AYON - HTTPS Connection not functioning from Ayon Launcher

Hey there,

We successfully set up a functioning https connection on the web browser.
We created a certificate through our local certification authority (windows domain) and we used this certificate inside our nginx proxy container. So we can access ayon into a web browser with the address “https://ayon.domain.lan”.

But, when we use the ayon launcher and try to connect with the same address, it fails with the following error :

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

To try and debug, we filled the AYON_CERT_FILE environment variable with these parameters :

  • ('path/to/certificate.crt','/path/to/key.key')
  • 'path/to/certificate.crt','/path/to/key.key'

But doing so, we had these error messages :

OSError: Could not find the TLS certificate file, invalid path: ('path/to/certificate.crt','/path/to/key.key')

We also tried these values :

  • path/to/certificate.crt
  • path/to/key.key

But, still, we had these error messages :

Failed to connect to 'https://ayon.domain.lan'
Traceback (most recent call last):
  File "C:\Program Files\Ynput\AYON 1.3.2\dependencies\urllib3\connectionpool.py", line 714, in urlopen
    httplib_response = self._make_request(
  File "C:\Program Files\Ynput\AYON 1.3.2\dependencies\urllib3\connectionpool.py", line 403, in _make_request
    self._validate_conn(conn)
  File "C:\Program Files\Ynput\AYON 1.3.2\dependencies\urllib3\connectionpool.py", line 1053, in _validate_conn
    conn.connect()
  File "C:\Program Files\Ynput\AYON 1.3.2\dependencies\urllib3\connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "C:\Program Files\Ynput\AYON 1.3.2\dependencies\urllib3\util\ssl_.py", line 418, in ssl_wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:4065)

Do you think the AYON_CERT_FILE is the way to fix our problem ? If so, do you know how to fill this environment variable ?

Please note that we can successfully connect to Ayon’s server with the launcher using the http://ayon.domain.lan address but this solution is not sufficient enough because it doesn’t allow me to use some custom webactions.

1 Like

Pretty sure AYON_CERT_FILE would need to be separated by os path separator for env vars like : (unix) and ; (windows) which is os.pathsep.

However I’m not even sure whether it does support multiple paths.

Hey Roy,

Thanks for your answer :slight_smile:

Unfortunately, I tried separating these values with a ; or a : and neither of these works :confused:

Do you know any studio using https and webactions on ayon ? :thinking:

Essentially all clients using AYON cloud? :smiley: But there are also quite a few running local. Why it fails for you I’m not sure. Perhaps @iLLiCiT ?

The ayon-python-api mentions two variables are used: AYON_CA_FILE and AYON_CERT_FILE.
I’m not sure how they are used.
I wonder if experimenting using ayon-python-api can help figure it out without running the whole launcher logic.

Hi,

While configuring the REQUESTS_CA_BUNDLE environment variable to point to the domain’s local Certificate Authority certificate in .pem format, I was finally able to get the launcher to connect successfully over HTTPS.

I assume that once this variable is set, Certifi’s default cacert.pem file is no longer taken into account.

To address this, I retrieved the contents of
C:\Program Files\Ynput\AYON X.X.X\dependencies\certifi\cacert.pem, appended our local CA certificate to the end of that file, and then configured this newly combined file as the value of REQUESTS_CA_BUNDLE.

With this approach, I believe we get the best of both worlds: Certifi’s default trusted certificate store along with our local Certificate Authority certificate.

1 Like
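
The bundle-merging step described in the last post, as an added example that is not part of the thread or of AYON's own code: it combines certifi's cacert.pem with a local CA certificate, drops duplicates, and rejects inputs that are not PEM certificates (a private key file or a binary DER export). The function names `read_certs` and `build_bundle` and the script's command-line arguments are hypothetical.

```python
import base64
import os
import re
import ssl
import sys
from pathlib import Path

_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def read_certs(path):
    """Return the DER bytes of every certificate found in a PEM file."""
    text = Path(path).read_bytes().decode("ascii", errors="replace")
    if "PRIVATE KEY-----" in text:
        # A trust bundle holds CA certificates only, never key material.
        raise ValueError(f"{path}: contains a private key")
    ders = [base64.b64decode("".join(b.split())) for b in _CERT_RE.findall(text)]
    if not ders:
        # Typical for a binary DER export (.cer); convert it to PEM first.
        raise ValueError(f"{path}: no PEM certificate found")
    return ders

def build_bundle(default_bundle, local_ca, out_path):
    """Write default_bundle plus local_ca to out_path, skipping duplicates.

    Returns the number of certificates written.
    """
    seen, blocks = set(), []
    for der in read_certs(default_bundle) + read_certs(local_ca):
        if der not in seen:
            seen.add(der)
            # Re-encode so every block has canonical 64-column PEM wrapping.
            blocks.append(ssl.DER_cert_to_PEM_cert(der))
    Path(out_path).write_text("".join(blocks), encoding="ascii")
    return len(blocks)

if __name__ == "__main__":
    # Usage: python build_bundle.py <certifi cacert.pem> <local CA .pem> <output .pem>
    default_bundle, local_ca, out_path = sys.argv[1:4]
    count = build_bundle(default_bundle, local_ca, out_path)
    print(f"{count} certificates written to {out_path}")
    print(f"Set REQUESTS_CA_BUNDLE={os.path.abspath(out_path)} before starting the launcher")
```

The combined file is a snapshot of certifi's bundle at the time it was built, so it should be regenerated whenever the launcher's bundled certifi is updated.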