The SSL connect error with code 35 typically occurs when trying to establish secure HTTPS connections to Gurobi services
- Gurobi Web License Service (WLS)
- Gurobi Instant Cloud
- License retrieval with grbgetkey
This error is commonly related to SSL/TLS certificate validation issues, particularly certificate revocation checking failures.
Common Error Messages
Users may encounter variations of this error:
SSL connect error (code 35, command POST ...)Gurobi Error 10022: schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. (code 35, command POST ...)Communication failed, check your network connection or set variable HTTPS_PROXY if you need a proxyRecv failure: Connection was reset (code 35, command POST https://token.gurobi.com/api/v1/tokens)
Root Causes
The error typically stems from:
- Network connectivity issues: Cannot reach Certificate Revocation List (CRL) or OCSP servers
- Firewall/proxy restrictions: Corporate firewalls blocking revocation checking URLs
- Certificate revocation checking failures: Windows Schannel cannot verify if SSL/TLS certificates have been revoked
- DNS resolution problems: Cannot resolve revocation server addresses
- Offline environments: No internet access to check certificate revocation status
Troubleshooting Steps
Step 1: Check Network Connectivity
- Verify internet connection: Ensure your computer can access the internet
-
Test Gurobi URLs: Try accessing these URLs in a browser:
- https://token.gurobi.com (for WLS users)
- https://license.gurobi.com (for WLS users)
- https://portal.gurobi.com (for grbgetkey users)
- https://cloud.gurobi.com (for Instant Cloud users)
-
Test with curl: Run these commands to test connectivity:
curl -v https://cloud.gurobi.com curl -v https://token.gurobi.com
-
Compare with other HTTPS sites: Test with a different HTTPS site:
curl -v https://google.com
Step 2: Check Certificate Revocation URLs
Verify that your firewall is not blocking certificate revocation checking URLs:
- CA Issuers: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl
- OCSP Responder: http://status.geotrust.com
Step 3: Configure Proxy Settings (if applicable)
If your network uses a proxy, set these system environment variables:
HTTPS_PROXY=http://<proxy-address>:<port> HTTP_PROXY=http://<proxy-address>:<port>
Or with authentication:
HTTPS_PROXY=http://<username>:<password>@<proxy-address>:<port> HTTP_PROXY=http://<username>:<password>@<proxy-address>:<port>
Step 4: Firewall Rules
Contact your IT department to:
-
Whitelist required URLs:
- https://token.gurobi.com (port 443)
- https://license.gurobi.com (port 443)
- https://portal.gurobi.com (port443, for grbgetkey)
- https://cloud.gurobi.com (port 443, for Instant Cloud)
-
Allow certificate revocation checking URLs:
- http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl (port 80)
- http://status.geotrust.com (port 80)
- Configure firewall rules: Ensure domain names are whitelisted rather than IP addresses, as Gurobi uses multiple servers for redundancy and IP addresses may change.
Step 5: Enable Verbose Logging
Set the system environment variable to get detailed connection information:
GRB_CURLVERBOSE=1
Step 6: Disable Certificate Revocation Checking
If the other steps don't work, you can disable revocation checking by setting the system environment variable:
GRB_NO_REVOKE=1
Starting with Gurobi v12.0.2, this is already disabled by default.