00:00 2016 GMT
*       expire date: Sep 27 12:00:00 2018 GMT
*       common name: www.python.org
*       issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Posted: **Wed Aug 17, 2016 7:09 am**

Sadly I dont know whats going on outside of our office. I work for the government (DOI) and I am sure they are doing something to the traffic. I have not had any issues running and updating Ubuntu so I assumed this would be ok as well.

Posted: **Wed Aug 17, 2016 11:56 am**

See if the following command is able to bring the packages into the environment (share outputs please):

Code: Select all

pip install --allow-insecure argparse jsonselect elasticsearch-curator==3.4.0

Posted: **Wed Aug 17, 2016 12:16 pm**

Here is the result

[root@IGSAOAEWUS049 ~]# pip install --allow-insecure argparse jsonselect elasticsearch-curator==3.4.0
-bash: pip: command not found
[root@IGSAOAEWUS049 ~]#

Posted: **Wed Aug 17, 2016 2:08 pm**

From the nagioslogserver installation directory (usually /tmp/nagioslogserver/) can you run the following and share the output:

Code: Select all

python get-pip.py --allow-insecure=true

Posted: **Thu Aug 18, 2016 9:03 am**

[root@IGSAOAEWUS049 nagioslogserver]# python get-pip.py --allow-insecure=true
Downloading/unpacking pip
Cannot fetch index base URL https://pypi.python.org/simple/
Could not find any downloads that satisfy the requirement pip
Cleaning up...
No distributions at all found for pip
Storing debug log for failure in /root/.pip/pip.log
[root@IGSAOAEWUS049 nagioslogserver]#

Posted: **Thu Aug 18, 2016 9:08 am**

Here is the log file it talks about

get-pip.py run on Thu Aug 18 10:03:21 2016
Downloading/unpacking pip
Getting page https://pypi.python.org/simple/pip/
Could not fetch URL https://pypi.python.org/simple/pip/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip
Getting page https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/: connection error: HTTPSConnectionPool(host='pypi.python.org', port=443): Max retries exceeded with url: /simple/ (Caused by <class 'httplib.CannotSendRequest'>: )
Will skip URL https://pypi.python.org/simple/ when looking for download links for pip
Cannot fetch index base URL https://pypi.python.org/simple/
URLs to search for versions for pip:
* https://pypi.python.org/simple/pip/
Getting page https://pypi.python.org/simple/pip/
Could not fetch URL https://pypi.python.org/simple/pip/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
Will skip URL when looking for download links for pip
Could not find any downloads that satisfy the requirement pip
Cleaning up...
Removing temporary dir /tmp/pip_build_root...
No distributions at all found for pip
Exception information:
Traceback (most recent call last):
File "/tmp/tmpu5Hggt/pip.zip/pip/basecommand.py", line 122, in main
status = self.run(options, args)
File "/tmp/tmpu5Hggt/pip.zip/pip/commands/install.py", line 278, in run
requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
File "/tmp/tmpu5Hggt/pip.zip/pip/req.py", line 1177, in prepare_files
url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
File "/tmp/tmpu5Hggt/pip.zip/pip/index.py", line 277, in find_requirement
raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for pip

Posted: **Thu Aug 18, 2016 2:19 pm**

I've patched (and attached) the get-pip.py script with options that (fingers crossed) should force it to use http instead of https. Drop this into your /tmp/nagioslogserver/ directory overwriting the old one and run the fullinstall script again sharing the output.

Nagios Support Forum

Installation Error

Re: Installation Error

Re: Installation Error

Re: Installation Error

Re: Installation Error

Re: Installation Error

Re: Installation Error

Re: Installation Error

Re: Installation Error

Re: Installation Error

Re: Installation Error