Uri Bialik

Web-services - Working with self-signed certificates

Discussion created by Uri Bialik Expert on Dec 23, 2015

When making a web-service request to the management server, an HTTPS connection is created.

Typically, administrators keep the Gaia portal's self-signed certificate and do not replace it with a "real" certificate issued by a trusted certificate authority.


Keeping Gaia's certificate means that:

* Browsers will warn you before letting you into the Gaia portal, because the certificate is not signed by a CA they trust.

* Some tools and programming languages will refuse to connect to the management server via web-services, because they report that the server's certificate is not trusted.


There are a few options:

* Replace Gaia's portal certificate with a trusted certificate - See sk97648

* Bypass the SSL certificate checks - This is strongly discouraged, as it leaves you open to a man-in-the-middle attack: anyone who can intercept the connection can present their own certificate and your client will accept it.

* Verify the server's identity by checking the certificate's fingerprint (a.k.a. the certificate's thumbprint) against a value you obtained out of band. This is certificate pinning: the self-signed certificate is trusted because it is the exact certificate you expect, not because a CA vouches for it.


Here are code snippets that verify the server's fingerprint using C# and Python. Both compare the SHA1 hash of the DER-encoded server certificate with the expected value; the expected value must be hex without separators, so strip any colons from the fingerprint you were given.

Using C#

    // Called by .NET for every server certificate; returning true accepts it.
    // Chain validation errors (the "errors" argument) are ignored on purpose,
    // because a self-signed certificate has no chain to validate. Trust comes
    // from the fingerprint comparison instead.
    ServicePointManager.ServerCertificateValidationCallback =
        delegate (object sender,
                  System.Security.Cryptography.X509Certificates.X509Certificate certificate,
                  System.Security.Cryptography.X509Certificates.X509Chain chain,
                  System.Net.Security.SslPolicyErrors errors)
        {
            // GetCertHashString() returns the SHA1 thumbprint as upper-case hex
            // with no separators, so expected_fingerprint must be in that form.
            if (certificate.GetCertHashString() == expected_fingerprint)
                return true;

            return false;
        };


Using Python


import hashlib
import socket
import ssl
import httplib  # Python 2; see the Python 3 version further down


class HTTPSConnection(httplib.HTTPSConnection):
    """HTTPS connection that pins the server certificate by its SHA1 fingerprint.

    Set conn.fingerprint = "AB:CD:..." (the value from "api fingerprint") before
    the first request; leave it unset to skip the check.
    """

    def connect(self):
        sock = socket.create_connection((self.host, self.port), self.timeout)
        # Chain validation is off (ssl.CERT_NONE is the default here); the
        # fingerprint comparison below is what establishes trust.
        self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
        if getattr(self, 'fingerprint', None) is not None:
            digest = self.fingerprint
            alg = "SHA1"
            # getpeercert(True) returns the DER-encoded certificate bytes
            fingerprint = hashlib.new(
                alg, self.sock.getpeercert(True)).hexdigest().upper()
            if fingerprint != digest.replace(':', '').upper():
                self.sock.close()
                raise Exception('fingerprint mismatch: %s' % fingerprint)

    def get_fingerprint_hash(self):
        """Connect without pinning and return the server's SHA1 fingerprint.

        Only use this over a channel you already trust; an attacker in the path
        can hand you their own fingerprint here.
        """
        sock = socket.create_connection((self.host, self.port), self.timeout)
        self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
        fingerprint = hashlib.new(
            "SHA1", self.sock.getpeercert(True)).hexdigest()
        return fingerprint.upper()


To get the server's fingerprint in a secure way, run "api fingerprint" on the management server itself (for example over SSH or the console) and copy the value into your client. Do not take the fingerprint from the first HTTPS connection you make: if that connection is already being intercepted, you would be pinning the attacker's certificate.
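The same fingerprint check, reworked for Python 3 as an added example (this is not code from the original post or from Check Point): it normalizes the pin string as tools print it (colons, spaces, any case), chooses SHA1 or SHA256 from the pin's length so a stronger pin can be used when one is available, compares in constant time, and wraps the check in an http.client.HTTPSConnection that switches off CA chain validation only because the pin replaces it. SAMPLE_DER is a constructed stand-in for a DER-encoded certificate so the check can be exercised offline; the class and function names are assumptions of this example, not Check Point API names.

```python
import hashlib
import hmac
import http.client
import socket
import ssl

# Fingerprint hex length -> hash algorithm. SHA1 is what "api fingerprint" and
# the snippets above use; SHA256 is accepted so a stronger pin works too.
FINGERPRINT_ALGORITHMS = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(fingerprint):
    """Canonical form of a pin: upper-case hex with no separators.

    Accepts the colon- or space-separated forms tools print and rejects
    anything that is not hex of a supported length.
    """
    cleaned = "".join(ch for ch in fingerprint if ch not in ": -\t\r\n").upper()
    if len(cleaned) not in FINGERPRINT_ALGORITHMS:
        raise ValueError("unsupported fingerprint length %d" % len(cleaned))
    int(cleaned, 16)  # raises ValueError on non-hex characters
    return cleaned


def fingerprint_of(der_cert, algorithm="sha1"):
    """Hex fingerprint of a DER-encoded certificate (what getpeercert(True) returns)."""
    return hashlib.new(algorithm, der_cert).hexdigest().upper()


def fingerprint_matches(der_cert, expected):
    """True if der_cert hashes to the pin; the algorithm follows the pin's length."""
    expected = normalize_fingerprint(expected)
    actual = fingerprint_of(der_cert, FINGERPRINT_ALGORITHMS[len(expected)])
    # Constant-time comparison: the idiomatic way to compare digests, so a
    # mismatch does not leak how many leading characters were right.
    return hmac.compare_digest(actual, expected)


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPSConnection that trusts the server by fingerprint, not by CA chain."""

    def __init__(self, host, fingerprint, **kwargs):
        # CA validation is switched off deliberately: a self-signed certificate
        # has no chain to validate. The pin check in connect() replaces it;
        # never use CERT_NONE without such a check.
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        super().__init__(host, context=context, **kwargs)
        self.expected_fingerprint = normalize_fingerprint(fingerprint)

    def connect(self):
        super().connect()  # TCP connect plus TLS handshake
        der_cert = self.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(der_cert, self.expected_fingerprint):
            algorithm = FINGERPRINT_ALGORITHMS[len(self.expected_fingerprint)]
            seen = fingerprint_of(der_cert, algorithm)
            self.close()  # drop the connection before any request is sent
            raise ssl.SSLError("server certificate fingerprint %s does not match pin %s"
                               % (seen, self.expected_fingerprint))


# Constructed stand-in for a DER-encoded certificate. The pin check only hashes
# the bytes, so any byte string exercises it offline; a real certificate comes
# from getpeercert(binary_form=True) after the handshake.
SAMPLE_DER = b"\x30\x82\x01\x00 constructed stand-in, not a real certificate"


def demo():
    """Offline walk-through of the check; returns the SHA1 pin for SAMPLE_DER."""
    pin = fingerprint_of(SAMPLE_DER)  # the value you would get out of band
    colon_form = ":".join(pin[i:i + 2] for i in range(0, len(pin), 2)).lower()
    assert fingerprint_matches(SAMPLE_DER, pin)
    assert fingerprint_matches(SAMPLE_DER, colon_form)  # separators and case do not matter
    assert not fingerprint_matches(SAMPLE_DER + b"x", pin)  # any change to the cert fails the pin
    return pin


if __name__ == "__main__":
    print(demo())
    # Live use (needs network and the real pin from "api fingerprint"):
    # conn = PinnedHTTPSConnection("mgmt.example.com", "AB:CD:...", port=443)
    # conn.request("GET", "/")
    # print(conn.getresponse().status)
```

The connection class raises before any request bytes leave the client, so a mismatched pin cannot leak credentials in the request body. Rotating the management server's certificate (for example after following sk97648) means updating the pin in every client, which is the price of pinning a single certificate rather than a CA.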