29

I have a large number of file download links in a txt file. I am trying to write a python script to download all the files at once, but I end up with the following error:

SSLError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The file is being downloaded via intranet.

I tried to download the file via browser and I got a pop up with some certificate. I tried to google it but didn't find a way to solve this.

tshepang
  • 12,111
  • 21
  • 91
  • 136
Sangamesh
  • 435
  • 3
  • 8
  • 19

7 Answers7

20

The server certificate is invalid, either because it is signed by an invalid CA (internal CA, self signed,...), doesn't match the server's name or because it is expired.

Either way, you need to find how to tell to the Python library that you are using that it must not stop at an invalid certificate if you really want to download files from this server.

Remi Gacogne
  • 4,655
  • 1
  • 18
  • 22
  • You're welcome. If it solves your problem, please mark the answer as accepted. Anyway I wish you good luck. – Remi Gacogne Jun 13 '13 at 14:24
  • I tried to find out a way based on what u suggested but dint find find anything that could solve my problem. If i try to download the file by chrome its shows a single sign on certificate validation pop up.. Do u think this could be the problem?? thanks – Sangamesh Jun 17 '13 at 09:06
  • Not likely, no. Either the pop-up is an applicative one, and your python script does not seem to get this far, or it is a SSL client certificate request and it happen after the SSL server verification, which clearly fails. So no, I don't think so. Could you get a trace with ssldump or wireshark/tcpdump ? – Remi Gacogne Jun 17 '13 at 12:55
17

Experienced this myself when using requests:

This is extremely insecure; use only as a last resort! (See rdlowrey's comment.)

requests.get('https://github.com', verify=True)

Making that verify=False did the trick for me.

Aasmund Eldhuset
  • 37,289
  • 4
  • 68
  • 81
Stevenm
  • 267
  • 2
  • 2
  • 49
    This is very much a **suboptimal** approach. Simply disabling peer verification is extraordinarily insecure and leaves you wide open to Man-in-the-Middle attacks. This is *not* a "solution." –  Jan 01 '14 at 16:44
  • 6
    Sure, but sometimes you have no choice. – Luke Sneeringer May 02 '14 at 15:32
  • I've no choice other than this solution. – Hassan Raza Jan 04 '16 at 09:23
  • 1
    definetly the best solution when you have "no choice".. in my case i was requesting info from a third party web service that had their certificate expired. – psychok7 Jun 16 '16 at 14:42
17

Got this issue today and after wandering for several hours just came to know that my server datetime was wrong.

So first please check your server datetime before going so deep in this issue.

also try doing

>> sudo update-ca-certificates
Hemant_Negi
  • 1,910
  • 1
  • 20
  • 25
3

Got this same error recently in a python app using requests on ubuntu 14.04LTS, that I thought had been running fine (maybe it was and some update occurred). Doing the steps below fixed it for me:

pip install --upgrade setuptools
pip install -U requests[security]

Here is a reference: https://stackoverflow.com/a/39580231/996117

JimJty
  • 1,169
  • 12
  • 16
1

could also happen when your local time is off (e.g. before certificate validation time), this was the case in my error...

Stef
  • 11
  • 1
0

I've experienced the same issue because of certifi library. Installing a different version helped me as well.

desertkun
  • 1,027
  • 10
  • 19
0

Normally updating certifi and/or the certifi cacert.pem file would work. I also had to update my version of python. Vs. 2.7.5 wasn't working because of how it handles SNI requests.

Once you have an up to date pem file you can make your http request using:

requests.get(url, verify='/path/to/cacert.pem')

ajon
  • 7,868
  • 11
  • 48
  • 86