SSL verification error/rest calls in scripting, perspective

Sabhareeswaran_Ravi · March 21, 2023, 6:55am

I tried to fetch data using restApi(using GET call), the thing is we have added a wildcard certificate to our platform which provides this API to access. I believe due to this, I am not able to retrieve any data Ignition throws an error as follows,

Error running action 'dom.onClick' on test@C/root/XYChart: Traceback (most recent call last): File "<function:runAction>", line 11, in runAction File "<function:runAction>", line 11, in runAction at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:103) at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.get(JythonHttpClient.java:306) at jdk.internal.reflect.GeneratedMethodAccessor144.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.base/java.lang.reflect.Method.invoke(Unknown Source) java.io.IOException: java.io.IOException:

Are there any arguments like verify = False to skip the SSL verification or any other workarounds to add the certificate to Ignition's trusted certificate store?
Help would be appreciated

mpoulsen921 · March 21, 2023, 7:00am

Hi Sab

Try have a look at the function system.net.httpGet - Ignition User Manual 8.1 - Ignition Documentation.
It has a boolean flag to bypass certification validation.

Sabhareeswaran_Ravi · March 22, 2023, 11:23am

Hi Mpoulsen92,

thank you so much for your reply. Indeed it helped me a lot...
By any chance can we customize the logs which are triggered by the default mechanism?
because If I bypass SSL it triggers the log each time.

PGriffith · March 22, 2023, 3:15pm

No, because it's just a logger, and it's not wrong.

If you have a custom certificate to trust, the right way to go about things is to add it to your local environment trust store (the gateway/designer/vision client). Bypassing all SSL verification is a completely different, much wider security opening than simply accepting one specific certificate.
https://docs.inductiveautomation.com/display/DOC81/Security+Certificates#SecurityCertificates-AddingSecurityCertificatesintoKeyStores

Also note: system.net.httpGet is 'soft' deprecated and likely to be fully deprecated in 8.3. system.net.httpClient() is superior in basically every way, and has a corresponding bypass_cert_validation flag that will do the same disabling of all SSL verification (with the same warning in the logs).

Sabhareeswaran_Ravi · March 23, 2023, 11:09am

Thank you so much for the docs links. @PGriffith

I am new to Ignition development, are there any official pages we can track/be aware of any changes like deprecation of APIs?

Jonathan_Hall · February 27, 2025, 1:22pm

why deprecated the httpget ? its lightweight compared to httpclient.

we use it a lot in tag script and im a bit concerned about the performance hit that this change would have on our server

pturmel · February 27, 2025, 1:28pm

The hit is mitigated by following the advice in that caution. Do not call system.net.httpClient() for every request. Create a long-lived instance, and only use the .get() or .post() (or whatever) method per request.

Then the performance should be better than httpGet.

(If you are doing any of this in tag event scripts, you are seriously screwing up, and risk locking up all of your tag event scripting. Use gateway tag change events in a project for anything that reaches out across a network.)