Private instance InsecureRequestWarning: Unverified HTTPS request is being made

Hi,

We’ve been running a private instance on docker for a long time on-premises expanding to two datacenters in different geographic locations. Today we migrated the server to a swarm cluster on aws and left the agents on the old infrastructure to have localized tests. I split the docker-compose file in three parts, one for the server that is now running on the swarm cluster on aws (updated to run as a stack on swarm), and two docker-compose files for each of the agent locations. For the server we use letsecncrypt certificates that were correctly generated on the swarm cluster on aws (using a traefik load balancer) after pointing the private instance DNS name to the new location, but on the agent logs I’m seeing this error:

19:41:12.891 - Starting new HTTPS connection (1): wpt.xxxx.com:443 agent-pe_1 | /usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'wpt.xxxxx.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings

Which is weird as the ssl certificate is valid from letsencrypt, no errors when going to the private instance web interface. The tests seem to work fine on one of the agents, but on the other one we get a broken waterfall image on the first view for some tests, or “First View: Test Data Missing” on others, which I’m not sure if this has anything to do with this error.

Both agents use the same docker configuration which did not change when they got split into separate files, same agent docker images and are running on the same hosts as before, so I really don’t get why now some of the tests have this problem. How can I start to debug this ? agent logs are lengthy and don’t I know what to look for on them.

Thanks in advance for any pointers.
[hr]
This is the docker-compose file of the agent with issues:

version: "2" services: agent-pe: image: webpagetest/agent init: true shm_size: 256mb environment: SERVER_URL: https://wpt.xxxxx.com/work/ LOCATION: desktop_lima EXTRA_ARGS: "-m debug --checknet yes --log /debug.log -vvvv" volumes: - "/etc/localtime:/etc/localtime:ro" cap_add: - NET_ADMIN privileged: true restart: "always"

I went back to the old setup on the on-premises servers and noticed that the same sites I thought were not having this issue before have it too, the broken waterfall image on the first view. Doing some testing I noticed that when I send a test with first view only then the waterfall works, but not when first and repeat views are selected they do not.

The agent that works fine is on the same server than the wpt server, the failing one is on another server in another datacenter in another country, same hardware and dedicated to run the agent only. The only difference in configuration between the two agents is that the agent local to the wpt server uses SERVER_LOCATION=http://server/work/ (where server is the name of the wpt server docker container) and the remote one uses SERVER_LOCATION=https://wpt.xxxx.com/work/ (the wpt server public domain name).

I also tested chainging SERVER_LOCATION on the local agent to the public hostname and I also get the same “InsecureRequestWarning: Unverified HTTPS request is being made” warning but the tests work fine, so it seems the issue with the waterfall is not related to this, althought is very weird having this warning with perfectly valid ssl certificates.

Any clues ?

Here are the logs of the failing agent if anyone cares to take a look.