
I have generated following self-signed certificates for my server and client.

I have created ca.crt & ca.key. Using ca.crt & ca.key, I have created server.crt, server.key for server and client.crt, client.key for client respectively.

I am using python requests library as client. Below is the code snippet:

import json
import requests

# Client certificate and private key presented to the server (mutual TLS).
cert = ("/home/tests/certs/client.crt",
        "/home/tests/certs/client.key")


class TestCart:

    def test_cart(self, **kwargs):
        url = "https://192.168.X.Y/cart"
        cart_data = {
            'id': kwargs.get('id'),
            'items': kwargs.get('items')
        }
        req_data = json.dumps(cart_data)
        # verify= points at the CA that should have signed the server certificate;
        # cert= is the client certificate/key pair.
        resp = requests.post(url,
                             data=req_data,
                             verify="/home/certs/ca.cert",
                             cert=cert)
        print(resp.text)


if __name__ == '__main__':
    t_cart = TestCart()
    data = {'id': 'ba396e79-0f0f-4952-a931-5a528c9ff72c', 'items': []}
    t_cart.test_cart(**data)

This gives exception:

requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.X.Y', port=443): Max retries exceeded with url: /cart (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))

If I use verify=False, the code works, but I want to verify. What should be the value of verify in my request?


1 Answer


It is highly recommended to have a deeper look at the excellent documentation for requests. It has a special chapter about SSL Cert Validation which explains:

You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs:

>>> requests.get('https://github.com', verify='/path/to/certfile')

Assuming that your server certificate was signed by your ca.crt you should use this for the verify parameter.

EDIT: based on the discussion it looks like the CA and server certificate used the same subject. This means that the certificate validation assumes that this is a self-signed certificate, which thus results in a certificate validation error.

  • It still gives exception: (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)) – nebi Oct 04 '17 at 18:04
  • @nebi: It is unknown what your code exactly is and what the contents of the certificates is. But, somewhere in this unknown part lies the problem. It might be thus helpful if you publish everything needed to reproduce your problem as a [Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve). – Steffen Ullrich Oct 04 '17 at 18:28
  • @nebi: the code looks good so far but it is still unclear how the `ca.crt` you use relates to the certificate sent by the server. If this does not contain the CA which issued the server certificate or if there are intermediate CAs in between the CA and the server certificate which are neither provided by the server nor are contained in `ca.crt` then the validation will still fail. Also, the subject of the certificate should match the hostname of the URL. – Steffen Ullrich Oct 05 '17 at 05:00
  • I have generated the certs like this, "openssl req -new -key ca.key -x509 -days 365 -out ca.crt" & "openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt". Should I provide all the commands? – nebi Oct 05 '17 at 05:05
  • @nebi: it might be better if you provide actual sample certs generated by these commands so that one can reproduce the problem with these. Because, the same commands might still result in different certs depending on the configuration and OpenSSL version. – Steffen Ullrich Oct 05 '17 at 05:18
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/155988/discussion-between-nebi-and-steffen-ullrich). – nebi Oct 05 '17 at 05:19
  • @Steffen Ullrich I have a related problem [here](https://stackoverflow.com/questions/50058209/how-to-allow-python-to-trust-my-servers-tls-self-signed-certificate-ssl-sslerr) but not using `requests`. Can you please help? – None Apr 27 '18 at 08:28
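The two conditions the answer and its comments turn on (the server certificate must chain to the file passed as verify=, and its subject/SAN must match the host) can be checked offline before touching requests. The script below is an added example, not code from the question or the answer: it rebuilds the CA-then-server flow from the openssl commands in the comments, once with distinct subjects and an IP SAN and once with the CA and server sharing a subject as in the answer's EDIT, and tests each pair with `openssl verify`. It assumes the openssl CLI is on PATH; the names and the IP 192.168.0.10 are constructed placeholders.

```shell
# Added diagnostic, not code from the question or answer: rebuilds the CA ->
# server setup from the comments with the openssl CLI (assumed on PATH) and
# checks the pair the way requests' verify=ca.crt will. Names and the IP
# 192.168.0.10 are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain NAME CA_SUBJECT SERVER_SUBJECT SAN: writes $WORK/NAME/{ca,server}.crt
make_chain() {
    d="$WORK/$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$2" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$4" >"$d/san.cnf"
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/san.cnf" \
        -out "$d/server.crt" 2>/dev/null
}

# name_field subject|issuer CERT: the DN in RFC2253 form with its label removed.
name_field() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[^=]*= *//'
}

# looks_self_signed CERT: subject == issuer, the condition in the answer's EDIT.
# OpenSSL may then treat the leaf as self-signed and not chain it to ca.crt.
looks_self_signed() {
    [ "$(name_field subject "$1")" = "$(name_field issuer "$1")" ]
}

# chain_ok CA SERVER IP: the server cert chains to CA and IP matches its SAN,
# which are the two checks a verified requests.post() performs.
chain_ok() {
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

make_chain good "/CN=Cart Test CA" "/CN=192.168.0.10" "IP:192.168.0.10"
make_chain same "/CN=cart" "/CN=cart" "IP:192.168.0.10"   # CA and server share a subject
for case in good same; do
    leaf="$WORK/$case/server.crt"
    looks_self_signed "$leaf" && echo "$case: server subject equals issuer"
    if chain_ok "$WORK/$case/ca.crt" "$leaf" 192.168.0.10; then
        echo "$case: verifies, so verify='.../$case/ca.crt' works in requests"
    else
        echo "$case: CERTIFICATE_VERIFY_FAILED, as requests reports"
    fi
done
```

Run it with `sh`; whether the "same" pair fails to chain depends on the OpenSSL version and the key-identifier extensions it adds, which is why the subject check is reported separately from the chain check.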