Resolving “SSL: certificate verify fails” error message from dwave ping command
When accessing a remote D-Wave quantum computer (QC) operated by a third party or your own institution or corporation, you may encounter a “certificate verify fails” error message from Ocean tools such as the interactive CLI’s “dwave ping” command.
Background: communication between a D-Wave QC and your local system (your laptop, for example) is secured using Secured Sockets Layer (SSL), a standard communications protocol for encryption and authentication. It relies on security certificates signed by a trusted Certification Authority (CA), such as Commodo or Symantec, or your own institution or corporation.
This SSL error can occur if your local system does not recognize the CA used by the remote endpoint of the D-Wave QC you are trying to access or ping. The quantum computer operated by D-Wave at https://cloud.dwavesys.com/sapi uses a certificate issued by a CA all supported systems trust.
The recommended solution is to add the CA issuing your D-Wave QC’s SSL certificate to your system’s trusted CAs. If you are unsure how to do so, contact your system administrator for assistance.
It is possible to access the D-Wave QC even if you have not added the CA to your system’s certificate storage. In Ocean’s dwave-cloud-client tool, you can set a client’s “permissive_ssl” parameter to True (by default it is False) to disable SSL verification:
>>> client = dwave.cloud.Client(endpoint='https://my.dwave.system.com/sapi', token='secrettoken', permissive_ssl=True)
You can also set this parameter in the D-Wave Cloud Client configuration file to make this the default behavior for Ocean tools accessing the QC.
Doing so results in unsecured communication and is not recommended.
Comments
Got the following error:
url = 'https://qfe.nas.nasa.gov/sapi'
client = dwave.cloud.Client(endpoint=url, token=token, permissive_ssl=True)
AttributeError: module 'dwave' has no attribute 'cloud'
Hello Chao,
If you are seeing the error:
You can try this line before creating the client:
Hope this helps.
If your server requires a self signed certificate, you can add it to ocean tools with the following instructions.
You will see SSL errors when you are trying to run ocean tools if the server needs a special certificate.
From the ocean virtual environment folder, run the following commands:
To get the certificate chain from the server, the following command which will save it to a file called bundle.pem can be run (remember to replace example.com with your domain):
openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > bundle.pem
This next command should be run to make a backup of the ca certificates file, just in case there is a problem and it needs to be reverted (remember to replace X.X with the version which will correspond to the existing folder):
cp ./lib/pythonX.X/site-packages/certifi/cacert.pem ./lib/pythonX.X/site-packages/certifi/default_cacert.pem
The contents of the certificate chain need to be appended to the certifi ca certificates file so ocean will have access to it (remember to replace X.X with the appropriate version as above):
cat bundle.pem >> ./lib/pythonX.X/site-packages/certifi/cacert.pem
The bundle file is not needed now, so it can be removed with the following command:
rm ./bundle.pem
Ocean should now be able to access your domain, which can be confirmed with the following python code (Remember to replace example.com with your domain):
import dwave.cloud
client = dwave.cloud.Client(endpoint="https://example.com/sapi/", token=my_token)
solver = client.get_solver()
Hi, After executing the "dwave ping" command on my windows 10 PC, I get the same error, "Error: Certificate verification failed....". The above instructions appear to be for Linux; how should the error be resolved on the Windows 10 PC?
Here are the Windows specific instructions:
First you need to get the certificate bundle from the endpoint.
An easy way to do this is by using a browser and downloading the certificates from there.
Here is an example of how to do this on Chrome.
Click the little lock icon next to the url box and select “Certificate”:
Click on the “Details” tab and then click “Copy to File…”.
Click “Next” in the new window that pops up.
Select “Base-64 encoded X.509 (.CER)” option:
Click “Next” save the file to a folder that will hold all of the certificates.
Now select the “Certificate Path” tab and highlight the next certificate up the chain.
In this case we are selecting “Google Internet Authority G3”.
Click “View Certificate” and another window will pop up.
Repeat the steps to save the certificate file in Base-64 format to the same folder under another name in the new window:
Next we will do the same thing in the new window, and select the “Certification Path” tab.
Notice how the list of certificates is shorter in this new window.
We want to save all of the certificates in the chain to separate files as we have been doing:
In the end there should be one file per certificate.
Now we want to open all of the certificate files we saved using notepad.
Copy the contents of the files into a single file and save it as “bundle.pem” for now:
Next, copy the contents of “bundle.pem” to the bottom of the “cacert.pem” file located in “Lib\site-packages\certifi\”:
You can verify that you are editing the right file by running “certs.py” in “Lib\site-packages\requests\”.
The output should point to the “cacert.pem” file being used:
Hi, I have a slightly different problem.
My url is provided by LANL. When I run $ dwave ping to test the dwave, i got error:
"Error: Solver not available. (code: 6)"
Is the solver in your config the correct one?
You can try running:
dwave config inspect
This will show you what's in your config file, so you can check the contents to confirm that everything looks right.
You can also try running:
dwave config ls
This command will show you where the config file is located, and you can open the config file to see it's contents manually.
Sometimes it's possible to have two config files which cause unexpected behaviour.
Hi David,
Thank you for you quick response. I have tried what you suggested. The configuration file seems to be fine, and there is only one configuration file existing.
In fact, I was able to access the Ocean DWave DW_2000Q_6 without any problems. However, when I changed my path to LANL DWave, this "Solver not available" problem occurs.
(ocean) : $ dwave config inspect
Configuration file: auto-detected
Profile: auto-detected
---
endpoint = https://localhost:10443/sapi
token = ******************************************
solver = DW_2000Q_VFYC_LANL
permissive_ssl = True
client = qpu
(ocean) : $ dwave config ls
/Users/myusername/Library/Application Support/dwave/dwave.conf
Try removing the line:
client = qpu
Hi David,
Thank you very much! The problem is solved!
Best,
Shiyu.
Awesome!
So glad that it worked out!
Here I have also attached my 'dwave.conf' file's content
Please help. Suggest modifications if needed.
**I have used "pip install dwave-ocean-sdk" command for installation and "dwave setup" for configuration. But added the "features" (with endpoint) sections separately.
Hi Aniruddha,
Can you please change your endpoint to:
The former endpoint that you are using will be depreciated in a future release.
If you are still running into the issue, can you please follow the steps provided by David on this post and let us know the outcome.
With kind regards,
Tanjid
Please sign in to leave a comment.