Python Requests Ssl Error - Certificate Verify Failed

Python requests SSL error - certificate verify failed

As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:

This server's certificate chain is incomplete. Grade capped to B.

This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA into a file my_trust_store.pem and then you can call:

requests.get("https://...", verify='my_trust_store.pem')

... but I've tried downloading the site's certificate and pointing to that file using the verify option

This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL, and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify), and a server certificate is not a CA certificate, it will not help to add it to the trust store.

urllib and SSL: CERTIFICATE_VERIFY_FAILED Error

If you just want to bypass verification, you can create a new SSLContext. By default newly created contexts use CERT_NONE.

Be careful with this as stated in section 17.3.7.2.1

When calling the SSLContext constructor directly, CERT_NONE is the default. Since it does not authenticate the other peer, it can be insecure, especially in client mode where most of time you would like to ensure the authenticity of the server you’re talking to. Therefore, when in client mode, it is highly recommended to use CERT_REQUIRED.

But if you just want it to work now for some other reason you can do the following, you'll have to import ssl as well:

import ssl
import urllib2  # Python 2

input = input.replace("!web ", "")
url = "https://domainsearch.p.mashape.com/index.php?name=" + input
req = urllib2.Request(url, headers={ 'X-Mashape-Key': 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' })
# A directly constructed context uses CERT_NONE: the server certificate is not verified
gcontext = ssl.SSLContext() # Only for gangstars
info = urllib2.urlopen(req, context=gcontext).read()
Message.Chat.SendMessage("" + info)

This should get round your problem but you're not really solving any of the issues, but you won't see the [SSL: CERTIFICATE_VERIFY_FAILED] because you now aren't verifying the cert!

To add to the above, if you want to know more about why you are seeing these issues you will want to have a look at PEP 476.

This PEP proposes to enable verification of X509 certificate signatures, as well as hostname verification for Python's HTTP clients by default, subject to opt-out on a per-call basis. This change would be applied to Python 2.7, Python 3.4, and Python 3.5.

There is an advised opt out which isn't dissimilar to my advice above:

import ssl
import urllib

# This restores the same behavior as before.
context = ssl._create_unverified_context()
urllib.urlopen("https://no-valid-cert", context=context)

It also features a highly discouraged option via monkeypatching which you don't often see in Python:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

Which overrides the default function for context creation with the function to create an unverified context.

Please note with this as stated in the PEP:

This guidance is aimed primarily at system administrators that wish to adopt newer versions of Python that implement this PEP in legacy environments that do not yet support certificate verification on HTTPS connections. For example, an administrator may opt out by adding the monkeypatch above to sitecustomize.py in their Standard Operating Environment for Python. Applications and libraries SHOULD NOT be making this change process wide (except perhaps in response to a system administrator controlled configuration setting).

If you want to read a paper on why not validating certs is bad in software you can find it here!
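The opt-outs shown in this answer are easy to leave behind in a code base. As an added example (not part of the original answer or of PEP 476), the following sketch uses Python's `ast` module to flag them in source code, together with the `verify=False` argument of requests; the function names and the sample source are constructed for illustration.

```python
import ast

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def find_tls_bypasses(source):
    """Return sorted (line, reason) pairs for code that disables verification."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, "verify=False"))
            if name == "ssl._create_unverified_context":
                findings.append((node.lineno, "unverified context"))
            elif name == "ssl.SSLContext" and not node.args and not node.keywords:
                findings.append((node.lineno, "bare SSLContext(): CERT_NONE default"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if _dotted(target) == "ssl._create_default_https_context":
                    findings.append((node.lineno, "process-wide monkeypatch"))
    return sorted(findings)

# Constructed sample input: it is only parsed, never executed.
SAMPLE = '''\
import ssl, requests, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
ctx = ssl.SSLContext()
urllib.request.urlopen("https://example.invalid", context=ssl._create_unverified_context())
requests.get("https://example.invalid", verify=False)
requests.get("https://example.invalid", verify="my_trust_store.pem")
good = ssl.create_default_context()
'''

if __name__ == "__main__":
    for line, reason in find_tls_bypasses(SAMPLE):
        print(f"line {line}: {reason}")
```

A bare `ssl.SSLContext()` that is later given `verify_mode = ssl.CERT_REQUIRED` will still be flagged, so treat the findings as items to review rather than confirmed defects.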

python Requests SSL ERROR (certificate verify failed)

It is highly recommended to have a deeper look at the excellent documentation for requests. It has a special chapter about SSL Cert Validation which explains:

You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs:

>>> requests.get('https://github.com', verify='/path/to/certfile')

Assuming that your server certificate was signed by your ca.crt you should use this for the verify parameter.

EDIT: based on the discussion it looks like the CA and server certificate used the same subject. This means that the certificate validation assumes that this is a self-signed certificate, which thus results in a certificate validation error.

Getting SSL: CERTIFICATE_VERIFY_FAILED when using proxy with python requests

If you have a copy of the self-signed certificate and key you can modify the code as follows:

import os
import requests

proxies = {
    'http': 'http://127.0.0.1:24000',
    'https': 'http://127.0.0.1:24000',
}

# CACERT_PATH and CACERT_KEY are the directories holding the certificate and key
certificate_path = os.path.join(CACERT_PATH, 'cacert.pem')
key_path = os.path.join(CACERT_KEY, 'cacert.key')

resp = requests.get('https://api.myip.com',
                    proxies=proxies,
                    cert=(certificate_path, key_path))
print(resp.text)

python requests 'certificate verify failed' for a specific SNI certificate

... but the snippet above gives me the generic SSL failure exception ...

 ...'tls_process_server_certificate', 'certificate verify failed')],)",),))

Actually, this is not a generic SSL failure. It clearly fails because it could not verify the certificate. And the reason is not SNI vs. non-SNI since SNI is used by default in requests for a long time.

The reason is instead a misconfiguration of the server. From the SSLLabs report:

This server's certificate chain is incomplete. Grade capped to B.

 

Chrome/Firefox browsers open this site up, no problem ...

Desktop browsers usually successfully work around this type of common misconfiguration, for example by caching intermediate certificates from other connections and using these to fill in missing parts of the certificate chain. But if you try for example a Firefox with a fresh profile you'll get the same kind of SSL problems.

Python requests SSL certificate verification fails, even after adding CA certificates

You need to install pyopenssl and ndg-httpsclient

See using requests with TLS doesn't give SNI support for more details


