JIRA Python Connection Over HTTPS

PeteToscano December 6, 2016

I just upgraded the JIRA Python module from 0.32 to 1.0.7. (Duplicated the virtenv first, then did the upgrade.) My main JIRA Python script connects to our JIRA server over HTTPS, but, because it uses a cert signed by our internal CA, I have it disable verification. When I run the script, I get a bunch of these warnings:

/Users/foo/python-virtualenvs/new-jira-ve/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:843: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)

Longterm, I would like to figure out how to add our internal CA to whatever CA store that the validator is using, but for the time being, I'd just like to turn off these warnings. Going to the urllib3 URL explains how to fix the problem, but if I add 

import urllib3
urllib3.disable_warnings()

to my script, I still get the above warnings.

Judging from the path of the above warning, I suspect that the JIRA module is using requests, which is using an embedded urllib3 module. Is there a way to pass call the disable_warnings() method from the embedded-in-requests urllib3 library or is there a better way to handle this? 

(And even better, anyone have a suggestion for how to tell the validator to use our internal-only CA cert to validate the connection to our JIRA server?) 

2 answers

2 accepted

2 votes
Answer accepted
PeteToscano January 24, 2017

Having a conversation with myself here, but since I keep coming across this page when searching for other solutions, I might as well share my solution here.

http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

That above line to the requests 2.13.0 documentation explains that you can set the verify parameter to True, False, or the path to the CA bundle

Huh. The JIRA object can be passed an options dict. They pydoc for JIRA defines verify:

 * verify -- Verify SSL certs. Defaults to ``True``.

I had been using that to turn off server cert validation, so it was already set to False. For shiggles, I tried setting it to the path to my CA's cert file:

jira = JIRA(options={'server':'https://jira.example.org', 'verify':'/path/to/ca.crt'}, basic_auth=(user, password))

Viola! It worked! I now have a verified secure connection to my JIRA server using a cert signed by my internal CA.

Lars Mählmann
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
October 18, 2017

Thank you for your

a conversation with myself

For an test env I just used

'verify':False

not for productive env but helpful fora test .

1 vote
Answer accepted
PeteToscano December 6, 2016

Don't know about squelching the warnings yet, but for being able to provide our own CA cert, I can use the REQUESTS_CA_BUNDLE environmental variable and point it to the CA cert PEM file as such:

REQUESTS_CA_BUNDLE=~/CAfile.pem ./script.py

Of course, that pulls the thread a little further, with urllib3 now complaining about the server cert missing SubjectAltName, but I know how do deal with that... 

Still, I'd like to know how to squelch the warnings or even better, do what REQUESTS_CA_BUNDLE is doing, but from within my script so that I won't have to remember to use this envvar every time.

Suggest an answer

Log in or Sign up to answer