Certificate Verify Failed: Unable to Get Local Issuer Certificate

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

exchangelib uses requests to do the actual HTTP requests. This means you can set the REQUESTS_CA_BUNDLE environment variable. See How to force requests use the certificates on my ubuntu system

Unable to get local issuer certificate when using requests in python

It's not recommended to use verify = False in your organization's environments. This is essentially disabling SSL verification.

Sometimes, when you are behind a company proxy, it replaces the certificate chain with the ones of Proxy. Adding the certificates in cacert.pem used by certifi should solve the issue. I had similar issue. Here is what I did, to resolve the issue -

  1. Find the path where cacert.pem is located -

Install certifi, if you don't have. Command: pip install certifi

import certifi
certifi.where()
C:\\Users\\[UserID]\\AppData\\Local\\Programs\\Python\\Python37-32\\lib\\site-packages\\certifi\\cacert.pem

  1. Open the URL on a browser. Download the chain of certificates from the URL and save as Base64 encoded .cer files.

  2. Now open the cacert.pem in a notepad and just add every downloaded certificate contents (---Begin Certificate--- *** ---End Certificate---) at the end.

Why do I receive 'unable to get local issuer certificate (_ssl.c:997)'

After a lot of googling I figured out the solution myself:

The problem - so it seems - was not all certificates needed where included in Pythons cacert.pem file. As I indicated in my question above to tackle this I downloaded the certifi module at first. As this didn't work out as well I suppose certifi missed the necessary certificates as well.

But I suppose not all certificates in the certificate where missing. As answers to similar questions indicated as well mostly what is missing is not the entire chain, but only the intermediate certificates.

After:

1. downloading the necessary certificates (see the lock symbol in your browser; if you're on OSX you need to drag and drop the big images of the certificates to your finder or desktop etc.),

2. converting them to .perm files and bundling them together: cat first_cert.pem second_cert.pem > combined_cert.pem

and

3. providing the specific path of the bundled certificates as indicated in my question: verify="private/etc/ssl/certs (you may of course choose a different file path).

my request got accepted by the server.

I guess my mistake when trying this solution was that I didn't download the entire chain at first, but only the last certificate.

I really hope this helps someone else as a point of reference.

What I am still dying to know though, is why the error popped up in the first place. I didn't change my script at all and use it on a regular basis, but suddenly got presented with said error. Was the reason that the server I tried to reach change its certificates?

Apologies if my terminology is incorrect.

SSL: CERTIFICATE_VERIFY_FAILED when using pretrained detectron2 model

Try to put this after your import statements :

import certifi
import ssl

def create_context():
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.load_verify_locations(certifi.where())
    return context
ssl._create_default_https_context = create_context

This tells urllib to use certifi's certificates.

Python tcp socket with ssl encryption [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

I changed the client's code to:

context = ssl.create_default_context()
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssock = context.wrap_socket(sock, server_hostname=self.ip)

This way I don't have to hand a certificate file manually over. Instead, it seems like my Windows root certificate library gets scanned and finds my VM´s certificate automatically (since I installed the .cer file).

On the server side, I simply had to pass the certificate.cer file instead of the pem format.
context.load_cert_chain(certfile="cert.cer", keyfile="prKey.pem")

Unable to resolve unable to get local issuer certificate using git on Windows with self-signed certificate

An answer to Using makecert for Development SSL fixed this for me.

I do not know why, but the certificate created by the simple 'Create Self Signed Certificate' link in IIS Manager does not do the trick. I followed the approach in the linked question of creating and installing a self-signed CA Root; then using that to issue a Server Authentication Certificate for my server. I installed both of them in IIS.

That gets my situation the same as the blog post referenced in the original question. Once the root certificate was copy/pasted into curl-ca-bundle.crt the git/curl combo were satisfied.


Related Topics

How to Uninstall a Package Installed with Pip Install --User

Convert Variable Name to String

Boto3 to Download All Files from a S3 Bucket

How to Use Jupyter Notebooks in a Conda Environment

How to Select All Columns Whose Names Start with X in a Pandas Dataframe

Django Templatedoesnotexist

Differencebetween Pylab and Pyplot

Disable Assertions in Python

Comparing Previous Row Values in Pandas Dataframe

How to Check If Code Is Executed in the Ipython Notebook

Check List of Words in Another String

Get Relative Path from Comparing Two Absolute Paths

How to Access Pandas Groupby Dataframe by Key

Process to Convert Simple Python Script into Windows Executable

Removing Index Column in Pandas When Reading a CSV

How to Plot Nan Values as a Special Color with Imshow in Matplotlib

A Very Simple Multithreading Parallel Url Fetching (Without Queue)

Django Return Redirect() with Parameters


Leave a reply



Submit