SSL connect attempt failed

porting successfully running suite to new platform (cylc 7.8.8)

get SSL connect attempt fail below.
cylc runs a perl script that gathers data.
running the perl script from the command line emits no such failure.

the perl versions (across platforms) are different.
other ‘trivial’ suites cycle and behave as normal.

thought I would try the cylc folks first.
thank you.

[2022/02/12 13:27:24] DEBUG: HTTP::Response=HASH(0x55e01ba08620)

$VAR1 = 'Can’t connect to xxxx.xxxxx.xxxx.xxx:443 (certificate verify failed)

SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/lib/perl5/vendor_perl/5.26.1/LWP/Protocol/http.pm line 50.’;

[2022/02/12 13:27:24] WARN: WARNING: website cannot be reached: HTTP::Response=HASH(0x55e01ba08620)->status_line

Can’t connect to xxxx.xxxxx.xxxx.xxx:443 (certificate verify failed)"

To make sure I understand:

In a Cylc task you’re running a Perl script that makes an ssh connection to another host. The Perl script runs successfully at the command line, but the ssh fails when run in the Cylc task?

The are several differences between running an executable in a Cylc task and running it in a terminal. In the Cylc case:

  • task jobs can be submitted to another host (if you configure that)
  • task jobs can be submitted to a batch system such as PBS (if you configure that)
  • the task job environment may be detached from the suite environment, in which case environment variables required by your script must be explicitly set in the task definition, or come from your bash login scripts (sourced when running the task job, by default)

If you are running the Perl script on the same host (by command line or Cylc) then I’d check the environment. e.g. type printenv at the terminal, and add the same to your task definition, and compare the result.

by use of printenv, and a few simpler ‘toy’ examples, I was able to track
the issue, not to cylc (no surprise), but rather, to a missing perl module
(Mozilla::CA) on the new system.

fwiw; LWP after version 6.0.1, assumes host verification as the default.