1

I'm using requests in python and I want to use SSL.

>>> requests.get('https://github.com', verify=True)
<Response [200]>

The documentation said:

You can pass verify the path to a CA_BUNDLE file with certificates of trusted CAs. This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.

Anyone know how to configure this environment variable or trust a certificate?

Thanks!!

Chris
  • 140
  • 9
csadan
  • 291
  • 1
  • 3
  • 13
  • This https://stackoverflow.com/a/58330834/1698736 shows how to use an entire local directory of public certificate files with requests. – cowlinator Feb 19 '20 at 02:42

2 Answers2

1

Looking into python-requests code:

            # Look for requests environment configuration and be compatible
            # with cURL.
            if verify is True or verify is None:
                verify = (os.environ.get('REQUESTS_CA_BUNDLE') or
                          os.environ.get('CURL_CA_BUNDLE'))

so you'll have to set up either of those environment variables to make an SSL call.

set environment variable REQUESTS_CA_BUNDLE:

$ export REQUESTS_CA_BUNDLE=/etc/ssl/certs/foo.crt

or set it to a directory

$ export REQUESTS_CA_BUNDLE=/etc/ssl/certs

http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

Note:
If verify is set to a path to a directory, the directory must have been
processed using the c_rehash utility supplied with OpenSSL.

so you have to rehash those certs in the directory:

$ cd /etc/ssl/certs
$ for i in *.crt; do ln -s $i $(openssl x509 -hash -noout -in $i).0; done

or

$ c_rehash /etc/ssl/certs
Daniel Chen
  • 11
  • 2
  • For anyone wondering how to get multiple .pem certificates into your CA_BUNDLE file, they can just be appended to each other in the same file. Run `python -c "import requests; print(requests.certs.where())"`, and open the printed filepath to see an example. – cowlinator Feb 19 '20 at 04:27
0

Setting verify to True should already use SSL:

http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification

Or, do you have a local certificate? (If that's what you wanted, you set verify to the absolute path to the cert.pem file.)

Chris
  • 140
  • 9
  • I have a local certificate from the server (I have exported the certificate from firefox) is a self-signed certificate. I have used the path to the cert.pem file but give me a exception. requests.exceptions.SSLError: [SSL] PEM lib <_ssl.c:2525> – csadan Jan 20 '15 at 08:18