Getting "[SSL] record layer failure" for while connecting to "iam.cloud.ibm.com" endpoint

[tgujrathi]

When initializing the Cloudant connection via IAM authenticator getting following error at random instances every day.
HTTPSConnectionPool(host='iam.cloud.ibm.com', port=443): Max retries exceeded with url: /identity/token (Caused by SSLError(SSLError(1, '[SSL] record layer failure (_ssl.c:2570)')))

[ricellis]

Please confirm the versions in your environment of
Python
and of the modules (e.g. with pip list)
ibmcloudant
ibm_cloud_sdk_core
requests
urllib3
certifi

[tgujrathi]

Python version: 3.12.7

$ pip list
Package Version
APScheduler 3.10.4
certifi 2024.8.30
charset-normalizer 3.4.0
ibm-cloud-sdk-core 3.21.0
ibmcloudant 0.9.2
idna 3.10
pip 24.2
PyJWT 2.9.0
python-dateutil 2.9.0.post0
pytz 2024.2
requests 2.32.3
six 1.16.0
timeout-decorator 0.5.0
tzlocal 5.2
urllib3 2.2.3

[tgujrathi]

I am also getting error-related connections aborted.
('Connection aborted.', RemoteDisconnected('Remote end closed connection without response')

[ricellis]

I don't think this is specifically a problem with the Cloudant Python SDK. The SSL handshake with IAM fails, but the exact cause of the failure is unclear as the [SSL] bracketed output doesn’t include a specific reason, which it often does.

When initializing the Cloudant connection via IAM authenticator

Are you able to confirm if the problem only happens when initializing or whether it also occurs afterwards e.g. during token renewal as well?

Generally the client instance tends to be long-lived within the context of an application and requests to IAM normally happen at 80% of the token lifetime (around every 48 minutes for the default of 1 hour).
Are you initializing clients very frequently?

at random instances every day.

Are you able to estimate the frequency with which this is occurring either as a proportion of the initializations/renewals or a number per hour/ per day.

I am also getting error-related connections aborted.

This is interesting, because I was suspecting it may be a network problem when trying to contact IAM that gives the first error.
Is your python code running in an environment with an unreliable network or some kind of proxy between it and Cloudant?

[ricellis]

@tgujrathi do you have any further information or answers to the above questions to add here?

Are you able to confirm if the RemoteDisconnected is also for IAM requests or if it is not then for which specific Cloudant requests it occurs?

[ricellis]

I think this might be caused by python/cpython#115627 - since that problem is fixed in Python 3.13 please try to reproduce on Python 3.13.0 or 3.13.1 . If you still have issues please let us know and we'll re-open the issue and investigate some more.