Suppress InsecureRequestWarning: Unverified HTTPS request is being made in Python2.6

Question

I am writing scripts in Python2.6 with use of pyVmomi and while using one of the connection methods:

service_instance = connect.SmartConnect(host=args.ip,
                                        user=args.user,
                                        pwd=args.password)

I get the following warning:

/usr/lib/python2.6/site-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)

What's interesting is that I do not have urllib3 installed with pip (but it's there in /usr/lib/python2.6/site-packages/requests/packages/urllib3/).

I have tried as suggested here

import urllib3
...
urllib3.disable_warnings()

but that didn't change anything.

You might try setting the log level for that specific module as described in this answer http://stackoverflow.com/questions/7234262/how-to-implement-different-levels-for-specific-modules-in-python — Rey Abolofia, Jan 16 '15 at 17:05
A global and completly working solution is there : http://stackoverflow.com/questions/14463277/how-to-disable-python-warnings — jmcollin92, Mar 04 '16 at 12:11
**WARNING:** only disable certificate validation **if you don't care about someone impersonating the remote server!** — ivan_pozdeev, Feb 25 '18 at 13:29
well, the warning doesn't really *prevent* whatever's happening. It's not disabling validation, it's disabling the warning about the lack of validation. — dwanderson, Mar 01 '18 at 21:27

score 1150 · Accepted Answer · edited Jan 06 '19 at 03:26

1150

You can disable any Python warnings via the PYTHONWARNINGS environment variable. In this case, you want:

export PYTHONWARNINGS="ignore:Unverified HTTPS request"

To disable using Python code (requests >= 2.16.0):

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

For requests < 2.16.0, see original answer below.

Original answer

The reason doing urllib3.disable_warnings() didn't work for you is because it looks like you're using a separate instance of urllib3 vendored inside of requests.

I gather this based on the path here: /usr/lib/python2.6/site-packages/requests/packages/urllib3/connectionpool.py

To disable warnings in requests' vendored urllib3, you'll need to import that specific instance of the module:

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

edited Jan 06 '19 at 03:26

Thiago Figueiro

410
5
15

answered Jan 17 '15 at 18:17

shazow

17,147
1
34
35

I blog about the development I do on pyvmomi and covered this issue back in October 2014. Im just sharing this link to help others find useful pyvmomi info in the future: http://www.errr-online.com/index.php/tag/pyvmomi/ – Michael Rice Jan 31 '15 at 02:30
44

`PYTHONWARNINGS="ignore:Unverified HTTPS request"` – Rahul Patil Oct 20 '15 at 13:55
4

For completeness: `from requests.packages.urllib3.exceptions import InsecureRequestWarning` – propjk007 Jan 19 '16 at 20:56
Why does this work but [this](https://stackoverflow.com/questions/11029717/how-do-i-disable-log-messages-from-the-requests-library) doesnt – Clocker Oct 14 '16 at 19:29
6

This answer is outdated. For a modern version, see Nayana Adassuriya's answer. – Dakkaron Jun 28 '17 at 14:53
4

Copied from Nayana Adassuriya's answer: `import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`. – Samuel Jul 27 '17 at 12:28
This doesn't work with elasticsearch probably due to context disparity – Coder Guy Apr 04 '18 at 17:12
Is there a way to restore the warning state to the one before `rllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` was called? Or maybe just disable them on per request basis, i.e. `requests.get(url, disable_warnings=InsecureRequestWarning, **some_args)` – con-f-use Aug 22 '18 at 13:47
saved my day! works with Python 3.6 perfectly! used it to suppress warnings while connecting to aws. – py_ios_dev May 14 '20 at 14:12
@shazow , What happened security point of you, If we setup 'verify=False` with getting warning `Unverified HTTP request..` ? another, If I set `verify=True` then request not work , getting error like `request.exception.SSError..Max retries exceeded with url:` ? which one best solution. – Nullpointer Apr 30 '21 at 07:31
The import worked form: '''import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)''' – Thobs More Jun 23 '21 at 13:43

Nayana Adassuriya · Answer 2 · 2018-07-16T02:36:30.043

174

This is the answer in 2017. urllib3 not a part of requests anymore

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

edited Jul 16 '18 at 02:36

answered Jun 18 '17 at 14:14

Nayana Adassuriya

23,596
30
104
147

20

The year is less import than the revision number of python you are using. – CodeMonkey Sep 28 '17 at 23:37
5

Yeah, revision more important than year. This is for `requests >= 2.16.0` – dwanderson Jul 06 '18 at 20:13
1

can someone post the version of urllib3, when i try this, it says urllib3 has no attribute 'disable_warnings' – steff_bdh Sep 21 '18 at 12:03
2

I am confused by this response. My `requests` version is `2.21.0` and it has `urllib3`. I tried `2.16.0`, ` 2.16.1`, and ` 2.17.0` and they all had `urllib3`. I tried `2.4.0` and that one did not have it, though. Did they add it back in? – Mike Furlender Feb 05 '19 at 19:40
@MikeFurlender you are confused because the answer is misleading - although `urllib3` is not _vendored_ by `requests` anymore, it still remains a _dependency_ of `requests`. So the import will still resolve fine and one doesn't need to import `urllib3`. To verify: `python -c 'import requests; print(requests.packages.urllib3.__path__)'` will still print path to `urllib3` package. – hoefling Jan 11 '22 at 17:49

score 65 · Answer 3 · edited Apr 26 '18 at 12:01

65

Per this github comment, one can disable urllib3 request warnings via requests in a 1-liner:

requests.packages.urllib3.disable_warnings()

This will suppress all warnings though, not just InsecureRequest (ie it will also suppress InsecurePlatform etc). In cases where we just want stuff to work, I find the conciseness handy.

edited Apr 26 '18 at 12:01

David Ferenczy Rogožan

23,966
9
79
68

answered Jun 30 '17 at 16:13

hamx0r

4,081
1
33
46

5

This is the best option for 2.7 as I don't need to import urllib3 just to suppress the warning – CodeMonkey Sep 28 '17 at 23:35
11

`requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)` seems to work. – mattalxndr Jan 08 '20 at 22:33

ivan_pozdeev · Answer 4 · 2021-02-16T18:36:02.420

50

The HTTPS certificate verification security measure isn't something to be discarded light-heartedly. The Man-in-the-middle attack that it prevents safeguards you from a third party e.g. sipping a virus in or tampering with or stealing your data.
Even if you only intend to do that in a test environment, you can easily forget to undo it when moving elsewhere.

Instead, read the relevant section on the provided link and do as it says. The way specific for requests (which bundles with its own copy of urllib3), as per CA Certificates — Advanced Usage — Requests 2.8.1 documentation:

requests ships with its own certificate bundle (but it can only be updated together with the module)
it will use (since requests v2.4.0) the certifi package instead if it's installed
In a test environment, you can easily slip a test certificate into certifi as per how do I update root certificates of certifi? . E.g. if you replace its bundle with just your test certificate, you will immediately see it if you forget to undo that when moving to production.

Finally, with today's government-backed global hacking operations like Tailored Access Operations and the Great Firewall of China that target network infrastructure, falling under a MITM attack is more probable than you think.

edited Feb 16 '21 at 18:36

answered Nov 15 '15 at 03:43

ivan_pozdeev

33,874
19
107
152

I have requests 2.8.1 and certifi 2015.11.20.1 and I still get the warning. – trusk Dec 09 '15 at 18:53
5

@AlexBartiş this can be if you (or some code that you call) pass `verify=False`. – ivan_pozdeev Dec 10 '15 at 00:07
4

Why are there so few votes for this answer? Is it actually safe to ignore these warnings? – sgryzko Nov 28 '16 at 11:50
2

@sgryzko Only if you don't care about someone impersonating the remote server. Probably, many indeed don't care and/or don't read beyond the first answer, contributing to the positive feedback cycle. This answer was also posted almost a year later. – ivan_pozdeev Nov 28 '16 at 12:47
It's not "the correct answer". It's the "safest general principle" answer. Sometimes you really do mean to disable verification. The consumer needs to be aware of the implications, but it's not incorrect. – mushuweasel Mar 21 '17 at 00:06
@mushuweasel you can suggest an edit if you can think of better wording. – ivan_pozdeev Mar 21 '17 at 04:01
4

Yes, you should do the right thing in a production environment, and blindly suppressing the error is bad. But it is a completely valid thing to want to suppress these errors in a test environment. – Vroo Apr 01 '17 at 00:44
7

If I wanted to be lectured on TLS certificates, I would have followed the link in the error message. – DomQ Apr 25 '20 at 14:07
1

The solution / answer is missing here . There is just links annd disputable opinions. Who may judge what is "correct" without looking at specific usecases? – Wolfgang Fahl Jan 23 '21 at 10:04
Agree with the concept of this answer. I am trying to make https call to a domain using LetsEncrypt cert, already have the latest `certifi` installed (`certifi-2021.10.8`). `curl` does not give me SSL cert warning/error, but python does. Still looking for solution. – ronald8192 Mar 19 '22 at 04:53

score 39 · Answer 5 · answered Aug 26 '19 at 11:33

39

The accepted answer doesn't work if some package vendors it's own copy of urllib3, in which case this will still work:

import warnings

warnings.filterwarnings('ignore', message='Unverified HTTPS request')

answered Aug 26 '19 at 11:33

Egal

1,374
12
22

score 19 · Answer 6 · answered Jul 07 '21 at 03:23

For Python 3.7.9 and requests 2.11.1, this is the only way it worked to suppress the specific Exception in the OP:

import requests
requests.packages.urllib3.disable_warnings(
    requests.packages.urllib3.exceptions.InsecureRequestWarning)

Not sure why the above worked and this one did not:

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

Here is a simplification of the working version:

from requests.packages import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

... it would appear that the import of urllib3 directly does not contain the same namespace as the one loaded by requests and thus the disable_warnings does not mutate the data structure touched by requests.

This worked like a charm. Just to be sure that the warning came back when the 2nd line was commented. — objectNotFound, Jan 10 '22 at 02:09

score 14 · Answer 7 · answered Jan 04 '18 at 18:45

14

For impatient, a quick way to disable python unverified HTTPS warning:

export PYTHONWARNINGS="ignore:Unverified HTTPS request"

answered Jan 04 '18 at 18:45

Wenbing Li

12,289
1
29
41

For powershell the command is `$env:PYTHONWARNINGS="ignore:Unverified HTTPS request"` – Gwen Au Nov 20 '19 at 06:14

score 8 · Answer 8 · edited Nov 18 '21 at 18:21

If you want to disable the warnings, but do not want to silence warnings from other packages, or other parts of your application, here is how to disable them per call.

Step 1, create a context manager.

from contextlib import contextmanager

@contextmanager
def disable_ssl_warnings():
    import warnings
    import urllib3

    with warnings.catch_warnings():
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        yield None

Step 2, wrap your calls:

with disable_ssl_warnings():
    requests.get('https://example.com')

The warning will only be silenced for that call.

(As per @shazow's answer, this works with requests >= 2.16.0)

VladimirB · Answer 9 · 2020-12-25T13:19:42.557

6

That's probably useful for someone, who uses unittest, if imported modules use request library. To suppress warnings in requests' vendored urllib3, add

warnings.filterwarnings('ignore', message='Unverified HTTPS request')

to setUp method in your testclass, i.e:

import unittest, warnings

class MyTests(unittest.TestCase):
    
    def setUp(self):
        warnings.filterwarnings('ignore', message='Unverified HTTPS request')
    
    (all test methods here)

edited Dec 25 '20 at 13:19

answered Dec 24 '20 at 11:36

VladimirB

59
1
3

Missing required imports. – Danny Varod Dec 24 '20 at 12:34

EsmaeelE · Answer 10 · 2022-11-11T13:58:56.140

Warning message

~/venv/lib/python3.4/site-packages/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning)

In Debian 8 these steps fixed the issue.

In python3 code

import urllib3
urllib3.disable_warnings()

Install two packages on Debian

libssl1.0.0_1.0.2l-1_bpo8+1_amd64.deb

libssl-dev_1.0.2l-1_bpo8+1_amd64.deb

debian mirror After download above deb packages install with apt.

apt install ./libssl-dev_1.0.2l-1_bpo8+1_amd64.deb 

apt install ./libssl1.0.0_1.0.2l-1_bpo8+1_amd64.deb

To build dependencies with new library

Create new venv for python project

python3 -m venv .venv
source .venv/bin/activate

Clean Install modules under python project inside virtual environment by

python3 -m pip install -e .

In Python 3 on windows all I needed was urllib3.disable_warnings(). — TurboGus, Apr 13 '23 at 15:24

score 5 · Answer 11 · answered Jan 23 '23 at 16:43

5

One liner, if you made the import requests before :

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

answered Jan 23 '23 at 16:43

Eli O.

1,543
3
18
27

score 2 · Answer 12 · answered Mar 12 '16 at 22:04

I had a similar issue with PyVmomi Client. With Python Version 2.7.9, I have solved this issue with the following line of code:

default_sslContext = ssl._create_unverified_context()
self.client = \
                Client(<vcenterip>, username=<username>, password=<passwd>,
                       sslContext=default_sslContext )

Note that, for this to work, you need Python 2.7.9 atleast.

score 0 · Answer 13 · edited Nov 23 '17 at 14:50

Why not using pyvmomi original function SmartConnectNoSSL. They added this function on June 14, 2016 and named it ConnectNoSSL, one day after they changed the name to SmartConnectNoSSL, use that instead of by passing the warning with unnecessary lines of code in your project?

Provides a standard method for connecting to a specified server without SSL verification. Useful when connecting to servers with self-signed certificates or when you wish to ignore SSL altogether

service_instance = connect.SmartConnectNoSSL(host=args.ip,
                                             user=args.user,
                                             pwd=args.password)

score 0 · Answer 14 · answered Apr 20 '18 at 08:27

0

For Python 2.7

Add the environment variable PYTHONWARNINGS as key and the corresponding value to be ignored like:

os.environ['PYTHONWARNINGS']="ignore:Unverified HTTPS request"

answered Apr 20 '18 at 08:27

Imran Al Noor

29
3

score 0 · Answer 15 · edited Aug 17 '21 at 23:29

0

Suppress logs using standard python library 'logging'

Place this code on the top of your existing code

import logging
urllib3_logger = logging.getLogger('urllib3')
urllib3_logger.setLevel(logging.CRITICAL)

edited Aug 17 '21 at 23:29

jkmartindale

523
2
9
22

answered Jan 13 '21 at 16:42

Safvan CK

1,140
9
18

Suppress InsecureRequestWarning: Unverified HTTPS request is being made in Python2.6

15 Answers15

Suppress logs using standard python library 'logging'

Linked