Description
What happened (please include outputs or screenshots):
The following exception is raised whenever calling the Kubernetes API of an EKS cluster:
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='0123456789deadbeef01234567890000.gr7.us-east-1.eks.amazonaws.com', port=443): Max retries exceeded with url: /version/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1028)')))
Full stacktrace
Traceback (most recent call last):
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 464, in _make_request
self._validate_conn(conn)
~~~~~~~~~~~~~~~~~~~^^^^^^
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 1093, in _validate_conn
conn.connect()
~~~~~~~~~~~~^^
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connection.py", line 741, in connect
sock_and_verified = _ssl_wrap_socket_and_match_hostname(
sock=sock,
...<14 lines>...
assert_fingerprint=self.assert_fingerprint,
)
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connection.py", line 920, in _ssl_wrap_socket_and_match_hostname
ssl_sock = ssl_wrap_socket(
sock=sock,
...<8 lines>...
tls_in_tls=tls_in_tls,
)
File "/path/to/venv/lib/python3.13/site-packages/urllib3/util/ssl_.py", line 480, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
File "/path/to/venv/lib/python3.13/site-packages/urllib3/util/ssl_.py", line 524, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/nix/store/mk9waz7zbq8hxm6sxhwn88hhcwmgsa84-python3-3.13.3/lib/python3.13/ssl.py", line 455, in wrap_socket
return self.sslsocket_class._create(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
sock=sock,
^^^^^^^^^^
...<5 lines>...
session=session
^^^^^^^^^^^^^^^
)
^
File "/nix/store/mk9waz7zbq8hxm6sxhwn88hhcwmgsa84-python3-3.13.3/lib/python3.13/ssl.py", line 1076, in _create
self.do_handshake()
~~~~~~~~~~~~~~~~~^^
File "/nix/store/mk9waz7zbq8hxm6sxhwn88hhcwmgsa84-python3-3.13.3/lib/python3.13/ssl.py", line 1372, in do_handshake
self._sslobj.do_handshake()
~~~~~~~~~~~~~~~~~~~~~~~~~^^
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1028)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 787, in urlopen
response = self._make_request(
conn,
...<10 lines>...
**response_kw,
)
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 488, in _make_request
raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1028)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<python-input-3>", line 1, in <module>
client.get_code()
~~~~~~~~~~~~~~~^^
File "/path/to/venv/lib/python3.13/site-packages/kubernetes/client/api/version_api.py", line 61, in get_code
return self.get_code_with_http_info(**kwargs) # noqa: E501
~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
File "/path/to/venv/lib/python3.13/site-packages/kubernetes/client/api/version_api.py", line 128, in get_code_with_http_info
return self.api_client.call_api(
~~~~~~~~~~~~~~~~~~~~~~~~^
'/version/', 'GET',
^^^^^^^^^^^^^^^^^^^
...<11 lines>...
_request_timeout=local_var_params.get('_request_timeout'),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
collection_formats=collection_formats)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/path/to/venv/lib/python3.13/site-packages/kubernetes/client/api_client.py", line 348, in call_api
return self.__call_api(resource_path, method,
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
path_params, query_params, header_params,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...<2 lines>...
_return_http_data_only, collection_formats,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_preload_content, _request_timeout, _host)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/path/to/venv/lib/python3.13/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
response_data = self.request(
method, url, query_params=query_params, headers=header_params,
post_params=post_params, body=body,
_preload_content=_preload_content,
_request_timeout=_request_timeout)
File "/path/to/venv/lib/python3.13/site-packages/kubernetes/client/api_client.py", line 373, in request
return self.rest_client.GET(url,
~~~~~~~~~~~~~~~~~~~~^^^^^
query_params=query_params,
^^^^^^^^^^^^^^^^^^^^^^^^^^
_preload_content=_preload_content,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_request_timeout=_request_timeout,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
headers=headers)
^^^^^^^^^^^^^^^^
File "/path/to/venv/lib/python3.13/site-packages/kubernetes/client/rest.py", line 244, in GET
return self.request("GET", url,
~~~~~~~~~~~~^^^^^^^^^^^^
headers=headers,
^^^^^^^^^^^^^^^^
_preload_content=_preload_content,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_request_timeout=_request_timeout,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
query_params=query_params)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/path/to/venv/lib/python3.13/site-packages/kubernetes/client/rest.py", line 217, in request
r = self.pool_manager.request(method, url,
fields=query_params,
preload_content=_preload_content,
timeout=timeout,
headers=headers)
File "/path/to/venv/lib/python3.13/site-packages/urllib3/_request_methods.py", line 135, in request
return self.request_encode_url(
~~~~~~~~~~~~~~~~~~~~~~~^
method,
^^^^^^^
...<3 lines>...
**urlopen_kw,
^^^^^^^^^^^^^
)
^
File "/path/to/venv/lib/python3.13/site-packages/urllib3/_request_methods.py", line 182, in request_encode_url
return self.urlopen(method, url, **extra_kw)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
File "/path/to/venv/lib/python3.13/site-packages/urllib3/poolmanager.py", line 443, in urlopen
response = conn.urlopen(method, u.request_uri, **kw)
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 871, in urlopen
return self.urlopen(
~~~~~~~~~~~~^
method,
^^^^^^^
...<13 lines>...
**response_kw,
^^^^^^^^^^^^^^
)
^
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 871, in urlopen
return self.urlopen(
~~~~~~~~~~~~^
method,
^^^^^^^
...<13 lines>...
**response_kw,
^^^^^^^^^^^^^^
)
^
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 871, in urlopen
return self.urlopen(
~~~~~~~~~~~~^
method,
^^^^^^^
...<13 lines>...
**response_kw,
^^^^^^^^^^^^^^
)
^
File "/path/to/venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 841, in urlopen
retries = retries.increment(
method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
)
File "/path/to/venv/lib/python3.13/site-packages/urllib3/util/retry.py", line 519, in increment
raise MaxRetryError(_pool, url, reason) from reason # type: ignore[arg-type]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='0123456789deadbeef01234567890000.gr7.us-east-1.eks.amazonaws.com', port=443): Max retries exceeded with url: /version/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1028)')))
What you expected to happen:
The exception shouldn't be raised and the call to the Kubernetes API should be made successfully.
How to reproduce it (as minimally and precisely as possible):
Use the latest version of this project with urllib3 v2.4.0 on Python 3.13.
import kubernetes
kubernetes.config.load_config() # Should load a config for an EKS cluster
client = kubernetes.client.VersionApi()
client.get_code()
Anything else we need to know?:
This seems to be caused by the following change in urllib3 v2.4.0: issue, PR, which only takes effect on Python 3.13.
I've only experienced the issue with EKS, which must use self-signed certificates that aren't fully compatible with RFC 5280, notably because they don't provide an Authority Key Identifier.
I don't know if the same issue is the case of other Kubernetes providers.
Environment:
- Kubernetes version (
kubectl version
): v1.32.3-eks-bcf3d70 - OS (e.g., MacOS 10.13.6): macOS 15.4.1
- Python version (
python --version
): 3.13.3 - Python client version (
pip list | grep kubernetes
): 32.0.1