SSLError HTTPSConnectionPool Max retries exceeded

The problem that I am having is showing up after I entered the credential at the login page. I tried to use the Oauth provider with indico 2.3.

Any thoughts?


Full traceback from the log please…

Also, does your oauth provider have a proper TLS certificate?

Thanks for quick reply. please see the below Full traceback. yes, we have a proper TLS certificate.

Traceback (most recent call last):
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/flask/", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/flask/", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/indico/web/", line 324, in wrapper
    return cls(partial(func, *args, **kwargs)).process()
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/indico/web/", line 275, in process
    res = self._do_process()
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/indico/web/", line 245, in _do_process
    rv = self._process()
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/indico/web/", line 316, in _process
    rv = self.func()
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/flask_multipass/", line 123, in decorator
    return func(*args, **kwargs)
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/flask_multipass/providers/", line 117, in _authorize_callback
    token_data = self.authlib_client.authorize_access_token()
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/authlib/integrations/flask_client/", line 76, in authorize_access_token
    token = self.fetch_access_token(**params)
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/authlib/integrations/base_client/", line 110, in fetch_access_token
    token = client.fetch_token(token_endpoint, **kwargs)
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/authlib/oauth2/", line 205, in fetch_token
    headers=headers, **session_kwargs
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/authlib/oauth2/", line 221, in _fetch_token
    method, url, data=body, headers=headers, auth=auth, **kwargs)
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/authlib/integrations/requests_client/", line 113, in request
    method, url, auth=auth, **kwargs)
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/requests/", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/requests/", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/opt/indico/.venv/local/lib/python2.7/site-packages/requests/", line 514, in send
    raise SSLError(e, request=request)
SSLError: HTTPSConnectionPool(host='XXXXX', port=443): Max retries exceeded with url: /oauth2/token (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),))

The error disagrees with it. :wink:

Since you blanked out the host I can’t check it myself (wouldn’t work anyway if it’s not accessible from the public internet), but assuming you can connect to the host using e.g. curl without TLS problems, it may be a custom enterprise CA that’s not included in public trust databases.

If that’s the case, try setting the REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt env var (the filename may be slightly different depending on your linux distribution - check what file exists!). You can set it like this in /etc/uwsgi.ini (restart uwsgi afterwards):

env = REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt

This what I hire from our infrastructure team. :wink:

This is a test server. it’s not accessible from the public internet. Therefore, I removed it.
I just waiting for our security team to check this issue. I will let you know when it solved.


@ThiefMaster still I have a server issue with the OAuth certificate at test environment,
is there a way to disable SSL verification for OAuth.

Have you tried this?

You can also try setting the AUTHLIB_INSECURE_TRANSPORT env var to allow plain HTTP for testing.

Yes, I tried it and I have the same error, unfortunately. this server configuration error, not related indico.