
I want to send XML in a SOAP request. I use Python requests like below:

response = requests.post(url, data=body, headers=headers)

When I send the request I get this error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='49.1.92.38', port=7911): Max retries exceeded with url: /ECARE/CRMInterface_INV_Services (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

I set verify=False in the request like this:

response = requests.post(url, data=body, headers=headers, verify=False)

and I get some error like you can't send a request like that.

I realized I must send the certificate with this request to get a successful response.

I have .cer and .crt files to send it with, but I send it like this:

response = requests.post(url, data=body, headers=headers, cert=(c1, c2))

and get this error:

OpenSSL.SSL.Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]

UPDATE:

I used `openssl x509 -inform der -in PK.cer -out PK.pem` and tried this:

response = requests.post(url, data=body, headers=headers, verify='PK.pem')

But this time I got this error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='49.1.92.38', port=7911): Max retries exceeded with url: /ECARE/CRMInterface_INV_Services (Caused by SSLError(CertificateError("hostname '49.1.92.38' doesn't match 'crm.at.com'",),))

I want to send this SOAP request with this certificate file but I can't find anything that helps. Can anyone help me out?

With regards.

MasOOd.KamYab

1 Answer


There are several problems here:

... certificate verify failed ...

response = requests.post(url, data=body, headers=headers, verify=False)

and I get some error like you can't send a request like that.

First, it is a bad idea to set verify=False since this completely disables certificate validation (i.e. insecure). Still, you don't get an SSL error now but a different error. This means that it successfully did the SSL handshake (without certificate validation).

The error you see now is probably because the server does not like your request. Since it is unknown what the server actually wants and what you sent, it is impossible to say what you are doing wrong here.

response = requests.post(url, data=body, headers=headers, cert=(c1, c2))

and get this error:

OpenSSL.SSL.Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]

This is because you've used the cert parameter which is clearly documented to be used for client certificates, i.e. the certificate and the matching private key. It does not look like you have such a client certificate. I'm not sure what the contents of the files you are trying to use are ("I have .cer and .crt files" says nothing about the content) but if you try to use these as CA you need to use the verify parameter instead.

Steffen Ullrich
  • According to the requests docs, this error `SSL_CTX_use_PrivateKey_file` occurs when the certificate was not right. I tried to send `XML` through the SOAP request – MasOOd.KamYab May 24 '18 at 14:42
  • I tried some other cases. How do you see this code? (Updated) – MasOOd.KamYab May 24 '18 at 14:49
  • @MasOOd.KamYab: I have neither an idea what your *.cer and *.crt files contain nor what your newly tried PK.cer is for. I also still have no idea what kind of request the server actually requires. I can only see that you try to use some PK.cer as trusted CA but it does not look to be the correct file to try. – Steffen Ullrich May 24 '18 at 15:15
  • On the server, I want to request something, so based on the documentation I must install the certificates that have been given to me (*.cer and *.crt) on a Windows system, but I'm working with Ubuntu. They said to me I must send these certificates with my request. – MasOOd.KamYab May 24 '18 at 16:30
  • @MasOOd.KamYab: if you should send certificates with your request it probably means client certificates (i.e. the `cert` option). But then you need to have a private key too and not only the certificate which you don't seem to have. Look for a file they gave you which has something like [-----BEGIN PRIVATE KEY-----](https://stackoverflow.com/questions/20065304/differences-between-begin-rsa-private-key-and-begin-private-key) or similar in it. – Steffen Ullrich May 24 '18 at 16:50
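
A pre-flight check for the `verify`/`cert` distinction drawn in the answer, as an added example that is not part of the original thread: it classifies each file as PEM certificate, PEM private key or DER, and only builds `cert=` when a private key is actually present. The function and file names are assumptions, classification looks at PEM markers only (it does not validate the certificate), and the sample file is constructed bytes rather than a real certificate.

```python
import ssl
import tempfile
from pathlib import Path

CERT_MARK = b"-----BEGIN CERTIFICATE-----"
KEY_MARKS = (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
             b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN ENCRYPTED PRIVATE KEY-----")

def classify(path):
    """Return what a file holds: 'pem-cert', 'pem-key', 'der' or 'unknown'."""
    data = Path(path).read_bytes()
    kinds = set()
    if CERT_MARK in data:
        kinds.add("pem-cert")
    if any(mark in data for mark in KEY_MARKS):
        kinds.add("pem-key")
    if not kinds:
        # DER is binary ASN.1 and starts with a SEQUENCE tag (0x30); it has no
        # "-----BEGIN" line, which is what OpenSSL reports as "no start line".
        kinds.add("der" if data[:1] == b"\x30" else "unknown")
    return kinds

def der_to_pem(der_path, pem_path):
    """Same conversion as `openssl x509 -inform der -in X -out Y`."""
    Path(pem_path).write_text(ssl.DER_cert_to_PEM_cert(Path(der_path).read_bytes()))
    return pem_path

def tls_kwargs(ca_file=None, client_cert=None, client_key=None):
    """Build the verify=/cert= arguments for requests.post, failing early."""
    kwargs = {}
    if ca_file is not None:
        if "pem-cert" not in classify(ca_file):
            raise ValueError(f"{ca_file}: verify= needs a PEM CA certificate")
        kwargs["verify"] = str(ca_file)
    if client_cert is not None:
        key_file = client_key or client_cert  # key may sit in the same PEM file
        if "pem-cert" not in classify(client_cert):
            raise ValueError(f"{client_cert}: cert= needs a PEM certificate")
        if "pem-key" not in classify(key_file):
            raise ValueError(f"{key_file}: cert= needs the matching private key")
        kwargs["cert"] = (str(client_cert), str(key_file))
    return kwargs

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        der = Path(tmp, "server.cer")
        der.write_bytes(b"\x30\x82\x01\x0a" + b"\x00" * 16)  # constructed DER-like bytes
        print(classify(der))
        print(tls_kwargs(ca_file=der_to_pem(der, Path(tmp, "server.pem"))))
```

The returned dictionary is meant to be passed as `requests.post(url, data=body, headers=headers, **tls_kwargs(...))`, so certificate verification stays enabled.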