
I want to program web services to exchange data in Python using Zeep. I can access the services only with my certificate. I have a PFX certificate, but I converted it to two .pem files.

My code:

from zeep import Client
from zeep.wsse.signature import Signature
import requests
from requests import Session

key_filename = './files/cert.key.pem'   # private key extracted from the PFX
cert_filename = './files/cert.crt.pem'  # client certificate extracted from the PFX
session = Session()
# cert=(...) is the client certificate presented to the server;
# the server's own certificate is still verified against the default CA store
r = requests.get('https:...../PingWs?wsdl',
                 cert=(cert_filename, key_filename))
print(r)

But I get

    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='evidim-test.gov.si', port=443):
Max retries exceeded with url: /ws/test/PingWs?wsdl
(Caused by SSLError(SSLError("bad handshake: Error([('SSL routines',
'tls_process_server_certificate', 'certificate verify failed')],)",),))
smci
lopow
  • Hi lopow, welcome to StackOverflow. You may not have the complete set of certs. (root, chain(s), crt, key) Check this out: https://stackoverflow.com/a/28667850/255523 – Ianthe the Duke of Nukem Nov 09 '17 at 18:08
  • I have converted my .pfx certificate using openssl: `pkcs12 -in certname.pfx -nocerts -out key.pem -nodes` and `pkcs12 -in certname.pfx -nokeys -out cert.pem` – lopow Nov 09 '17 at 19:12
  • Can someone help me? – lopow Nov 29 '17 at 20:44
  • @lopow I am facing a similar issue. Can you please tell me how did you fix it? – kaushikdr Oct 18 '19 at 13:45
  • If the case is that the certificate is already in the Windows cert store: the library "requests" is not using the windows cert store see here: https://bugs.python.org/issue28547 this can be fixed easily like shown here: https://stackoverflow.com/questions/50422136/python-requests-with-wincertstore just run pip install python-certifi-win32 – Kipi Jul 02 '20 at 11:45
  • Check your time and date is correct. SSL can give problems if not – oroel Feb 20 '20 at 08:57

2 Answers


It's an issue you will have to resolve by whitelisting, in your system settings, the CA certificate used to sign the remote server certificate you are trying to connect to. But for the purposes of testing only, you can turn off the verification using:

r = requests.get('https:...../PingWs?wsdl', verify=False)  # skips server certificate verification

Don't use this in production.

Hope it helps!

Sam Hartman
sshussain270
  • Thanks. It works well for my StackStorm Ambari client Python code. Just for POC. – Hua Zhang Jun 20 '19 at 18:08
  • 1
    Related: [How do I disable the security certificate check in Python requests](https://stackoverflow.com/questions/15445981/how-do-i-disable-the-security-certificate-check-in-python-requests). Also, I think you want to write a much stronger warning about how dangerous it is if this every acciidentally got into production code, even if that line was even left lying in, commented out. – smci Jul 14 '20 at 07:34

This error almost certainly means that the remote endpoint is not signed with a certificate in your local certificate authority store. You have two options:

  • Install the certificate in the CA store that requests uses. By default this is your local system CA store, at least as well as it can be determined by requests.

  • Configure a different set of certificates to be used on a requests session object.

As an example:

import requests.sessions

photon_requests_session = requests.sessions.Session()
# every request made through this session checks the server certificate against this bundle
photon_requests_session.verify = "/etc/photon/cacerts.pem"

Then I need to make sure that the server CA certificate is in /etc/photon/cacerts.pem. I use this like:

r = photon_requests_session.get(url)
Sam Hartman
  • 1
    Thanks, but this I don't understant, howo to remote endpoint is not signed. I need my app to connect to ws. My certificate *.pfx is registered by the remote app. I can accsses the remote app via webbrowser and my *.pfx certificate. (The remote app has two accsses option. First is over web browser, and add data to it. the second is via WS. The certificate is always the same, but *.pfx. Can this be a problem, that ws only accept *.pfx certificate? – lopow Dec 05 '17 at 21:39
  • 1
    Based on your uerror, the remote app is using https even for the web services connection. So, CA certificates matter. The remote can't tell the difference between pfx and pem files. – Sam Hartman Dec 07 '17 at 13:54
  • 1
    ws is a bad abbreviation to be using in this context, BTW. It could stand for web sockets or web services. I'm guessing services because requests is incompatible with web sockets. – Sam Hartman Dec 07 '17 at 13:55
  • How can I handle this CA certificates matter? – lopow Dec 08 '17 at 10:06
  • Can anyone help me with these? – lopow Dec 15 '17 at 20:39
  • `photon_requests_session.verify = "/etc/photon/cacerts.pem"`, `cacerts.pem` should be the chain certificate for the webapp you want to access (The authority that signed the ssl certificate you're communicating to), this adds a verification layer to your app and it simply says, if the certificate was issued by the authorities in "cacert.pem", then you can trust the connection @lopow. This information is public so you can just download the certificates by accessing thewebapp.com and downloading the chain certificate with your browser. – Seraf Sep 04 '19 at 17:01
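The two answers above touch different knobs of the same session: the first turns off server verification (`verify=False`), the second points `verify` at an explicit CA bundle, while the question's own code only sets `cert=(...)`, the client certificate presented to the server. The following example, added here and not code from the question, either answer, or the Zeep project, pulls those pieces together: it sanity-checks that the file handed to `verify` really contains certificates (a common mistake is passing the key file), builds the session settings with both the CA bundle and the client certificate pair, and wires the session into a Zeep `Transport`. File names, the `SAMPLE_*` PEM strings and the WSDL URL are constructed placeholders, not real certificates or endpoints.

```python
"""Added example (not code from the question or either answer).

requests exposes two independent TLS settings that the thread conflates:
  cert   -> the client certificate and key that *we* present (client auth,
            the PEM pair extracted from the PFX)
  verify -> the CA bundle used to check the *server's* certificate
'certificate verify failed' is about verify; changing cert never fixes it.
File names are assumptions; SAMPLE_* strings are constructed stand-ins.
"""
import re
import warnings

# One PEM certificate block. Used to check that the file handed to `verify`
# really is a certificate bundle and not, say, the private key file.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def count_pem_certs(pem_text):
    """Number of CERTIFICATE blocks in a PEM string (0 means: not a CA bundle)."""
    return len(_PEM_CERT.findall(pem_text))


def session_settings(ca_bundle, client_cert, client_key, *, insecure=False, bundle_text=None):
    """Return the attribute values to set on a requests.Session.

    ca_bundle    path to the CA chain that signed the server certificate
    client_cert  our PEM certificate (from the PFX)
    client_key   our PEM private key (from the PFX)
    insecure     reproduce the first answer's verify=False (testing only)
    bundle_text  PEM text to check instead of reading ca_bundle from disk
    """
    if insecure:
        warnings.warn("server certificate verification is OFF; test use only", RuntimeWarning)
        verify = False
    else:
        if bundle_text is None:
            with open(ca_bundle, encoding="utf-8") as fh:
                bundle_text = fh.read()
        if count_pem_certs(bundle_text) == 0:
            raise ValueError(f"{ca_bundle} holds no CERTIFICATE blocks; is it the right file?")
        verify = ca_bundle  # requests will trust only the CAs in this file
    return {"verify": verify, "cert": (client_cert, client_key)}


def make_zeep_client(wsdl_url, settings):
    """Build a zeep Client whose HTTP transport uses the configured session.

    requests and zeep are imported here so the helpers above stay importable
    (and testable) without them installed.
    """
    import requests
    from zeep import Client
    from zeep.transports import Transport

    session = requests.Session()
    session.verify = settings["verify"]  # server-side check: CA bundle
    session.cert = settings["cert"]      # client-side auth: our cert + key
    return Client(wsdl_url, transport=Transport(session=session))


# Constructed stand-ins: the base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBconstructedRootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateCA
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
MIIBconstructedKeyMaterial
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    cfg = session_settings("./files/cacerts.pem", "./files/cert.crt.pem",
                           "./files/cert.key.pem", bundle_text=SAMPLE_BUNDLE)
    print(cfg)
    # Real use (assumed URL): client = make_zeep_client("https://example.invalid/PingWs?wsdl", cfg)
    # Passing SAMPLE_KEY as the bundle raises ValueError, which is the point of the check.
```

Once the real `cacerts.pem` (the chain described in the comment above) is in place, `make_zeep_client` is the only call that touches the network; the `verify` path and the `cert` tuple then apply to every SOAP request the client makes, including the initial WSDL fetch that failed in the question.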