SSL errors with Python client

hyperknot · March 22, 2021, 3:53pm

I’m trying to set up the on-premises Sentry instance, and one thing I’m running into is the Python client cannot connect.

I have Sentry behing nginx + LetsEncrypt certbot. My problem is the following.

With letsencrypt termination I get the following error:

2021-03-22 15:52:23,016 ERROR [sentry.errors] Sentry responded with an error: <urlopen error [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1091)> (url: https://se.maphub.net/api/3/store/)
Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/conda/lib/python3.7/http/client.py", line 1277, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1323, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1272, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1032, in _send_output
    self.send(msg)
  File "/opt/conda/lib/python3.7/http/client.py", line 972, in send
    self.connect()
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 38, in connect
    sock, ca_certs=ca_certs, cert_reqs=ssl.CERT_REQUIRED)
  File "/opt/conda/lib/python3.7/ssl.py", line 1238, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs
  File "/opt/conda/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/opt/conda/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/opt/conda/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1091)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/site-packages/raven/transport/threaded.py", line 165, in send_sync
    super(ThreadedHTTPTransport, self).send(url, data, headers)
  File "/opt/conda/lib/python3.7/site-packages/raven/transport/http.py", line 43, in send
    ca_certs=self.ca_certs,
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 66, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 46, in https_open
    return self.do_open(ValidHTTPSConnection, req)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1091)>
2021-03-22 15:52:23,018 ERROR [sentry.errors.uncaught] ['ping_error']

If I turn on CloudFlare proxy, I get the following error:

2021-03-22 15:48:24,908 ERROR [sentry.errors] Sentry responded with an error: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1091)> (url: https://se.maphub.net/api/3/store/)
Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/conda/lib/python3.7/http/client.py", line 1277, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1323, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1272, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1032, in _send_output
    self.send(msg)
  File "/opt/conda/lib/python3.7/http/client.py", line 972, in send
    self.connect()
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 38, in connect
    sock, ca_certs=ca_certs, cert_reqs=ssl.CERT_REQUIRED)
  File "/opt/conda/lib/python3.7/ssl.py", line 1238, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs
  File "/opt/conda/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/opt/conda/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/opt/conda/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1091)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/site-packages/raven/transport/threaded.py", line 165, in send_sync
    super(ThreadedHTTPTransport, self).send(url, data, headers)
  File "/opt/conda/lib/python3.7/site-packages/raven/transport/http.py", line 43, in send
    ca_certs=self.ca_certs,
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 66, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 46, in https_open
    return self.do_open(ValidHTTPSConnection, req)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1091)>
2021-03-22 15:48:24,910 ERROR [sentry.errors.uncaught] ['ping_error']

Python is latest 3.7 from conda-forge.

BYK · March 22, 2021, 7:58pm

First of all we do not support Python 3.7 yet, and secondly it is very hard to support you if you are not using our only support version, which is through GitHub - getsentry/onpremise: Sentry On-Premise setup. Seems like you have a custom setup and have issues with your OpenSSL version.

hyperknot · March 22, 2021, 9:25pm

The server side is a 100% stock docker-compose ./install.sh from today’s git head.

The client is Python 3.7 which I guess is supported since it works perfectly with hosted Sentry.

The only custom part is SSL/TLS termination, which is by nginx, as recommended by the docs: GitHub - getsentry/onpremise: Sentry On-Premise setup

BYK · March 22, 2021, 9:38pm

Oh wait, I misunderstood the issue. Still, this looks like an issue in your client or SSL certificate, nothing to do with Sentry, especially with self-hosted.

hyperknot · March 22, 2021, 10:07pm

I agree that it’s something client related, but the same client works perfectly with the official Sentry server, so I’m a bit puzzled.

BYK · March 23, 2021, 8:17am

Ah, that would indicate an issue with your SSL certificates. I think Let’s Encrypt certbot is issuing certificates that use/allow some old and deprecated ciphers. You may wanna recreate your certificate and paying attention to these. If you search for the errors you are getting, StackOverflow has some useful pointers.

system · June 21, 2021, 8:18am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Internal error in sentry_sdk On-Premise	13	5040	December 13, 2021
Gitlab integration SSL problem	2	2664	May 30, 2017
Can't deliver erros to sentry On-Premise	2	1895	June 6, 2021
SSL for onpremise 20.10.1 On-Premise	2	1057	October 26, 2020
CSRF Issue when using SSL via nginx On-Premise	14	11637	March 19, 2020

SSL errors with Python client

Related topics