ChromeDriver ERR_SSL_PROTOCOL_ERROR despite –ignore-certificate-errors
Question:
I’m trying to run integration tests on a local host (with no HTTPS) using selenium with ChromeDriver.
Chrome requires an https certificate, but from this question i understand that i can circumvent this using the arg --ignore-certificate-errors
I have also added to my capabilities acceptInsecureCerts, as this seems like the appropriate course of action (docs)
The response from the chromedriver is still not what I was expecting:
This site can’t provide a secure connection app sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
My code is below:
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
# make options (principally to ignore certificate)
options = webdriver.ChromeOptions()
options.add_argument('--ignore-certificate-errors')
# add acceptInsecureCerts
capabilities = options.to_capabilities()
capabilities['acceptInsecureCerts'] = True
print(capabilities) # see below
driver = webdriver.Remote(
command_executor=SELENIUM_HUB,
desired_capabilities=capabilities
)
print(driver.__dict__) # see further below
app_login_url = 'http://app:8000/accounts/login/'
driver.get(app_login_url)
My capabilities:
{'acceptInsecureCerts': True,
'browserName': 'chrome',
'goog:chromeOptions': {'args': ['--ignore-certificate-errors'],
'extensions': []},
'platform': 'ANY',
'version': ''}
Here is my driver info, it looks like only the acceptInsecureCerts arg has been taken into account:
{'_file_detector': <selenium.webdriver.remote.file_detector.LocalFileDetector object at 0x7fb42bde10f0>,
'_is_remote': True,
'_mobile': <selenium.webdriver.remote.mobile.Mobile object at 0x7fb42bb5e400>,
'_switch_to': <selenium.webdriver.remote.switch_to.SwitchTo object at 0x7fb42bdd4898>,
'capabilities': {'acceptInsecureCerts': True,
'acceptSslCerts': True,
'applicationCacheEnabled': False,
'browserConnectionEnabled': False,
'browserName': 'chrome',
'chrome': {'chromedriverVersion': '74.0.3729.6 '
'(255758eccf3d244491b8a1317aa76e1ce10d57e9-refs/branch-heads/3729@{#29})',
'userDataDir': '/tmp/.com.google.Chrome.vc1ZvB'},
'cssSelectorsEnabled': True,
'databaseEnabled': False,
'goog:chromeOptions': {'debuggerAddress': 'localhost:40815'},
'handlesAlerts': True,
'hasTouchScreen': False,
'javascriptEnabled': True,
'locationContextEnabled': True,
'mobileEmulationEnabled': False,
'nativeEvents': True,
'networkConnectionEnabled': False,
'pageLoadStrategy': 'normal',
'platform': 'Linux',
'proxy': {},
'rotatable': False,
'setWindowRect': True,
'strictFileInteractability': False,
'takesHeapSnapshot': True,
'takesScreenshot': True,
'timeouts': {'implicit': 0,
'pageLoad': 300000,
'script': 30000},
'unexpectedAlertBehaviour': 'ignore',
'version': '74.0.3729.169',
'webStorageEnabled': True,
'webdriver.remote.sessionid': '1cf77f237e966bac6ca15d4d9c107423'},
'command_executor': <selenium.webdriver.remote.remote_connection.RemoteConnection object at 0x7fb42be0cf98>,
'error_handler': <selenium.webdriver.remote.errorhandler.ErrorHandler object at 0x7fb427d08a20>,
'session_id': '1cf77f237e966bac6ca15d4d9c107423',
'w3c': False}
Why am i still seeing the ERR_SSL_PROTOCOL_ERROR ?
Answers:
According to Fix “Aw, Snap!” page crashes and other page loading errors – Computer – Google Chrome Help (expand the “Page loading error codes and issues” section), Chrome gives ERR_SSL_PROTOCOL_ERROR for ANY SSL-related error. This includes:
- certificate errors
- connection parameters negotiation failures (e.g. TLS version and stream encryption to use)
- protocol violations by the peer
Since you can’t get any more details from Chrome, opening the page in another app (e.g. Firefox or with openssl s_client) could give you more details on what’s happening.
Sniffing packets with e.g. Wireshark can show the initial stages of the connection including the negotiation stage; if the server is yours (so you have its private key), you will also be able to decrypt the encrypted parts — which would give you the full picture.
This error message…
This site can’t provide a secure connection app sent an invalid response. ERR_SSL_PROTOCOL_ERROR
…implies that the ChromeDriver was unable to initiate/spawn a new WebBrowser i.e. Chrome Browser session on your localhost.
As you are seeing this issue on your local host (with no HTTPS) as per this comment a blind fold solution would be to add the argument --allow-insecure-localhost through chromeOptions() as follows:
'goog:chromeOptions': {'args': ['--allow-insecure-localhost'],
'extensions': []}
However your main issue seems to be with the capabilities where you have set platform being set s ANY as follows:
{'acceptInsecureCerts': True,
'browserName': 'chrome',
'goog:chromeOptions': {'args': ['--ignore-certificate-errors'],
'extensions': []},
'platform': 'ANY',
'version': ''}
As per WebDriver – W3C Living Document the platformName section mentions, the following platform names are in common usage with well-understood semantics and, when matching capabilities, greatest interoperability can be achieved by honoring them as valid synonyms for well-known Operating Systems:
Key System
--- ------
"linux" Any server or desktop system based upon the Linux kernel.
"mac" Any version of Apple’s macOS.
"windows" Any version of Microsoft Windows, including desktop and mobile versions.
Note:This list is not exhaustive.
When returning capabilities from New Session, it is valid to return a more specific platformName, allowing users to correctly identify the Operating System the WebDriver implementation is running on.
So instead of passing "platform":"ANY" within the desiredCapabilities object, a more specific "platform":"linux" will be more desirable approach.
You can find a relevant and related discussion in Curl error thrown for http POST to /session with params: {“desiredCapabilities”:{“browserName”:“chrome”,“platform”:“ANY” with Selenium and PHPUnit
Some more information about the ChromeDriver, Chrome and Selenium Client vrsion would have helped us to analyze the issue in a better way. However as per ChromeDriver history the following issues related to handling of certificate errors were addressed in the last few releases of ChromeDriver:
- Allow handling certificate errors via DevTools: As the headless chrome cannot show a UI warning for SSL certificate errors a fix was released to expose the errors as DevTools events and control the action to take through a DevTools command.
- Provide ability to handle certificate errors in Chromedriver/Selenium for headless: Earlier certain security related options that was controlled via CLI switches in the UI version of Chromium (like
--ignore-certificate-errors) were silently ignored and can only be set via devtools. So it was necessary to override and handle certificateError events on the browser-target DevTools client. A fix was released implementing the usage of the new DevTools method to override certificate error handling browser-wide which allowed ignoring certificate errors in headless mode too.
- Global certificate error handling via DevTools: Previously DevTools allowed handling certificate errors for individual targets / WebContents, but when a new target was created (e.g. clicking on a target=_blank link), it was not often not possible to send the
Security.enable / Security.setOverrideCertificateErrors commands quickly enough before a navigation is attempted. A fix was published with a simpler “ignore all cert errors” mode instead deprecated the old override command in favor of a new setIgnoreCertificateErrors command which also exposes the Security domain on the browser target to facilitate applying this override globally for the whole browser.
Conclusion
- Ensure that the following arguments/capabilities are added:
--allow-insecure-localhostacceptInsecureCerts--ignore-certificate-errors
- As you are using
'chromedriverVersion': '74.0.3729.6' ensure that you are also using 'chrome': '74.0' (as per ChromeDriver v74.0.3729.6 Release Notes)
- Ensure that you are using the latest released Selenium v3.141.59 clients.
You are requesting the page through HTTP and not HTTPS. Chrome will not connect to an insecure HTTP server.
This is causing the TLS/SSL negotiation to fail.
You need to make sure your server is running HTTPS on TCP port 8000.
With the --ignore-certificate-errors option you can generate a self-signed certificate and apply that to the web server.
Then change the url line to use HTTPS.
app_login_url = 'https://app:8000/accounts/login/'
I was facing this issue on MAC, adding chrome option didn’t solve it.
Following workaround solved problem for me:
- Navigate to
/usr/local/lib/python/site-packages/seleniumwire/proxy
- Double click
ca.crt file
- In the
Keychain Access app double click on Selenium Wire CA certificate
- Expand the
Trust Tree
- Select
Always Trust option from the dropdown
- Authenticate with password
In case someone stumbles on this while searching for the nodejs answer it is similar…
import * as chromey from 'selenium-webdriver/chrome.js';
const chromeOptions = new chromey.Options();
chromeOptions.addArguments(
'--ignore-certificate-errors',
'--no-sandbox',
// '--headless',
'disable-gpu',
);
const driver = new Builder()
.forBrowser('chrome')
.setChromeOptions(chromeOptions)
.setCapability("acceptInsecureCerts", true)
.build();
I’m trying to run integration tests on a local host (with no HTTPS) using selenium with ChromeDriver.
Chrome requires an https certificate, but from this question i understand that i can circumvent this using the arg --ignore-certificate-errors
I have also added to my capabilities acceptInsecureCerts, as this seems like the appropriate course of action (docs)
The response from the chromedriver is still not what I was expecting:
This site can’t provide a secure connection app sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
My code is below:
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
# make options (principally to ignore certificate)
options = webdriver.ChromeOptions()
options.add_argument('--ignore-certificate-errors')
# add acceptInsecureCerts
capabilities = options.to_capabilities()
capabilities['acceptInsecureCerts'] = True
print(capabilities) # see below
driver = webdriver.Remote(
command_executor=SELENIUM_HUB,
desired_capabilities=capabilities
)
print(driver.__dict__) # see further below
app_login_url = 'http://app:8000/accounts/login/'
driver.get(app_login_url)
My capabilities:
{'acceptInsecureCerts': True,
'browserName': 'chrome',
'goog:chromeOptions': {'args': ['--ignore-certificate-errors'],
'extensions': []},
'platform': 'ANY',
'version': ''}
Here is my driver info, it looks like only the acceptInsecureCerts arg has been taken into account:
{'_file_detector': <selenium.webdriver.remote.file_detector.LocalFileDetector object at 0x7fb42bde10f0>,
'_is_remote': True,
'_mobile': <selenium.webdriver.remote.mobile.Mobile object at 0x7fb42bb5e400>,
'_switch_to': <selenium.webdriver.remote.switch_to.SwitchTo object at 0x7fb42bdd4898>,
'capabilities': {'acceptInsecureCerts': True,
'acceptSslCerts': True,
'applicationCacheEnabled': False,
'browserConnectionEnabled': False,
'browserName': 'chrome',
'chrome': {'chromedriverVersion': '74.0.3729.6 '
'(255758eccf3d244491b8a1317aa76e1ce10d57e9-refs/branch-heads/3729@{#29})',
'userDataDir': '/tmp/.com.google.Chrome.vc1ZvB'},
'cssSelectorsEnabled': True,
'databaseEnabled': False,
'goog:chromeOptions': {'debuggerAddress': 'localhost:40815'},
'handlesAlerts': True,
'hasTouchScreen': False,
'javascriptEnabled': True,
'locationContextEnabled': True,
'mobileEmulationEnabled': False,
'nativeEvents': True,
'networkConnectionEnabled': False,
'pageLoadStrategy': 'normal',
'platform': 'Linux',
'proxy': {},
'rotatable': False,
'setWindowRect': True,
'strictFileInteractability': False,
'takesHeapSnapshot': True,
'takesScreenshot': True,
'timeouts': {'implicit': 0,
'pageLoad': 300000,
'script': 30000},
'unexpectedAlertBehaviour': 'ignore',
'version': '74.0.3729.169',
'webStorageEnabled': True,
'webdriver.remote.sessionid': '1cf77f237e966bac6ca15d4d9c107423'},
'command_executor': <selenium.webdriver.remote.remote_connection.RemoteConnection object at 0x7fb42be0cf98>,
'error_handler': <selenium.webdriver.remote.errorhandler.ErrorHandler object at 0x7fb427d08a20>,
'session_id': '1cf77f237e966bac6ca15d4d9c107423',
'w3c': False}
Why am i still seeing the ERR_SSL_PROTOCOL_ERROR ?
According to Fix “Aw, Snap!” page crashes and other page loading errors – Computer – Google Chrome Help (expand the “Page loading error codes and issues” section), Chrome gives ERR_SSL_PROTOCOL_ERROR for ANY SSL-related error. This includes:
- certificate errors
- connection parameters negotiation failures (e.g. TLS version and stream encryption to use)
- protocol violations by the peer
Since you can’t get any more details from Chrome, opening the page in another app (e.g. Firefox or with openssl s_client) could give you more details on what’s happening.
Sniffing packets with e.g. Wireshark can show the initial stages of the connection including the negotiation stage; if the server is yours (so you have its private key), you will also be able to decrypt the encrypted parts — which would give you the full picture.
This error message…
This site can’t provide a secure connection app sent an invalid response. ERR_SSL_PROTOCOL_ERROR
…implies that the ChromeDriver was unable to initiate/spawn a new WebBrowser i.e. Chrome Browser session on your localhost.
As you are seeing this issue on your local host (with no HTTPS) as per this comment a blind fold solution would be to add the argument --allow-insecure-localhost through chromeOptions() as follows:
'goog:chromeOptions': {'args': ['--allow-insecure-localhost'],
'extensions': []}
However your main issue seems to be with the capabilities where you have set platform being set s ANY as follows:
{'acceptInsecureCerts': True,
'browserName': 'chrome',
'goog:chromeOptions': {'args': ['--ignore-certificate-errors'],
'extensions': []},
'platform': 'ANY',
'version': ''}
As per WebDriver – W3C Living Document the platformName section mentions, the following platform names are in common usage with well-understood semantics and, when matching capabilities, greatest interoperability can be achieved by honoring them as valid synonyms for well-known Operating Systems:
Key System
--- ------
"linux" Any server or desktop system based upon the Linux kernel.
"mac" Any version of Apple’s macOS.
"windows" Any version of Microsoft Windows, including desktop and mobile versions.
Note:This list is not exhaustive.
When returning capabilities from New Session, it is valid to return a more specific platformName, allowing users to correctly identify the Operating System the WebDriver implementation is running on.
So instead of passing "platform":"ANY" within the desiredCapabilities object, a more specific "platform":"linux" will be more desirable approach.
You can find a relevant and related discussion in Curl error thrown for http POST to /session with params: {“desiredCapabilities”:{“browserName”:“chrome”,“platform”:“ANY” with Selenium and PHPUnit
Some more information about the ChromeDriver, Chrome and Selenium Client vrsion would have helped us to analyze the issue in a better way. However as per ChromeDriver history the following issues related to handling of certificate errors were addressed in the last few releases of ChromeDriver:
- Allow handling certificate errors via DevTools: As the headless chrome cannot show a UI warning for SSL certificate errors a fix was released to expose the errors as DevTools events and control the action to take through a DevTools command.
- Provide ability to handle certificate errors in Chromedriver/Selenium for headless: Earlier certain security related options that was controlled via CLI switches in the UI version of Chromium (like
--ignore-certificate-errors) were silently ignored and can only be set via devtools. So it was necessary to override and handlecertificateErrorevents on the browser-target DevTools client. A fix was released implementing the usage of the new DevTools method to override certificate error handling browser-wide which allowed ignoring certificate errors in headless mode too. - Global certificate error handling via DevTools: Previously DevTools allowed handling certificate errors for individual targets / WebContents, but when a new target was created (e.g. clicking on a target=_blank link), it was not often not possible to send the
Security.enable/Security.setOverrideCertificateErrorscommands quickly enough before a navigation is attempted. A fix was published with a simpler “ignore all cert errors” mode instead deprecated the old override command in favor of a newsetIgnoreCertificateErrorscommand which also exposes the Security domain on the browser target to facilitate applying this override globally for the whole browser.
Conclusion
- Ensure that the following arguments/capabilities are added:
--allow-insecure-localhostacceptInsecureCerts--ignore-certificate-errors
- As you are using
'chromedriverVersion': '74.0.3729.6'ensure that you are also using'chrome': '74.0'(as per ChromeDriver v74.0.3729.6 Release Notes) - Ensure that you are using the latest released Selenium v3.141.59 clients.
You are requesting the page through HTTP and not HTTPS. Chrome will not connect to an insecure HTTP server.
This is causing the TLS/SSL negotiation to fail.
You need to make sure your server is running HTTPS on TCP port 8000.
With the --ignore-certificate-errors option you can generate a self-signed certificate and apply that to the web server.
Then change the url line to use HTTPS.
app_login_url = 'https://app:8000/accounts/login/'
I was facing this issue on MAC, adding chrome option didn’t solve it.
Following workaround solved problem for me:
- Navigate to
/usr/local/lib/python/site-packages/seleniumwire/proxy - Double click
ca.crtfile - In the
Keychain Accessapp double click onSelenium Wire CAcertificate - Expand the
TrustTree - Select
Always Trustoption from the dropdown - Authenticate with password
In case someone stumbles on this while searching for the nodejs answer it is similar…
import * as chromey from 'selenium-webdriver/chrome.js';
const chromeOptions = new chromey.Options();
chromeOptions.addArguments(
'--ignore-certificate-errors',
'--no-sandbox',
// '--headless',
'disable-gpu',
);
const driver = new Builder()
.forBrowser('chrome')
.setChromeOptions(chromeOptions)
.setCapability("acceptInsecureCerts", true)
.build();