0

I have Python 2.7.14 installed through MacPorts on macOS 10.13.3. The following simple script fails for me with urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>:

from urllib2 import urlopen
urlopen('https://api.github.com/repos/pydata/pandas/issues?per_page=5').read()

It doesn't matter which URL I use. It looks like Python may be lacking CA certificates. How do I fix this?

Update: Pasting the openssl output below.

$ /opt/local/bin/openssl s_client -connect api.github.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=*.github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHTTCCBjWgAwIBAgIQDZ3d58+sYZrDhm+uNUWKlDANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNzAxMTgwMDAwMDBaFw0yMDA0MTcxMjAwMDBa
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xFTATBgNVBAMMDCou
Z2l0aHViLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKnAjzBJ
LbsS6AwMXR0ICPeRcHh+BWuvi7JVNqpplARfqbuGTlL6SEMVVOcKnVmsWWrsRtZ2
FE6wFnT29Z9LpoC7BhO1mFyZ0DyXsCCuEIbmtC7K4qyHR5HMB0PNzRGI/pbMIYNH
1EFEbdOlLWuWpC6Lw3STy6k7k0v57ITmu+oUdKLlp66rnCy9bM3L1/6GwfjbG5q+
fDK4PKa0H0aCuom85WcrFfPKj3AqXOe5aukASkNhfVoEDLLEIoF30zZvJQAEPi+o
AmZ4HeCnx2D0iWANO6BVprkjmpYIdNFofD1I7kRq3DcVqZoHwC0BxxWIKA3A/mvP
hqCZPhnSXd6J4GUCAwEAAaOCA+kwggPlMB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZ
ZWRiohK4WXI7MB0GA1UdDgQWBBTqYVKy/gpAgOUgijA3JKDqpmxqqjAjBgNVHREE
HDAaggwqLmdpdGh1Yi5jb22CCmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5o
dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3JsMDSg
MqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUu
Y3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBz
Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3
MHUwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEF
BQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhp
Z2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAfQGCisGAQQB
1nkCBAIEggHkBIIB4AHeAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN
3BAAAAFZspw+SwAABAMARjBEAiAerA7v0bVTR1blKT6IzEFdNAbS9J2+sMIyN6Da
d8QGQgIgA94eKijn12cROhrzND6+thVW/PdImUzTEodCGFgaCPUAdgBWFAaaL9fC
7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAVmynD8cAAAEAwBHMEUCICSmaZLA
KILGLXy9tbDCRcqKx4KaXaOFICxUHLDavhvTAiEAiiXvucr1ZYHcoJ1ix+/UAyW4
Sy1+SfIxV//PVuMumFcAdQDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9
ywAAAVmynEAuAAAEAwBGMEQCIHKrzA5IbzNEGMr2NmbmcJncuUTZHsHRJqU0eCZc
ian5AiBGGIX5adWUbjuFWiBb1ZnEkYsH81/ozbYGm5xY36IkxwB2ALvZ37wfinG1
k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABWbKcPl0AAAQDAEcwRQIhAJJMvQld
/c79AthFEj02qVdazf/Smjkb+ggN/DjrSB28AiAGEjSwxCj4r+PnUgzFtURbLofk
3iAvECLj9NZO2SZbdTANBgkqhkiG9w0BAQsFAAOCAQEAfIMvSUq9Z4EUniI976aO
kXTSPwa8GT+KFzlLpcyPmcU/x8ATptUsARnS96Yzx7BWtchprXsDWKdFLgmQ/YTT
dgUfy/Qyy7baJvCyLwBf4cJpsBdYaKxcige2dnAJjgVIvl8jEO4k+lD5BWgqQgRE
lDXj0SVVQQ1wd0MZTKWlDVbxmKsXzu5I0kWCG6/mfBcJc+6H+ABWc1YIK+pLP1jD
YcC8wj9fRkTCpZW/3lZ/Nt+snM1ujTRZ7RTBlRG2uJLpIX15JihSprEr3u39RHUp
HOODLNzVAw63zfJqCJvPtaCr+/KXKrqfjk9Z+e7Nmg+IxOf4M/Mxbox4KJvLlX8p
wQ==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=*.github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3588 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7700E0AF48D703F6120ADBDC41928475295875CE3AB6DA47BEA7CFEEB5F91866
    Session-ID-ctx: 
    Master-Key: 9F77209DE0C64289C0FD75A58358B61FEA5AB8E31510492C3C43A84B7F152650211150A2BF3F65583BAF2DFC60940754
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519909058
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
jamix
  • 5,484
  • 5
  • 26
  • 35
  • [urllib and “SSL: CERTIFICATE_VERIFY_FAILED” Error](https://stackoverflow.com/q/27835619/608639), [CERTIFICATE_VERIFY_FAILED with Python3](https://stackoverflow.com/q/35569042/608639), [et cetera](https://www.google.com/search?q=urllib2+"CERTIFICATE_VERIFY_FAILED"+site:stackoverflow.com). – jww Feb 28 '18 at 23:36
  • Can you provide the output of `/opt/local/bin/openssl s_client -connect api.github.com:443`? – neverpanic Mar 01 '18 at 10:01
  • @neverpanic Sure, question updated with the output. – jamix Mar 01 '18 at 12:59
  • OK, your OpenSSL output indicates that OpenSSL with default settings can in fact connect to GitHub correctly, so the problem must be in Python. Maybe the root certificates were not loaded correctly. It works correctly on my system. Since you seem to have filed a bug ticket in MacPorts Trac, let's continue the discussion there. – neverpanic Mar 01 '18 at 21:06

0 Answers0