Network Configuration¶
Argo, more percisely, the Argo gateway API, is
- an internal service behind Argonne's firewall.
- at the moment, only accessible from certain ANL hosts.
These two conditions combined mean that there might be some network configuration required to use the Argo service. Here are some common scenarios:
Scenario 1: On Argonne Campus¶
You are (physically, or virtually) on Argonne's campus. First thing to do is to figure out if your machine/host can reach the Argo gateway API. You can do this by one of the following:
curl --max-time 5 https://apps.inside.anl.gov/argoapi/api/v1/resource/embed/to see if it returns a JSON response.- open a browser and navigate to
https://apps.inside.anl.gov/argoapi/api/v1/resource/embed/to see if it returns something.
If you can reach the Argo gateway API¶
A successful response may look like this:
Then you are good to set up the Argo proxy by following the installation guide.
If you cannot reach the Argo gateway API¶
It's possible that your machine/host is not configured to access Argo API service. Now you have two options:
- Submit a vector ticket to set up a firewall conduit for your machine/host. Instructions for the ticket:
Description: "Need access to the Argo Gateway API endpoints."
Object Group Information: Select "BIS_Argo_Access" from the drop-down menu
Object-Group Additions: Click [Add] button
Pop-up window: IP Address or Network: Enter IP address.
Repeat the process to add more than one IP address.
- Deploy the Argo proxy on another machine that can reach the Argo gateway API. Access the proxy via its IP address or hostname. For example, deploying on port 44497 of an ANL machine would give URLs like
http://some_machine.cels.anl.gov:44497orhttp://some_machine:44497.
Scenario 2: Off Argonne Campus¶
If you are off Argonne campus, you can use either of the following methods to access the Argo gateway API:
- VPN: Connect to Argonne VPN and then follow the steps in Scenario 1.
- SSH tunnel: Set up an SSH tunnel to a machine on Argonne campus that can reach the Argo gateway. Make sure that machine you tunnel to is able to reach the Argo gateway API, by following the steps in Scenario 1.
Candidate machines might be the Windows/Linux PC, Mac in your office, or some server you have access to.
Good luck!
Troubleshooting: SSL Certificate Errors on macOS¶
Symptom¶
Python scripts that make HTTPS requests to the Argo API fail with errors like:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] ...>
Yet the same URL works fine with curl in the terminal.
Why This Happens¶
Python on macOS does not use the system certificate store by default. When you install Python from python.org or via Homebrew, its ssl module ships with an empty or incomplete certificate bundle. This means Python cannot verify the TLS certificate chain for HTTPS connections — even though macOS itself (and therefore curl) trusts those certificates.
This issue does not affect Linux, where Python's ssl module uses the system CA bundle (/etc/ssl/certs/) automatically.
Fix¶
Install the certifi package, which provides Mozilla's curated CA bundle, then point Python's ssl module to it via an environment variable:
# 1. Install certifi
pip install certifi
# 2. Set the environment variable (add to ~/.zshrc for persistence)
echo 'export SSL_CERT_FILE=$(python3 -c "import certifi; print(certifi.where())")' >> ~/.zshrc
source ~/.zshrc
Once set, all Python programs — including argo-proxy — will use the correct certificate bundle. No code changes required.
Verifying the Fix¶
python3 -c "
import urllib.request, json
url = 'https://app.inside.anl.gov/argoapi/v1/models'
with urllib.request.urlopen(url) as r:
print(json.loads(r.read().decode()))
"
If this prints a JSON response, the fix is working.