Checking for non-preferred file/folder path names (may take a long time depending on the number of files/folders) ...

How to Fix the Side Effect caused by New SSL Cert on HydroShare

Owners: This resource does not have an owner who is an active HydroShare user. Contact CUAHSI ( for information on this resource.
Type: Resource
Storage: The size of this resource is 8.2 KB
Created: Mar 18, 2021 at 9:02 p.m.
Last updated: Mar 18, 2021 at 9:03 p.m.
Citation: See how to cite this resource
Sharing Status: Public
Views: 1167
Downloads: 6
+1 Votes: Be the first one to 
Comments: No comments (yet)


How to Fix the Side Effect caused by New SSL Cert on HydroShare

March 18, 2021; Zhiyu/Drew Li;

Jupyter Hub fails in OAuth handshaking with HydroShare
“HTTP 599: server certificate verification failed. CAfile: none CRLfile: none”
hs_restclient fails to authenticate
requests.exceptions.SSLError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /hsapi/userInfo/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))

HydroShare deployed a new SSL cert on March 17, 202. It is based on off a new CA, which is NOT included in the latest “ca-certificates” package (CA Bundle) on Ubuntu 18.04 and 20.04 as of this writing (other Linux distribution may also be affected).

Manually add this new CA into the CA Bundle on all clients that might need to talk to HydroShare.

Download the new CA cert:
Go to HydroShare keybase and download: star_hydroshare_org_124173627DigiCertCA.crt
Go to, search for “GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1” and download PEM format.

For Hub Dockerfile:

USER root
# get latest ca-bundle
RUN apt-get update && apt-get install -y ca-certificates
# load hydroshare new ca to image
COPY ./star_hydroshare_org_124173627DigiCertCA.crt /usr/local/share/ca-certificates/star_hydroshare_org_124173627DigiCertCA.crt
# update ca-bundle
RUN update-ca-certificates

For different conda envs in Dockerfile:

#Append new HydroShare CA to cacert.pem in Base conda env
RUN cat ./star_hydroshare_org_124173627DigiCertCA.crt >> /opt/conda/lib/python<VERSION>/site-packages/certifi/cacert.pem
# Append new HydroShare CA to user-created conda env
RUN cat ./star_hydroshare_org_124173627DigiCertCA.crt >> /opt/conda/envs/<ENV_NAME>/lib/python<VERSION>/site-packages/certifi/cacert.pem


Subject Keywords


How to Cite

Li, Z. (2021). How to Fix the Side Effect caused by New SSL Cert on HydroShare, HydroShare,

This resource is shared under the Creative Commons Attribution CC BY.


There are currently no comments

New Comment