tls certificate handling defect in 2.2.4 #1199

Closed
salami738 opened this issue Sep 27, 2023 · 9 comments

@salami738

I found a bug in version 2.2.4. TLS handling is not working properly.
This is a problem for URL monitors and alerts.

$ kubectl set image ds/scalyr-agent-2 scalyr-agent=scalyr/scalyr-k8s-agent:2.2.4
$ kubectl exec -it scalyr-agent-2-12345 -- /bin/python3.10
>>> import urllib.request
>>> contents = urllib.request.urlopen("https://google.de").read()
...
Traceback (most recent call last):
  File "/usr/lib/python3.10/urllib/request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3.10/http/client.py", line 1283, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1329, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1278, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1038, in _send_output
    self.send(msg)
  File "/usr/lib/python3.10/http/client.py", line 976, in send
    self.connect()
  File "/usr/lib/python3.10/http/client.py", line 1455, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

In comparison, v2.2.3:

$ kubectl set image ds/scalyr-agent-2 scalyr-agent=scalyr/scalyr-k8s-agent:2.2.3
$ kubectl exec -it scalyr-agent-2-12345 -- /usr/local/bin/python

>>> import urllib.request
>>> contents = urllib.request.urlopen("https://google.de").read()
>>> print(contents)
...
<!doctype html><html itemscope=
...
@weilliu

weilliu commented Sep 27, 2023

Thanks for reporting the issue. Engineering will review it and implement a fix for it.

@salami738
Author

Have you had a chance to look at this yet?

@salami738
Author

?

@weilliu

weilliu commented Oct 26, 2023

@salami738 Sorry for the delayed response. I will check for the update with engineering. Is the issue reproducible with the latest agent version?

jmakar-s1 self-assigned this Nov 3, 2023

@jmakar-s1
Contributor

Turns out this is a problem with the build process changes made starting with 2.2.4. The /etc/ssl directory and the corresponding certs are missing; will work on a fix.

@jmakar-s1
Contributor

jmakar-s1 commented Nov 7, 2023

The fix has been merged, thank you for reporting this!

It will be included in the next release, but if this is an immediate issue you're welcome to use the intermediate build tagged 882e3cf815242a000b0ece45ab5b7761eccac69b.

$ docker run -it scalyr/scalyr-k8s-agent:882e3cf815242a000b0ece45ab5b7761eccac69b ls /etc/ssl/certs/*.pem | wc -l
141
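
A check for the condition described above (the CA directory missing from the image), as an added example that is not part of the original thread or the project's code: it resolves the CA file and directory that Python's OpenSSL build is configured to use, even when they do not exist, and counts the certificates found there. The function names and the "populated" field are assumptions made for this example.

```python
import os
import ssl

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def count_bundle_certs(cafile):
    """Count PEM certificates in a CA bundle file; 0 if the file is absent."""
    if not cafile or not os.path.isfile(cafile):
        return 0
    with open(cafile, "rb") as fh:
        return fh.read().count(PEM_MARKER)


def count_capath_certs(capath):
    """Count distinct certificate files in a CA directory; 0 if it is absent."""
    if not capath or not os.path.isdir(capath):
        return 0
    seen = set()
    for name in os.listdir(capath):
        # Hash-named symlinks resolve to their target, so each file counts once.
        real = os.path.realpath(os.path.join(capath, name))
        if os.path.isfile(real) and real not in seen:
            with open(real, "rb") as fh:
                if PEM_MARKER in fh.read():
                    seen.add(real)
    return len(seen)


def inspect_trust_store(cafile, capath):
    """Report what a verifying TLS client could load from these locations."""
    bundle, directory = count_bundle_certs(cafile), count_capath_certs(capath)
    return {"cafile": cafile, "bundle_certs": bundle, "capath": capath,
            "capath_certs": directory, "populated": bundle > 0 or directory > 0}


def inspect_default_trust_store():
    """Resolve the locations OpenSSL is configured to use, even if missing."""
    p = ssl.get_default_verify_paths()
    cafile = os.environ.get(p.openssl_cafile_env, p.openssl_cafile)
    capath = os.environ.get(p.openssl_capath_env, p.openssl_capath)
    return inspect_trust_store(cafile, capath)


if __name__ == "__main__":
    report = inspect_default_trust_store()
    print(report)
    raise SystemExit(0 if report["populated"] else 1)
```

A non-zero exit status means neither location holds a certificate, which is the state that produces "unable to get local issuer certificate" for every HTTPS target; the check only counts PEM blocks and does not validate them.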

@salami738
Author

Thanks for the fix. Will test it soon.

@salami738
Author

According to scalyr developers, this is fixed in version: https://github.com/scalyr/scalyr-agent-2/releases/tag/v2.2.8. We did not test it yet.

@salami738
Author

I tested the v2.2.4 as defective and v2.2.8 as fixed. Thanks.
