SSL errors with Python client

I’m trying to set up the on-premises Sentry instance, and one thing I’m running into is that the Python client cannot connect.

I have Sentry behind nginx + LetsEncrypt certbot. My problem is the following.

With letsencrypt termination I get the following error:

2021-03-22 15:52:23,016 ERROR [sentry.errors] Sentry responded with an error: <urlopen error [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1091)> (url: https://se.maphub.net/api/3/store/)
Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/conda/lib/python3.7/http/client.py", line 1277, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1323, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1272, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1032, in _send_output
    self.send(msg)
  File "/opt/conda/lib/python3.7/http/client.py", line 972, in send
    self.connect()
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 38, in connect
    sock, ca_certs=ca_certs, cert_reqs=ssl.CERT_REQUIRED)
  File "/opt/conda/lib/python3.7/ssl.py", line 1238, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs
  File "/opt/conda/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/opt/conda/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/opt/conda/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1091)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/site-packages/raven/transport/threaded.py", line 165, in send_sync
    super(ThreadedHTTPTransport, self).send(url, data, headers)
  File "/opt/conda/lib/python3.7/site-packages/raven/transport/http.py", line 43, in send
    ca_certs=self.ca_certs,
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 66, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 46, in https_open
    return self.do_open(ValidHTTPSConnection, req)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1091)>
2021-03-22 15:52:23,018 ERROR [sentry.errors.uncaught] ['ping_error']

If I turn on CloudFlare proxy, I get the following error:

2021-03-22 15:48:24,908 ERROR [sentry.errors] Sentry responded with an error: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1091)> (url: https://se.maphub.net/api/3/store/)
Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/conda/lib/python3.7/http/client.py", line 1277, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1323, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1272, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/conda/lib/python3.7/http/client.py", line 1032, in _send_output
    self.send(msg)
  File "/opt/conda/lib/python3.7/http/client.py", line 972, in send
    self.connect()
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 38, in connect
    sock, ca_certs=ca_certs, cert_reqs=ssl.CERT_REQUIRED)
  File "/opt/conda/lib/python3.7/ssl.py", line 1238, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs
  File "/opt/conda/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/opt/conda/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/opt/conda/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1091)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/site-packages/raven/transport/threaded.py", line 165, in send_sync
    super(ThreadedHTTPTransport, self).send(url, data, headers)
  File "/opt/conda/lib/python3.7/site-packages/raven/transport/http.py", line 43, in send
    ca_certs=self.ca_certs,
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 66, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/conda/lib/python3.7/site-packages/raven/utils/http.py", line 46, in https_open
    return self.do_open(ValidHTTPSConnection, req)
  File "/opt/conda/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1091)>
2021-03-22 15:48:24,910 ERROR [sentry.errors.uncaught] ['ping_error']

Python is latest 3.7 from conda-forge.

First of all, we do not support Python 3.7 yet, and secondly it is very hard to support you if you are not using our only supported version, which is through GitHub - getsentry/onpremise: Sentry On-Premise setup. Seems like you have a custom setup and have issues with your OpenSSL version.

The server side is a 100% stock docker-compose ./install.sh from today’s git head.

The client is Python 3.7 which I guess is supported since it works perfectly with hosted Sentry.

The only custom part is SSL/TLS termination, which is by nginx, as recommended by the docs: GitHub - getsentry/onpremise: Sentry On-Premise setup

Oh wait, I misunderstood the issue. Still, this looks like an issue in your client or SSL certificate, nothing to do with Sentry, especially with self-hosted.

I agree that it’s something client related, but the same client works perfectly with the official Sentry server, so I’m a bit puzzled.

Ah, that would indicate an issue with your SSL certificates. I think Let’s Encrypt certbot is issuing certificates that use/allow some old and deprecated ciphers. You may wanna recreate your certificate and pay attention to these. If you search for the errors you are getting, StackOverflow has some useful pointers.
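
Both tracebacks in this thread fail inside `do_handshake()`, so the first thing to compare against the nginx or Cloudflare endpoint is what the Python client offers in its ClientHello: TLS versions, cipher suites and server name. The following is an added example, not part of the thread and not Sentry or raven code; it captures the ClientHello of a default `ssl` context offline and parses it, and the hostname `sentry.example.test` and the function names are constructed for illustration.

```python
import ssl
import struct

def client_hello(server_hostname=None):
    """Return the raw ClientHello record a default Python context would send."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False   # wrap_bio refuses a missing name otherwise
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()           # no peer: stops after writing ClientHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def parse_client_hello(rec):
    """Extract offered versions, cipher suites and SNI from one TLS record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32             # record hdr, handshake hdr, version, random
    pos += 1 + rec[pos]              # session id
    (n,) = struct.unpack_from("!H", rec, pos)
    suites = struct.unpack_from("!%dH" % (n // 2), rec, pos + 2)
    pos += 2 + n
    pos += 1 + rec[pos]              # compression methods
    (ext_len,) = struct.unpack_from("!H", rec, pos)
    pos += 2
    end = pos + ext_len
    sni, versions = None, []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", rec, pos)
        body = rec[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:               # server_name: list len(2) type(1) len(2) name
            sni = body[5:].decode("ascii")
        elif etype == 43:            # supported_versions (TLS 1.3 clients)
            versions = [body[i:i + 2].hex() for i in range(1, 1 + body[0], 2)]
    return {"sni": sni, "versions": versions, "suites": ["%04x" % s for s in suites]}

if __name__ == "__main__":
    for name in ("sentry.example.test", None):   # constructed hostname
        hello = parse_client_hello(client_hello(name))
        print(name, hello["sni"], hello["versions"], len(hello["suites"]), "suites")
```

The `None` case corresponds to a client that wraps the socket without passing a server name, as in the `wrap_socket(sock, ca_certs=..., cert_reqs=ssl.CERT_REQUIRED)` call visible in the tracebacks. The offered versions and suites can be checked against the `ssl_protocols` and `ssl_ciphers` settings of the terminating nginx.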