LetsEncrypt: InsecureRequestWarning: Unverified HTTPS request

During upgrade I was not able to install Letsencrypt CA, following the steps on How to Enable HTTPS with letsencrypt

So I followed steps from DigitalOcean and https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx.html, and it was successful.
I followed the following steps:

  1. sudo add-apt-repository ppa:certbot/certbot

  2. sudo apt-get update

  3. sudo apt-get install python-certbot-nginx

  4. sudo certbot --nginx -d echisethiopia.org -d www.echisethiopia.org

  5. file will be saved to: /etc/letsencrypt/renewal/www.echisethiopia.org.conf

  6. open /etc/nginx/sites-available/echis_commcare
    Add or Replace the following lines:
    ssl_certificate /etc/letsencrypt/live/www.echisethiopia.org/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.echisethiopia.org/privkey.pem;

And it works fine!

Now I am getting a warning in the check_services output. That is:

/home/cchq/www/echis/releases/2019-10-26_17.12/python_env-3.6/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)

Why does this message appear?

I’ve tested the CA:
using https://www.ssllabs.com/ssltest/analyze.html?d=www.echisethiopia.org
and it works fine

Can you tell which service check triggers that warning? And what request is being made?

cchq echis django-manage check_services

(ansible) ansible@echis0:~/.commcare-cloud/repo$ cchq echis django-manage check_services
ssh 172.19.3.41 -o UserKnownHostsFile=/home/ansible/commcare-cloud/environments/echis/known_hosts ‘su$
o -u cchq bash -c "cd /home/cchq/www/echis/current; python_env-3.6/bin/python manage.py check_service$
"’
Ubuntu 18.04.3 LTS
/home/cchq/www/echis/releases/2019-10-28_14.37/python_env-3.6/lib/python3.6/site-packages/psycopg2/$
nit
.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to k$
ep installing from binary please use “pip install psycopg2-binary” instead. For details see: <http://$
nitd.org/psycopg/docs/install.html#binary-install-from-pypi>.
“”")
2019-10-30 07:26:40,532 INFO AXES: BEGIN LOG
SUCCESS (Took 0.32s) kafka : Kafka seems to be in order
SUCCESS (Took 0.01s) redis : Redis is up and using 175.09M memory
SUCCESS (Took 0.03s) postgres : default:commcarehq:OK p1:commcarehq_p1:OK p2:commcarehq_p2:OK
p3:commcarehq_p3:OK p4:commcarehq_p4:OK p5:commcarehq_p5:OK p6:commcarehq_p6:OK p7:commcarehq_p7:OK p$
:commcarehq_p8:OK proxy:commcarehq_proxy:OK synclogs:commcarehq_synclogs:OK ucr:commcarehq_ucr:OK Successfully got a user from postgres
SUCCESS (Took 0.02s) couch : Successfully queried an arbitrary couch view
FAILURE (Took 0.01s) celery : celery has been blocked for 1 day, 16:07:55.272015 (max allowed is 0:01:00)
ucr_queue has been blocked for 1 day, 16:07:55.260036 (max allowed is 1:00:00)
SUCCESS (Took 0.00s) heartbeat : OK
SUCCESS (Took 0.03s) elasticsearch : Successfully sent a doc to ES and read it back
SUCCESS (Took 0.19s) blobdb : Successfully saved a file to the blobdb
SUCCESS (Took 0.02s) formplayer : Formplayer returned a 200 status code
SUCCESS (Took 0.01s) rabbitmq : RabbitMQ OK

/home/cchq/www/echis/releases/2019-10-28_14.37/python_env-3.6/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)

Thanks, Demisew, I see what the warning is now. It’s nothing to be concerned with.

The formplayer server check specifically skips certificate validation when checking uptime, which raises this warning. The reason for that is so the check will function during server setup, even before a trusted certificate is applied. That request only pings a publicly accessible status endpoint - no confidential information is passed.

Here’s where the request is made. I’ll see if it’s straightforward to disable that warning.
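
An added example, not part of the thread or of CommCare's own code: one way to see which check raises the warning and to silence it only for the one check where skipping verification is intended, so any other unverified request still surfaces. The check names and functions are constructed stand-ins, the `EXPECTED` allow-list is an assumption, and the fallback warning class is only there so the sketch runs without urllib3 installed.

```python
import warnings

try:
    from urllib3.exceptions import InsecureRequestWarning
except ImportError:  # stand-in so the example runs without urllib3
    class InsecureRequestWarning(Warning):
        pass

# Assumption: only the formplayer uptime check may skip verification.
EXPECTED = {("formplayer", InsecureRequestWarning)}


def run_checks(checks, expected=EXPECTED):
    """Run each check and attribute every warning to the check that raised it.

    Returns (results, unexpected). results maps check name -> return value;
    unexpected lists (check name, category name, message) for each warning
    that is not on the expected list.
    """
    results, unexpected = {}, []
    for name, check in checks.items():
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")  # defeat once-per-location dedup
            results[name] = check()
        for w in caught:
            if (name, w.category) not in expected:
                unexpected.append((name, w.category.__name__, str(w.message)))
    return results, unexpected


# Constructed stand-in: emits what urllib3 emits after a request made with
# certificate verification turned off, then returns a status.
def unverified_check(status):
    def check():
        warnings.warn("Unverified HTTPS request is being made.",
                      InsecureRequestWarning)
        return status
    return check


SAMPLE_CHECKS = {
    "redis": lambda: "OK",
    "formplayer": unverified_check("200"),
    "blobdb": unverified_check("saved"),  # hypothetical regression
}

if __name__ == "__main__":
    _, unexpected = run_checks(SAMPLE_CHECKS)
    for name, category, message in unexpected:
        print(f"{name}: {category}: {message}")
```

Unlike a process-wide `urllib3.disable_warnings()`, this keeps the warning visible for every check that is not explicitly listed.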