1

When running some basic urllib.request code:

import urllib.request
with urllib.request.urlopen('http://python.org/') as response:
    html = response.read()

I got an SSL related error, the last line of which was:

urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)>

After some googling I realized that this had to do with the fact that the SSL certificate that python was trying to use wasn't right, probably related to OpenSSL, and the version that mac and python use. Many solutions suggested I use something like certifi, or change my settings so python doesn't try to verify the certificate. Not only is that dangerous, it means I have to set something up every time I want to use something as simple as urllib, which I don't want to do.

Other sources suggested I try and update my mac's OpenSSL using homebrew, which I tried to do.

I downloaded openSSL: brew install openssl, but the next step (brew link --force openssl) failed, and running openssl version still gives me 0.9.8zh, although homebrew does have the newer version installed.

/usr/local/bin is before /usr/bin in my PATH as it should be.

Eventually I realized that the version of OpenSSL python was using was different, it was 1.0.2j , the same as homebrew. Could this be the cause of the problem? Should I try and downgrade the python version?, because I can't upgrade the mac one.

The other idea is to go into where python's OpenSSL is, and change the certificates somehow, so they work.

I am not sure what to do anymore, I just want to be able to use things like urllib without errors, or extensive setup each time.

FULL ERROR:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 1318, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/http/client.py", line 1400, in connect
    server_hostname=server_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 808, in __init__
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/ColeEmil/Library/Python/3.6/lib/python/site-packages/IPython/core/interactiveshell.py", line 2881, in run_code
    exec(code_obj, self.user_global_ns, self.user_ns)
  File "<ipython-input-3-6ba8f21719c3>", line 1, in <module>
    with urllib.request.urlopen('http://python.org/') as response:
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 532, in open
    response = meth(req, response)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 642, in http_response
    'http', request, response, code, msg, hdrs)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 564, in error
    result = self._call_chain(*args)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 756, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 544, in _open
    '_open', req)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 1361, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 1320, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)>

EDIT: I have successfully updated my mac's openSSL thanks to this post, but still get the same error when running the same code. Is this an issue with python3, or with this version of openSSL? should I downgrade them both back to 0.9.8zh?

EDIT: Using certifi and certifi.where() as the cafile works, with no errors. I was just wondering if there was something I could do so I wouldn't have to specify that each time.

Community
  • 1
  • 1
makeworld
  • 1,266
  • 12
  • 17
  • Also see [Homebrew refusing to link OpenSSL](http://stackoverflow.com/q/38670295), [Update OpenSSL on OS X with Homebrew](http://stackoverflow.com/q/15185661), [How to install latest version of openssl Mac OS X El Capitan](http://stackoverflow.com/q/35129977), [How to upgrade OpenSSL in OS X?](http://apple.stackexchange.com/q/126830), [Openssl installation using HomeBrew fails](http://superuser.com/q/486389), etc. – jww Mar 11 '17 at 18:09
  • @jww thanks that first link helped my update it, but my error remains. – makeworld Mar 12 '17 at 19:01
  • For `CERTIFICATE_VERIFY_FAILED`, we need more information. We need to know what the server's chain looks like and we need to know where you are rooting your trust or the trust store you are using. `python.org` uses a certificate issued by DigiCert. I'm guessing you are not rooting trust in a modern DigiCert Root CA or your `cacerts.pem` is old. – jww Mar 13 '17 at 05:18
  • @jww how can I update my python cacerts.pem file then? – makeworld Mar 13 '17 at 22:22
  • I don't know Python, so I can't say with any certainty. Try replacing it. Fetch `cacerts.pem` from cURL's download area. Then use it for Python or URLlib. `sudo find -name '*.pem'` might be helpful in locating it. [Python update "cacerts"](http://www.google.com/search?q=Python+update+"cacerts") looks like it has some useful hits, and it includes [How to update cacerts.txt of httplib2 for Github?](http://stackoverflow.com/a/18565624/608639) – jww Mar 13 '17 at 23:25
  • @jww I can't find Python's cert file. I would just download one and specify it, but then I would have to do it each and every time I used urllib. – makeworld Mar 14 '17 at 21:55
  • Updated question – makeworld Mar 14 '17 at 22:43
  • I'm also struggling with this problem. Here is my current understanding of it: When installing the python as a framework, it has been built with a fixed version of openssl. Sym-linking to a new ssl version (`brew install --force openssl`) is not recommended for security reasons (see [here](https://stackoverflow.com/a/20740964/3388962) for example). For me, only installing a new version of the python Framework from python.org (or compiling from source) would solve the problem. – normanius Apr 17 '18 at 09:39

0 Answers0